Customize your GitHub Issue Alerts

Socket for GitHub has added the option to customize which issue alerts your pull request receives.

Bret Comnes

November 8, 2022


Today, we're excited to launch customizable pull request alerts!

This feature allows developers to detect 70+ issues in open source packages—including supply chain, quality, maintenance, and license issues—directly from their GitHub workflow.

With our release today, teams can create an open source dependency policy that works best for their team and development style, factoring in what is most important for their own apps.

By default, Socket for GitHub alerts developers about the most important supply chain risk signals—typo squats, install scripts, telemetry, malware, protestware, and more.

For example, if a dependency you've been using for years suddenly adds a risky install script – a technique used by the majority of malware – Socket will detect it and let the developer and security team know in real-time.

Or, maybe a package no longer has an active author account because they or npm has deleted it. Socket will let you know.

Or, if a package uses a bin script confusion attack, which the Socket team recently shed light on, then Socket will let you know.

But, say that you don't care about specific threats – protestware, or native code – and don't want to be alerted when new or updated dependencies contain these issues. Whatever the reason, you are now able to individually toggle issue types from a socket.yml file in the root of your project repos.

Socket is designed to preemptively bring attention to the open source security and quality issues that matter most to your team. As always, our goal is to help developers ship faster and spend less time on security busywork.

How to configure Socket alerts

It's super easy to control which issues Socket will send you alerts for. Just create a socket.yml file in the root of your project:

# socket.yml

issues:
  gitDependency: false # disable git dependency alerts
  missingAuthor: false # disable missing author alerts
  criticalCVE: true # enable critical CVE alerts

In this example, Socket for GitHub will no longer alert you of new Git dependencies or missing author issues, but will alert you about any new dependencies with critical CVEs being introduced, in addition to the default set of issues we enable.
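As an added illustration (not Socket's own code), the script below applies the override semantics just described: it parses the issues map from the socket.yml above, layers it over a default-on set, and filters a constructed list of findings down to the alerts that would be posted. The default set, the findings, and every issue key other than the three shown in the post are assumed placeholders, not Socket's real defaults or key names.

```python
# Constructed input: the socket.yml shown in the post.
SOCKET_YML = """\
# socket.yml
issues:
  gitDependency: false # disable git dependency alerts
  missingAuthor: false # disable missing author alerts
  criticalCVE: true # enable critical CVE alerts
"""

# Assumed default-on set for illustration only: keys other than the three in
# the post are placeholders, and Socket's real defaults are listed in its docs.
DEFAULT_ENABLED = {"installScripts": True, "gitDependency": True,
                   "missingAuthor": True, "protestware": True, "criticalCVE": False}

# Constructed findings, as a hypothetical scanner might report them for one PR.
FINDINGS = [
    {"package": "example-git-dep", "type": "gitDependency"},
    {"package": "example-postinstall", "type": "installScripts"},
    {"package": "example-orphaned", "type": "missingAuthor"},
    {"package": "example-vulnerable", "type": "criticalCVE"},
    {"package": "example-native", "type": "nativeCode"},  # type not in the policy
]


def parse_issue_overrides(text: str) -> dict:
    """Minimal parser for the flat `issues:` map; `# comments` are stripped."""
    overrides, in_issues = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):  # an unindented key starts a new section
            in_issues = line.strip() == "issues:"
            continue
        if in_issues and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if value not in ("true", "false"):
                raise ValueError(f"{key}: expected true or false, got {value!r}")
            overrides[key] = value == "true"
    return overrides


def effective_policy(defaults: dict, overrides: dict) -> dict:
    """Unlisted issue types keep their default; listed ones take the file's value."""
    return {**defaults, **overrides}


def alerts_to_post(findings: list, policy: dict) -> list:
    """Keep findings whose issue type is enabled; unknown types are treated as off."""
    return [f for f in findings if policy.get(f["type"], False)]
```

With the sample file, the git dependency and missing author findings are dropped, the critical CVE finding is now kept, and the default-on install script finding still fires because the file never mentions it.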

See the full list of categories that are enabled by default in our docs.

Great, I'll turn them all on!

We don't yet recommend turning on all issues. Doing so might potentially be very noisy and also generate more data than can be expressed in a GitHub comment. If you are interested in an in-depth overview of all issues in your project, we still recommend looking at the project health report generated alongside your pull request alerts, which will contain the same data plus a whole lot more.

Ideally you will never need to disable issue types in your alerts, but now if you need to, the tools to do so are available. This is the first feature in a line of features we are adding that allow teams to fine tune the information we surface in pull request alerts.

Stay tuned for more updates soon, and have fun customizing Socket!

Developers: If you haven't yet, install Socket’s free GitHub app which takes just a few minutes to install, and get protected today!
