
Product
Introducing License Overlays: Smarter License Management for Real-World Code
Customize license detection with Socket’s new license overlays: gain control, reduce noise, and handle edge cases with precision.
Martin Torp
July 30, 2025
Every security team knows the frustration: your dependency scanner flags hundreds of vulnerabilities, but most of them don't actually affect your application. You're drowning in false positives while real threats might slip through unnoticed.
That's where reachability analysis comes in: it determines whether CVEs in your dependencies can actually be exploited in your application. When done right, it can flag around 60-80% of all CVEs as irrelevant, letting you focus on what truly matters.
Today, we're excited to announce Socket's game-changing approach: precomputed reachability analysis.
Traditional reachability analysis requires significant setup: installing agents in production, running lengthy CI scans, or granting access to your source code. It's powerful but cumbersome.
Socket's precomputed reachability takes a radically different approach. We analyze reachability using only your manifest files (package-lock.json, requirements.txt, pom.xml, etc.), making it:
So why does this work? When a transitive dependency has a vulnerability, we can often prove it's unreachable by analyzing just the dependency tree. If none of the intermediate dependencies in the chain leading to the vulnerable package actually call the vulnerable code, then the application code can't reach it either.
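A toy model of the manifest-only reasoning described above, added here as an illustration (not Socket's or Coana's code): the application's own code is never analyzed, so every export of a direct dependency is treated as callable, and reachability then propagates only through precomputed per-package summaries. The package names, summaries and the vulnerable function are all constructed.

```python
from collections import deque

# Constructed lockfile-style edges: package -> direct dependencies.
# "app" is the scanned project; "zlib-js" is the hypothetical vulnerable package,
# reachable only transitively through "express-ish".
DEPENDENCY_TREE = {
    "app": ["express-ish", "log-fmt"],
    "express-ish": ["zlib-js", "log-fmt"],
    "log-fmt": [],
    "zlib-js": [],
}

# Constructed precomputed summaries (what an engine would derive by analyzing
# each published package once): (pkg, export) -> functions of pkg's own
# dependencies that this export can call, transitively inside pkg.
SUMMARIES = {
    ("express-ish", "serve"): {("zlib-js", "deflate"), ("log-fmt", "fmt")},
    ("express-ish", "parseBody"): {("zlib-js", "inflateSafe")},
    ("log-fmt", "fmt"): set(),
    ("zlib-js", "deflate"): set(),
    ("zlib-js", "inflate"): set(),      # the hypothetical vulnerable function
    ("zlib-js", "inflateSafe"): set(),
}

def exports_of(pkg):
    return [fn for (p, fn) in SUMMARIES if p == pkg]

def reachability(root, vuln_pkg, vuln_fn):
    """Return ("maybe reachable", trace) or ("unreachable", None).

    "maybe" is the strongest verdict possible here: with no view of the
    application code, any export of a direct dependency may be called.
    """
    worklist, parent = deque(), {}
    for dep in DEPENDENCY_TREE[root]:            # conservative seed
        for fn in exports_of(dep):
            parent.setdefault((dep, fn), None)
            worklist.append((dep, fn))
    while worklist:
        node = worklist.popleft()
        if node == (vuln_pkg, vuln_fn):          # build the dependency -> function trace
            trace = []
            while node is not None:
                trace.append(f"{node[0]}:{node[1]}")
                node = parent[node]
            return "maybe reachable", trace[::-1]
        for callee in SUMMARIES.get(node, ()):
            # an edge only counts if the lockfile says that dependency exists
            if callee[0] in DEPENDENCY_TREE[node[0]] and callee not in parent:
                parent[callee] = node
                worklist.append(callee)
    return "unreachable", None
```

`inflate` is never called by any export along the chain, so the CVE in it is provably unreachable from the manifest alone, while `deflate` yields the trace `express-ish:serve -> zlib-js:deflate`.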
Socket is the first to offer reachability analysis that works directly from manifest files with zero additional setup. If you're already using the Socket GitHub app, CLI, or API, you're ready to go; the analysis runs automatically as part of your normal scans.
This approach is a game changer for teams that have previously struggled with difficult-to-set-up reachability analyses from competitors.
Our reachability technology comes from Coana, a company Socket acquired earlier this year. Coana was spun out from a university research group, led by professor Anders Møller who now leads research at Socket, with over a decade of pioneering work in static analysis.
This deep expertise ensures our reachability engines deliver highly accurate, trustworthy results. Socket’s reachability analyses can reason precisely about language features that have historically been difficult for other static analyses to handle: for example, dynamic property reads and writes in JavaScript and reflection in Java.
Socket’s precomputed analysis currently supports:
Ruby and Rust support is coming in Q3.
One of our Fortune 50 customers signed a 3-year deal with a competing vendor but couldn’t deploy it. During the Socket POC, we delivered real, meaningful results that far outperformed the incumbent. They switched to Socket immediately after seeing the difference. This is a testament to our battle-tested technology and obsessive focus on delivering measurable security outcomes for our customers.
Precomputed reachability analysis is available now for all Socket Team and Enterprise customers. No configuration is needed—just run your scans as usual and see the results.
A new CVE Reachability section on the Alert modal tells you the reachability of a CVE:
If the analysis found the vulnerability to be maybe reachable, it provides an exact trace from the dependency that uses the vulnerable package to the vulnerable function.
Use the filter to quickly identify the reachable vulnerabilities:
By default, unreachable CVEs will appear with the "monitor" action instead of "block" or "warn". You can also disable this functionality in your organization's settings. This gives teams more flexibility while still keeping visibility into potential risks.
While precomputed reachability will be transformative for many teams, we're not stopping there. Tier 2 delivers instant, high-confidence results with 'maybe reachable' as its top severity, ensuring you’re never misled by false positives. For definitive reachability insights, Tier 1 goes deeper by analyzing your actual application code.
Later in Q3, we'll release our Tier 1 reachability analysis for teams that need maximum coverage. This enhanced analysis:
With this full application reachability, teams can confidently dismiss about 80% of vulnerabilities as non-issues, and in some ecosystems, the noise reduction rate exceeds 90%. Tier 3, which we launched first, can also analyze the reachability of all supply chain alerts, not just CVEs.
Try Reachability in your dashboard today, and visit our Reachability Analysis docs to see a full breakdown of features, tiers, and get more details about what's coming next on our roadmap.