Add global --skip-tls-verify flag for self-signed certs

command/auth/login/login.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/deepsourcelabs/cli/command/cmddeps"
+	"github.com/deepsourcelabs/cli/command/cmdutil"
 	"github.com/deepsourcelabs/cli/config"
 	"github.com/deepsourcelabs/cli/deepsource"
 	"github.com/deepsourcelabs/cli/internal/cli/args"
@@ -59,7 +60,7 @@ func NewCmdLoginWithDeps(deps *cmddeps.Deps) *cobra.Command {
 		Long:  doc,
 		Args:  args.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return opts.Run()
+			return opts.Run(cmd)
 		},
 	}
 
@@ -72,7 +73,7 @@ func NewCmdLoginWithDeps(deps *cmddeps.Deps) *cobra.Command {
 	return cmd
 }
 
-func (opts *LoginOptions) Run() (err error) {
+func (opts *LoginOptions) Run(cmd *cobra.Command) (err error) {
 	var cfgMgr *config.Manager
 	if opts.deps != nil && opts.deps.ConfigMgr != nil {
 		cfgMgr = opts.deps.ConfigMgr
@@ -94,6 +95,9 @@ func (opts *LoginOptions) Run() (err error) {
 	opts.User = cfg.User
 	opts.TokenExpired = cfg.IsExpired()
 
+	// Resolve skip-tls-verify: flag > env > config
+	cfg.SkipTLSVerify = cmdutil.ResolveSkipTLSVerify(cmd, cfg.SkipTLSVerify)
+
 	opts.verifyTokenWithServer(cfg, svc)
 
 	if opts.Interactive {

command/auth/login/tests/login_test.go

@@ -245,6 +245,69 @@ func TestLoginVerifyTokenServerReject(t *testing.T) {
 	}
 }
 
+func TestLoginPATSkipTLSVerifyNotPersisted(t *testing.T) {
+	cfgMgr := testutil.CreateExpiredTestConfigManager(t, "", "deepsource.com", "")
+
+	deps := &cmddeps.Deps{
+		ConfigMgr: cfgMgr,
+		Client:    newMockViewerClient(t),
+	}
+
+	cmd := loginCmd.NewCmdLoginWithDeps(deps)
+	cmd.SetArgs([]string{"--with-token", "dsp_noskip"})
+
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	cfg, err := cfgMgr.Load()
+	if err != nil {
+		t.Fatalf("failed to load config: %v", err)
+	}
+	if cfg.SkipTLSVerify {
+		t.Error("expected SkipTLSVerify=false when flag is not set")
+	}
+}
+
+func TestLoginPATSkipTLSVerifyFromConfig(t *testing.T) {
+	// Write a config with SkipTLSVerify already set to true
+	tmpDir := t.TempDir()
+	fs := adapters.NewOSFileSystem()
+	cfgMgr := config.NewManager(fs, func() (string, error) {
+		return tmpDir, nil
+	})
+
+	// Use manager.Write to create valid TOML with expired token + SkipTLSVerify
+	initialCfg := &config.CLIConfig{
+		Host:          "enterprise.example.com",
+		Token:         "",
+		SkipTLSVerify: true,
+	}
+	if err := cfgMgr.Write(initialCfg); err != nil {
+		t.Fatalf("failed to write initial config: %v", err)
+	}
+
+	deps := &cmddeps.Deps{
+		ConfigMgr: cfgMgr,
+		Client:    newMockViewerClient(t),
+	}
+
+	cmd := loginCmd.NewCmdLoginWithDeps(deps)
+	cmd.SetArgs([]string{"--with-token", "dsp_skipyes"})
+
+	if err := cmd.Execute(); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	cfg, err := cfgMgr.Load()
+	if err != nil {
+		t.Fatalf("failed to load config: %v", err)
+	}
+	if !cfg.SkipTLSVerify {
+		t.Error("expected SkipTLSVerify=true to be preserved from config after login")
+	}
+}
+
 func TestLoginPATInvalidToken(t *testing.T) {
 	cfgMgr := testutil.CreateExpiredTestConfigManager(t, "", "deepsource.com", "")
 

command/auth/status/status.go

@@ -9,13 +9,15 @@ import (
 
 	"github.com/MakeNowJust/heredoc"
 	"github.com/deepsourcelabs/cli/command/cmddeps"
+	"github.com/deepsourcelabs/cli/command/cmdutil"
 	"github.com/deepsourcelabs/cli/config"
 	"github.com/deepsourcelabs/cli/deepsource"
 	dsuser "github.com/deepsourcelabs/cli/deepsource/user"
 	"github.com/deepsourcelabs/cli/internal/cli/args"
 	"github.com/deepsourcelabs/cli/internal/cli/style"
 	clierrors "github.com/deepsourcelabs/cli/internal/errors"
 	"github.com/spf13/cobra"
+
 )
 
 type AuthStatusOptions struct {
@@ -47,13 +49,13 @@ func NewCmdStatusWithDeps(deps *cmddeps.Deps) *cobra.Command {
 		Args:  args.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts := AuthStatusOptions{deps: deps}
-			return opts.Run()
+			return opts.Run(cmd)
 		},
 	}
 	return cmd
 }
 
-func (opts *AuthStatusOptions) Run() error {
+func (opts *AuthStatusOptions) Run(cmd *cobra.Command) error {
 	cfgMgr := opts.configManager()
 	cfg, err := cfgMgr.Load()
 	if err != nil {
@@ -68,7 +70,7 @@ func (opts *AuthStatusOptions) Run() error {
 		return nil
 	}
 
-	client, err := opts.apiClient(cfg, cfgMgr)
+	client, err := opts.apiClient(cmd, cfg, cfgMgr)
 	if err != nil {
 		style.Warnf(opts.stdout(), "Could not connect to DeepSource to verify authentication")
 		return nil
@@ -100,14 +102,15 @@ func (opts *AuthStatusOptions) configManager() *config.Manager {
 	return config.DefaultManager()
 }
 
-func (opts *AuthStatusOptions) apiClient(cfg *config.CLIConfig, cfgMgr *config.Manager) (*deepsource.Client, error) {
+func (opts *AuthStatusOptions) apiClient(cmd *cobra.Command, cfg *config.CLIConfig, cfgMgr *config.Manager) (*deepsource.Client, error) {
 	if opts.deps != nil && opts.deps.Client != nil {
 		return opts.deps.Client, nil
 	}
 	return deepsource.New(deepsource.ClientOpts{
-		Token:            cfg.Token,
-		HostName:         cfg.Host,
-		OnTokenRefreshed: cfgMgr.TokenRefreshCallback(),
+		Token:              cfg.Token,
+		HostName:           cfg.Host,
+		InsecureSkipVerify: cmdutil.ResolveSkipTLSVerify(cmd, cfg.SkipTLSVerify),
+		OnTokenRefreshed:   cfgMgr.TokenRefreshCallback(),
 	})
 }
 

command/cmdutil/tls.go

@@ -0,0 +1,14 @@
+package cmdutil
+
+import "github.com/spf13/cobra"
+
+// ResolveSkipTLSVerify returns true if TLS verification should be skipped.
+// Priority: --skip-tls-verify flag > config value (which includes env var).
+func ResolveSkipTLSVerify(cmd *cobra.Command, cfgValue bool) bool {
+	if cmd != nil {
+		if f := cmd.Root().PersistentFlags().Lookup("skip-tls-verify"); f != nil && f.Changed {
+			return true
+		}
+	}
+	return cfgValue
+}

command/cmdutil/tls_test.go

@@ -0,0 +1,106 @@
+package cmdutil
+
+import (
+	"testing"
+
+	"github.com/spf13/cobra"
+)
+
+func TestResolveSkipTLSVerify(t *testing.T) {
+	tests := []struct {
+		name     string
+		setupCmd func() *cobra.Command
+		cfgValue bool
+		want     bool
+	}{
+		{
+			name:     "nil cmd, cfgValue false",
+			setupCmd: func() *cobra.Command { return nil },
+			cfgValue: false,
+			want:     false,
+		},
+		{
+			name:     "nil cmd, cfgValue true",
+			setupCmd: func() *cobra.Command { return nil },
+			cfgValue: true,
+			want:     true,
+		},
+		{
+			name: "cmd without skip-tls-verify flag, cfgValue false",
+			setupCmd: func() *cobra.Command {
+				return &cobra.Command{Use: "test"}
+			},
+			cfgValue: false,
+			want:     false,
+		},
+		{
+			name: "cmd without skip-tls-verify flag, cfgValue true",
+			setupCmd: func() *cobra.Command {
+				return &cobra.Command{Use: "test"}
+			},
+			cfgValue: true,
+			want:     true,
+		},
+		{
+			name: "cmd with flag not set, cfgValue false",
+			setupCmd: func() *cobra.Command {
+				root := &cobra.Command{Use: "root"}
+				root.PersistentFlags().Bool("skip-tls-verify", false, "")
+				child := &cobra.Command{Use: "child"}
+				root.AddCommand(child)
+				return child
+			},
+			cfgValue: false,
+			want:     false,
+		},
+		{
+			name: "cmd with flag not set, cfgValue true",
+			setupCmd: func() *cobra.Command {
+				root := &cobra.Command{Use: "root"}
+				root.PersistentFlags().Bool("skip-tls-verify", false, "")
+				child := &cobra.Command{Use: "child"}
+				root.AddCommand(child)
+				return child
+			},
+			cfgValue: true,
+			want:     true,
+		},
+		{
+			name: "cmd with flag set, cfgValue false",
+			setupCmd: func() *cobra.Command {
+				root := &cobra.Command{Use: "root"}
+				root.PersistentFlags().Bool("skip-tls-verify", false, "")
+				child := &cobra.Command{Use: "child"}
+				root.AddCommand(child)
+				// Simulate the flag being set on the command line
+				root.PersistentFlags().Set("skip-tls-verify", "true")
+				return child
+			},
+			cfgValue: false,
+			want:     true,
+		},
+		{
+			name: "cmd with flag set, cfgValue true",
+			setupCmd: func() *cobra.Command {
+				root := &cobra.Command{Use: "root"}
+				root.PersistentFlags().Bool("skip-tls-verify", false, "")
+				child := &cobra.Command{Use: "child"}
+				root.AddCommand(child)
+				root.PersistentFlags().Set("skip-tls-verify", "true")
+				return child
+			},
+			cfgValue: true,
+			want:     true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cmd := tt.setupCmd()
+			got := ResolveSkipTLSVerify(cmd, tt.cfgValue)
+			if got != tt.want {
+				t.Errorf("ResolveSkipTLSVerify() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

command/flags_test.go

@@ -15,6 +15,17 @@ type flagExpectation struct {
 	defaultValue string
 }
 
+func TestRootSkipTLSVerifyFlag(t *testing.T) {
+	cmd := NewCmdRoot()
+	f := cmd.PersistentFlags().Lookup("skip-tls-verify")
+	if f == nil {
+		t.Fatal("expected skip-tls-verify persistent flag on root command, got nil")
+	}
+	if f.DefValue != "false" {
+		t.Errorf("expected default value %q, got %q", "false", f.DefValue)
+	}
+}
+
 func TestFlagDefaults(t *testing.T) {
 	tests := []struct {
 		name      string

command/issues/issues.go

@@ -92,7 +92,7 @@ func NewCmdIssuesWithDeps(deps *cmddeps.Deps) *cobra.Command {
 		Short: "View issues in a repository",
 		Long:  doc,
 		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opts.Run(cmd.Context())
+			return opts.Run(cmd, cmd.Context())
 		},
 	}
 
@@ -203,7 +203,7 @@ func flagUsageLine(f *pflag.Flag) string {
 	return line
 }
 
-func (opts *IssuesOptions) initClientAndConfig() (*deepsource.Client, *vcs.RemoteData, error) {
+func (opts *IssuesOptions) initClientAndConfig(cmd *cobra.Command) (*deepsource.Client, *vcs.RemoteData, error) {
 	var cfgMgr *config.Manager
 	if opts.deps != nil && opts.deps.ConfigMgr != nil {
 		cfgMgr = opts.deps.ConfigMgr
@@ -228,18 +228,19 @@ func (opts *IssuesOptions) initClientAndConfig() (*deepsource.Client, *vcs.Remot
 		return opts.deps.Client, remote, nil
 	}
 	client, err := deepsource.New(deepsource.ClientOpts{
-		Token:            cfg.Token,
-		HostName:         cfg.Host,
-		OnTokenRefreshed: cfgMgr.TokenRefreshCallback(),
+		Token:              cfg.Token,
+		HostName:           cfg.Host,
+		InsecureSkipVerify: cmdutil.ResolveSkipTLSVerify(cmd, cfg.SkipTLSVerify),
+		OnTokenRefreshed:   cfgMgr.TokenRefreshCallback(),
 	})
 	if err != nil {
 		return nil, nil, err
 	}
 	return client, remote, nil
 }
 
-func (opts *IssuesOptions) Run(ctx context.Context) error {
-	client, remote, err := opts.initClientAndConfig()
+func (opts *IssuesOptions) Run(cmd *cobra.Command, ctx context.Context) error {
+	client, remote, err := opts.initClientAndConfig(cmd)
 	if err != nil {
 		return err
 	}

command/metrics/metrics.go

@@ -87,7 +87,7 @@ func NewCmdMetricsWithDeps(deps *cmddeps.Deps) *cobra.Command {
 		Short: "View repository metrics",
 		Long:  doc,
 		RunE: func(cmd *cobra.Command, _ []string) error {
-			return opts.Run(cmd.Context())
+			return opts.Run(cmd, cmd.Context())
 		},
 	}
 
@@ -116,7 +116,7 @@ func NewCmdMetricsWithDeps(deps *cmddeps.Deps) *cobra.Command {
 	return cmd
 }
 
-func (opts *MetricsOptions) Run(ctx context.Context) error {
+func (opts *MetricsOptions) Run(cmd *cobra.Command, ctx context.Context) error {
 	var cfgMgr *config.Manager
 	if opts.deps != nil && opts.deps.ConfigMgr != nil {
 		cfgMgr = opts.deps.ConfigMgr
@@ -142,9 +142,10 @@ func (opts *MetricsOptions) Run(ctx context.Context) error {
 		client = opts.deps.Client
 	} else {
 		client, err = deepsource.New(deepsource.ClientOpts{
-			Token:            cfg.Token,
-			HostName:         cfg.Host,
-			OnTokenRefreshed: cfgMgr.TokenRefreshCallback(),
+			Token:              cfg.Token,
+			HostName:           cfg.Host,
+			InsecureSkipVerify: cmdutil.ResolveSkipTLSVerify(cmd, cfg.SkipTLSVerify),
+			OnTokenRefreshed:   cfgMgr.TokenRefreshCallback(),
 		})
 		if err != nil {
 			return err