feat: relax flag validation for test/monitor commands

[paulrosca-snyk]

Pull Request Submission Checklist

• Follows CONTRIBUTING guidelines
• Commit messages
  are release-note ready, emphasizing
  what was changed, not how.
• Includes detailed description of changes
• Contains risk assessment (Low | Medium | High)
• Highlights breaking API changes (if applicable)
• Links to automated tests covering new functionality
• Includes manual testing instructions (if necessary)
• Updates relevant GitBook documentation (PR link: ___)
• Includes product update to be announced in the next stable release notes

What does this PR do?

Relaxes the flag validation for snyk test and snyk monitor so that the command can be routed to the new flow (e.g reachability) even when an unknown flag is being passed.

Where should the reviewer start?

How should this be manually tested?

Running snyk test --reachability --foo-bar should return the vulnerability information enriched with reachability signals.

What's the product update that needs to be communicated to CLI users?

N/A

Risk assessment (Low | Medium | High)?

Low. This only impacts customers which use the new testing flow, and the impact should be positive.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[PeterSchafer]

Suggestion: check the exit code it shouldn't be 2

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 PR contains tests

External call assumptions: None.

🔒 No security concerns identified

⚡ Recommended focus areas for review Behavioral Change (2 occurrences) 🟡 [minor] cliv2/cmd/cliv2/behavior/legacy/validation.go The addition of --json and --sarif to incompatibleFlagRules (lines 48-49) prevents users from specifying both flags simultaneously. While this is likely intended for clarity, it represents a breaking change for users who may have included both in automated scripts where one flag was previously ignored or took precedence. cliv2/cmd/cliv2/behavior/legacy/validation.go Enabling cmd.FParseErrWhitelist.UnknownFlags = true in SetupTestMonitorCommand means that typos in standard flags (e.g., --jsson instead of --json) will no longer be caught by the Cobra parser for the test and monitor commands. These will instead be passed to the legacy CLI or ignored, potentially causing unexpected behavior if the user assumes a flag is active when it is not.

📚 Repository Context Analyzed This review considered 9 relevant code sections from 8 files (average relevance: 0.79) cliv2/cmd/cliv2/behavior/legacy/validation.go (lines 1-98) cliv2/cmd/cliv2/main.go (2 segments, lines 1-92) scripts/upgrade-snyk-go-dependencies.go (lines 1-134) package.json (lines 1-100) help/cli-commands/test.md (lines 201-300) cliv2/cmd/cliv2/exitcode.go (lines 1-196) cliv2/cmd/cliv2/errorhandling.go (lines 1-104) ... and 1 more file(s)