Pelle Wessman
November 17, 2022
Today, Socket helps tens of thousands of developers to ship faster and spend less time on security busywork by helping them safely find, audit, and manage open source software at scale. Most developers use Socket through our popular GitHub integration – Socket for GitHub – and they love it!
But what if you use another source code management system like GitLab or BitBucket? Or what if you want to integrate Socket into custom test or CI scripts? Or what if you just like using the command line?
That's why we're so excited to preview a brand new way to use Socket today. Introducing the Socket CLI Preview!
In this preview release of the Socket CLI, we are shipping a subset of the commands that we aim for in our 1.0 release. Some would call it a beta, but the commands we support today already work well, so we call it a preview.
"Wait? You're releasing an unpolished beta-style tool? Can we do that in an Apple-esque world of polished experiences?"
We're developers. You're developers. We commit early, we commit often, we iterate, and we know that nothing can ever be fully complete. Everything can always be rewritten and improved – if we wait for it to be "complete" then we'll never ship. To build the best tool, we know we need to dogfood and gather community feedback.
Community feedback: That's you. Hi 👋
In this very first release we present you two commands:
socket report create – this is the star of the show here. It enables you to create a Project Health Report on Socket for your project's dependencies. Running this command will upload just your package.json and package-lock.json files – we of course don't want your source code or other sensitive files. You can use this command to automate Socket in your CI, no matter if you use GitLab, SourceHut, an insane RPi cluster or something else. And you of course can use it manually as well.socket info webpack@5.75.0 – this is a glimpse into the next step for the CLI. The info command enables you to look up all the supply chain risks and other package "issues" that Socket has detected for given version of a package. It mainly gives you a short summary, but it already also supports outputting the raw JSON response from our API. For your jq pleasures or others. This truly enables you to build your own tooling. More on that later.A Socket Project Health Report contains a full listing of all package issues present in the project, as well as individual health scores for each package and average scores for the whole project.
There's a lot of incredible information about your packages in here:
socket is a multi-command CLI tool.
The basic socket command does nothing more than giving you some help information, the rest of the magic is in the individual commands.
Our current two commands, report and info, will likely get accompanied by more in the future. On top of that, report in itself is also multi-command and will for sure get more sub-commands going forward.
All commands describe themselves if you ask them using --help and the commands support mostly the same flags:
--dry-run - the socket report create supports running the command without actually uploading anything. All CLI tools that perform an action should have a dry run flag--json - outputs result as json which you can then pipe into jq and other tools--markdown - outputs result as markdown. This can then be copied into GitHub, Linear etc to easily share the result with your colleagues. Useful when you eg. feel the need to create an issue or PR because you found a package with quite a few issues.--debug - outputs additional debug output. Great for debugging, geeks and us who develop. Hopefully you will never need it, but it can still be fun, right?--help - prints the help for the current command. All CLI tools should have this flag--version - prints the version of the tool. All CLI tools should have this flagTo use this preview you need an API key.
We use our new API and SDK in this (announcement to follow) and currently you have to ask us for an API key to get one. Bummer, we know, we're working on a self-service tool at this very moment but didn't want to wait for it.
To get an API key, please book a meeting with the Socket team.
Anyone can install the CLI tool though and explore. It will ask you for the API key and fail if you don't give it one. Install it like this:
Then run it using commands like:
npm install -g @socketsecurity/clisocket --help
socket info webpack@5.75.0
socket report create .
socket report create package.jsonAnd if you don't like to be asked for the API key (lets say you're in a CI environment), then put it in a SOCKET_SECURITY_API_KEY environment variable.
If you want to add it for a local project but don't want to add it globally, then direnv is your friend.
We're committing early and often, iterating, rewriting, and listening to your feedback. We will ship updates to the CLI frequently in the coming weeks in response to your feedback. Give it a star and a watch on GitHub to ensure you're on top of it all.
Next up, we'll be announcing our API and SDK on this blog, and then even more exciting things are in the pipeline!
Get started with the Socket CLI today by running npm install @socketsecurity/cli and let us know what you think!
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.
Security News
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
Security News
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.