Today, we're excited to launch customizable pull request alerts!
This feature allows developers to detect 70+ issues in open source packages—including supply chain, quality, maintenance, and license issues—directly from their GitHub workflow.
With our release today, teams can create an open source dependency policy that works best for their team and development style, factoring in what is most important for their own apps.
By default, Socket for GitHub alerts developers about the most important supply chain risk signals—typo squats, install scripts, telemetry, malware, protestware, and more.
For example, if a dependency you've been using for years suddenly adds a risky install script – a technique used by the majority of malware – Socket will detect it and let the developer and security team know in real-time.
Or, maybe a package no longer has an active author account because the author or npm has deleted it. Socket will let you know.
Or, if a package uses a bin script confusion attack, which the Socket team recently shed light on, then Socket will let you know.
But, say that you don't care about specific threats – protestware, or native code – and don't want to be alerted when new or updated dependencies contain these issues. Whatever the reason, you are now able to individually toggle issue types from a socket.yml file in the root of your project repos.
Socket is designed to preemptively bring attention to the open source security and quality issues that matter most to your team. As always, our goal is to help developers ship faster and spend less time on security busywork.
It's super easy to control which issues Socket will send you alerts for. Just create a socket.yml file in the root of your project:
# socket.yml
issues:
  gitDependency: false # disable git dependency alerts
  missingAuthor: false # disable missing author alerts
  criticalCVE: true # enable critical CVE alerts
In this example, Socket for GitHub will no longer alert you of new Git dependencies or missing author issues, but will alert you about any new dependencies with critical CVEs being introduced, in addition to the default set of issues we enable.
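To make the override semantics concrete, here is an added example (not Socket's own code) that reads the issues block of a socket.yml like the one above, merges it with a default alert set, and filters a PR's findings. The default set and the findings are constructed for illustration; only gitDependency, missingAuthor and criticalCVE come from the post, and the real defaults are the ones listed in Socket's docs.

```python
from typing import Dict, List, Set

# Constructed stand-in for Socket's built-in default alert set (not the real list).
DEFAULT_ENABLED: Set[str] = {"installScripts", "typosquat", "malware",
                             "gitDependency", "missingAuthor"}

# Constructed socket.yml mirroring the post's example.
SOCKET_YML = """\
# socket.yml
issues:
  gitDependency: false   # disable git dependency alerts
  missingAuthor: false   # disable missing author alerts
  criticalCVE: true      # enable critical CVE alerts
"""


def parse_issue_overrides(text: str) -> Dict[str, bool]:
    """Minimal reader for the `issues:` mapping (assumed subset: `key: true|false`).
    Written without a YAML library so the example runs offline; a real tool would use one."""
    overrides: Dict[str, bool] = {}
    in_issues = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):          # top-level key: track whether we're in issues
            in_issues = line.strip() == "issues:"
            continue
        if in_issues:
            key, _, value = line.strip().partition(":")
            value = value.strip().lower()
            if value not in ("true", "false"):        # reject anything that is not a plain toggle
                raise ValueError(f"{key}: expected true/false, got {value!r}")
            overrides[key] = value == "true"
    return overrides


def effective_alerts(defaults: Set[str], overrides: Dict[str, bool]) -> Set[str]:
    """Defaults stay on unless set to false; non-default types are on only when set to true."""
    enabled = set(defaults)
    for issue_type, on in overrides.items():
        (enabled.add if on else enabled.discard)(issue_type)
    return enabled


def filter_findings(findings: List[Dict[str, str]], enabled: Set[str]) -> List[Dict[str, str]]:
    """Keep only the findings whose issue type the policy alerts on."""
    return [f for f in findings if f["type"] in enabled]


# Constructed findings for a hypothetical pull request.
FINDINGS = [
    {"package": "pkg-a", "type": "installScripts"},
    {"package": "pkg-b", "type": "gitDependency"},
    {"package": "pkg-c", "type": "missingAuthor"},
    {"package": "pkg-d", "type": "criticalCVE"},
]

if __name__ == "__main__":
    policy = effective_alerts(DEFAULT_ENABLED, parse_issue_overrides(SOCKET_YML))
    for f in filter_findings(FINDINGS, policy):
        print(f"ALERT {f['type']}: {f['package']}")
```

Run stand-alone it prints alerts only for pkg-a and pkg-d: the two disabled defaults are suppressed and the explicitly enabled criticalCVE type is added.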
See the full list of categories that are enabled by default in our docs.
Great, I'll turn them all on!
We don't yet recommend turning on all issues. Doing so might be very noisy and generate more data than can be expressed in a GitHub comment. If you are interested in an in-depth overview of all issues in your project, we still recommend looking at the project health report generated alongside your pull request alerts, which contains the same data plus a whole lot more.
Ideally you will never need to disable issue types in your alerts, but now if you need to, the tools to do so are available. This is the first in a line of features we are adding that allow teams to fine-tune the information we surface in pull request alerts.
Stay tuned for more updates soon, and have fun customizing Socket!
Developers: If you haven't yet, install Socket's free GitHub app, which takes just a few minutes, and get protected today!