Security teams can enable Socket and let it run without having to manage issues on behalf of development teams. The Socket GitHub integration delivers security information directly to developers, where they can act on it, so they can resolve security risks and issues on their own.
If security team members would like to audit the risks within existing dependencies, they can use the Socket Project Health Report to analyze dependencies that are currently in use within a given GitHub repository.
Socket Project Health Report
Unlike Socket Alerts, which are sent to developers in real time, the Project Health Report is used by security teams to understand the holistic supply chain risk of repositories within the organization. This detailed report provides a full list of the dependencies in the project and the issues Socket detects in each of them.
Note: Project Health Reports are not meant for day-to-day use by developers, since they contain a lot of information. They include supply chain risks, quality issues, maintenance issues, and license issues that were not directly introduced by that developer in their pull request(s).
How to Filter the Report
Teams can use the options in the left navigation to filter the report data and narrow it to the issues they want to focus on:
You can filter to only issues of a given severity, for example “Critical” and “High” issues, as seen in the image above.
Or, you can filter to only issues of a certain type, for example “Environment variable access” and “Filesystem access”, as seen in the image above.
The Project Health Report allows security teams to audit the riskiest behaviors in existing dependencies and to identify possible risks before they become an issue. It also provides a full list of issues that may guide
This is an advanced tool, and teams have often used it to identify dependencies with unacceptable risks that are good candidates for removal over a longer time frame, for example dependencies with the following issues:
- Known Malware
- Protestware/Troll Package
- Install Scripts
Projects can also configure these issue types to reduce noise where the risk has been accepted.
How to Navigate the Report
Once a report is filtered to an acceptable set of issues, understanding what causes them is the next step. Socket provides a few helpful views to assist in navigating the issues:
Packages declared in manifest files directly controlled by the project are listed in the “Group by Package” tab under “Top level packages”, as in the image shown above. These packages are easy to update, compared with the alternative “Transitive packages”, which are sub-dependencies pulled in by the top-level packages.
Additionally, navigating by issue can help you understand all the locations that pull in an issue, and whether it is caused by a single package or comes from multiple packages.
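The three views described above (filtering by severity or issue type, separating top-level from transitive packages, and grouping by issue to see how many roots pull it in) can be reproduced offline against a lockfile-style dependency graph. The following is an added example, not Socket's code or report format: the manifest, dependency graph, package names and findings are all constructed for illustration, and the functions `resolvePaths`, `classifyPackages`, `filterFindings` and `groupByIssue` are hypothetical helpers written for this page.

```javascript
// Added example: offline triage of a dependency health report.
// All data below is constructed and is NOT Socket's report or API format.

// Constructed manifest: the packages the project declares directly.
const manifest = { dependencies: ["web-framework", "log-util", "left-padder"] };

// Constructed lockfile-like graph: package -> its direct dependencies.
const graph = {
  "web-framework": ["http-parser", "log-util"],
  "log-util": ["color-lib"],
  "left-padder": [],
  "http-parser": ["color-lib"],
  "color-lib": [],
};

// Constructed findings: each names a package, an issue type and a severity.
const findings = [
  { pkg: "color-lib", type: "Install Scripts", severity: "high" },
  { pkg: "color-lib", type: "Environment variable access", severity: "medium" },
  { pkg: "left-padder", type: "Filesystem access", severity: "medium" },
  { pkg: "http-parser", type: "Known Malware", severity: "critical" },
];

// Walk the graph from the manifest's top-level packages and record, for every
// package reached, each chain top-level -> ... -> package that pulls it in.
function resolvePaths(manifest, graph) {
  const paths = new Map(); // pkg -> array of chains (arrays of package names)
  function visit(pkg, chain) {
    const path = [...chain, pkg];
    if (!paths.has(pkg)) paths.set(pkg, []);
    paths.get(pkg).push(path);
    for (const dep of graph[pkg] || []) {
      if (!chain.includes(dep)) visit(dep, path); // skip cycles
    }
  }
  for (const top of manifest.dependencies) visit(top, []);
  return paths;
}

// "Top level" = declared in the manifest; "transitive" = reached only via others.
function classifyPackages(manifest, paths) {
  const declared = new Set(manifest.dependencies);
  const result = { topLevel: [], transitive: [] };
  for (const pkg of paths.keys()) {
    (declared.has(pkg) ? result.topLevel : result.transitive).push(pkg);
  }
  result.topLevel.sort();
  result.transitive.sort();
  return result;
}

const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Keep findings at or above a minimum severity and, optionally, only those
// whose issue type is in an allow-list (mirrors the two report filters).
function filterFindings(findings, { minSeverity = "low", types = null } = {}) {
  const min = SEVERITY_RANK[minSeverity];
  return findings.filter(
    (f) => SEVERITY_RANK[f.severity] >= min && (types === null || types.includes(f.type)),
  );
}

// Group findings by issue type and, for each affected package, list the
// top-level packages that pull it in, so a reviewer can tell a single root
// cause from a finding reached through several declared dependencies.
function groupByIssue(findings, paths) {
  const byIssue = {};
  for (const f of findings) {
    const roots = new Set((paths.get(f.pkg) || []).map((chain) => chain[0]));
    if (!byIssue[f.type]) byIssue[f.type] = {};
    byIssue[f.type][f.pkg] = [...roots].sort();
  }
  return byIssue;
}

// Stand-alone usage: severity >= high, then show who introduces each issue.
const paths = resolvePaths(manifest, graph);
console.log(classifyPackages(manifest, paths));
console.log(groupByIssue(filterFindings(findings, { minSeverity: "high" }), paths));
```

In the constructed data, the "Install Scripts" finding on `color-lib` is reached through two declared packages (`log-util` and `web-framework`), so removing one top-level dependency would not clear it, while the "Known Malware" finding on `http-parser` has a single root in `web-framework`. That distinction is what grouping by issue makes visible.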