Announcing Precomputed Reachability Analysis in Socket

Socket’s precomputed reachability slashes false positives by flagging up to 80% of vulnerabilities as irrelevant, with no setup and instant results.

Martin Torp

July 30, 2025

Every security team knows the frustration: your dependency scanner flags hundreds of vulnerabilities, but most of them don't actually affect your application. You're drowning in false positives while real threats might slip through unnoticed.

That's where reachability analysis comes in: it determines whether CVEs in your dependencies can actually be exploited in your application. When done right, it can flag around 60-80% of all CVEs as irrelevant, letting you focus on what truly matters.

Today, we're excited to announce Socket's game-changing approach: precomputed reachability analysis.

What Makes Precomputed Reachability Different?

Traditional reachability analysis requires significant setup: installing agents in production, running lengthy CI scans, or granting access to your source code. It's powerful but cumbersome.

Socket's precomputed reachability takes a radically different approach. We analyze reachability using only your manifest files (package-lock.json, requirements.txt, pom.xml, etc.), making it:

  • Instant: Results are precomputed and cached for popular dependencies, so they're available immediately
  • Zero-overhead: No additional scans, no agents, no performance impact
  • Privacy-preserving: We never need access to your source code

So why does this work? When a transitive dependency has a vulnerability, we can often prove it's unreachable by analyzing just the dependency tree. If none of the packages on the dependency paths that lead to the vulnerable package actually use the vulnerable code, then the application code can't reach it either.
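The argument above can be made concrete with a small model. The following is an added example, not Socket's or Coana's code: it assumes a constructed lock-file-style dependency graph, hypothetical package and function names, and precomputed per-package call summaries (for each exported function, the functions it calls in its own package or in a declared dependency). Because the application's own code is never read, every exported function of every direct dependency is treated as a possible entry point, which is why the strongest verdict the manifest-only analysis can give is "maybe reachable"; when it does, the walk also yields the trace from the dependency that uses the vulnerable package down to the vulnerable function.

```python
import copy
from collections import deque

# Constructed lock-file-style dependency graph: package -> its direct dependencies.
# All names are hypothetical; "app" stands for the application being scanned.
DEPENDENCIES = {
    "app": {"web-framework", "logger"},
    "web-framework": {"router", "template-engine"},
    "router": {"util-lib"},
    "template-engine": {"util-lib"},
    "logger": set(),
    "util-lib": set(),
}

# Constructed per-package call summaries (what a precomputed cache would hold):
# package -> exported function -> set of (package, function) it calls.
SUMMARIES = {
    "web-framework": {
        "create_app": {("router", "new_router"), ("template-engine", "render")},
        "static": {("template-engine", "render")},
    },
    "router": {"new_router": {("util-lib", "clone")}},
    "template-engine": {
        "render": {("util-lib", "escape")},
        # Exported, but no package in this tree ever calls it.
        "render_with_defaults": {("util-lib", "merge_options")},
    },
    "logger": {"info": set()},
    "util-lib": {
        "clone": set(),
        "escape": set(),
        "merge_options": {("util-lib", "merge_deep")},  # intra-package call
        "merge_deep": set(),  # hypothetical vulnerable function
    },
}

# Variant where web-framework.static also calls render_with_defaults.
SUMMARIES_WITH_DEFAULTS = copy.deepcopy(SUMMARIES)
SUMMARIES_WITH_DEFAULTS["web-framework"]["static"].add(
    ("template-engine", "render_with_defaults")
)


def _trace(node, parent):
    """Rebuild the call path from an entry point down to `node`."""
    path = []
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def analyze(vuln_pkg, vuln_fn, deps, summaries, root="app"):
    """Classify (vuln_pkg, vuln_fn) from the manifest alone.

    Returns ("unreachable", None) or ("maybe reachable", trace), where trace is
    the list of (package, function) nodes leading to the vulnerable function.
    """
    parent = {}
    queue = deque()
    # Manifest-only analysis cannot see application code, so every exported
    # function of every direct dependency is conservatively an entry point.
    for dep in sorted(deps.get(root, ())):
        for fn in sorted(summaries.get(dep, {})):
            node = (dep, fn)
            if node not in parent:
                parent[node] = None
                queue.append(node)
    while queue:
        node = queue.popleft()
        if node == (vuln_pkg, vuln_fn):
            return "maybe reachable", _trace(node, parent)
        pkg, fn = node
        for callee in sorted(summaries.get(pkg, {}).get(fn, ())):
            callee_pkg, _ = callee
            # Only follow calls within the package or into a declared dependency;
            # anything else is not part of this lock-file's resolution.
            if callee_pkg != pkg and callee_pkg not in deps.get(pkg, ()):
                continue
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return "unreachable", None


if __name__ == "__main__":
    for label, s in (("as resolved", SUMMARIES), ("with defaults", SUMMARIES_WITH_DEFAULTS)):
        status, trace = analyze("util-lib", "merge_deep", DEPENDENCIES, s)
        print(f"{label}: util-lib.merge_deep is {status}")
        for pkg, fn in trace or []:
            print(f"    {pkg}.{fn}")
```

In the first run nothing on the paths from the application to util-lib ever calls merge_options or merge_deep, so the CVE is classified unreachable without ever reading the application; in the second, the added call in web-framework.static produces the trace static -> render_with_defaults -> merge_options -> merge_deep. A vulnerability in a direct dependency (for example logger.info) is always "maybe reachable" here, since only application code could rule it out.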

No Additional Setup Required

Socket is the first to offer reachability analysis that works directly from manifest files with zero additional setup. If you're already using the Socket GitHub app, CLI, or API, you're ready to go; the analysis runs automatically as part of your normal scans.

This approach is a game changer for teams that have previously struggled with difficult-to-setup reachability analyses from competitors.

Built on World-Class Research

Our reachability technology comes from Coana, a company Socket acquired earlier this year. Coana was spun out from a university research group led by Professor Anders Møller, who now leads research at Socket, with over a decade of pioneering work in static analysis.

This deep expertise ensures our reachability engines deliver highly accurate, trustworthy results. Socket’s reachability analyses can reason accurately about language features that have historically been difficult for other static analyses to handle: for example, dynamic property reads and writes in JavaScript and reflection in Java.

Broad Language Coverage

Socket’s precomputed analysis currently supports:

  • JavaScript
  • Python
  • JVM languages, e.g., Java, Scala, and Kotlin
  • .NET languages, e.g., C# and F#
  • Go

Ruby and Rust support is coming in Q3.

Socket's Precomputed Reachability Has Already Been Proven in Production

One of our Fortune 50 customers signed a 3-year deal with a competing vendor but couldn’t deploy it. During the Socket POC, we delivered real, meaningful results that far outperformed the incumbent. They switched to Socket immediately after seeing the difference. This is a testament to our battle-tested technology and obsessive focus on delivering measurable security outcomes for our customers.

Available Today

Precomputed reachability analysis is available now for all Socket Team and Enterprise customers. No configuration is needed—just run your scans as usual and see the results.

How Reachability Appears in the UI

A new CVE Reachability section on the Alert modal tells you the reachability of a CVE:

If the analysis found the vulnerability to be maybe reachable, it provides an exact trace from the dependency where the vulnerability is in use to the vulnerable function.

Use the filter to quickly identify the reachable vulnerabilities:

New Control for Unreachable CVEs

By default, unreachable CVEs will appear with the "monitor" action instead of "block" or "warn". You can also disable this functionality in your organization's settings. This gives teams more flexibility while still keeping visibility into potential risks.

What's Next: Even More Powerful Analysis

While precomputed reachability will be transformative for many teams, we're not stopping there. Tier 2 delivers instant, high-confidence results with 'maybe reachable' as its top severity, ensuring you’re never misled by false positives. For definitive reachability insights, Tier 1 goes deeper by analyzing your actual application code.

Later in Q3, we'll release our Tier 1 reachability analysis for teams that need maximum coverage. This enhanced analysis:

  • Scans both your application code and dependencies
  • Determines the reachability of CVEs in both direct and transitive dependencies
  • Can classify over 80% of vulnerabilities as unreachable
  • Combines an unprecedented level of accuracy with transparency, marking any cases where reachability can’t be confirmed as "unknown" rather than risking false positives

With this full application reachability, teams can confidently dismiss about 80% of vulnerabilities as non-issues, and in some ecosystems, the noise reduction rate exceeds 90%. Tier 3, which we launched first, can also analyze the reachability of all supply chain alerts, not just CVEs.

Try Reachability in your dashboard today, and visit our Reachability Analysis docs for a full breakdown of features and tiers, and for more details about what's coming next on our roadmap.
