Bradley Meck Farias
Mikola Lysenko
Segun Adebayo
August 3, 2023
At Socket, our journey began with a clear and pressing mission: Make Open Source Safer. We've always believed in the power of open source, but it was frustrating to see how dependency security tools failed to address the real threats faced by developers. Their methods were imprecise, noisy, and reactive, often leaving developers in the lurch.
We set out to change that.
Our customers, including Figma, Vercel, and one of Canada's largest telecoms, have shown us that the need for a proactive and precise tool is real. They love Socket for its ability to provide visibility, defense-in-depth, and proactive supply chain protection for their JavaScript and Python dependencies. What sets us apart is our commitment to helping developers and security teams ship faster and spend less time on security busywork.
Today, we're excited to announce the launch of Dependency Search, a new feature that gives you visibility into your open source dependencies. With Dependency Search, you can query across your entire codebase to find out if you're using a specific dependency.
Here's how it works:
Dependency Search offers:
Simply put, it's a tool designed to empower developers with the insights they need, when they need them.
Ever read a news piece about a compromised dependency and felt a shiver run down your spine? With Dependency Search, you can quickly check if you're using that specific package version across every repo in your organization. Confirm in moments that you haven't been affected, and sleep a little easier at night.
If you've ever been contacted privately about a potential vulnerability, you'll know the challenge: traditional SCA tools rely on publicly disclosed vulnerabilities (CVEs), so they cannot tell you whether you are using a dependency that carries an undisclosed risk. With Dependency Search, you can proactively spot packages with privately reported vulnerabilities. Rather than building your own tooling or, riskier still, waiting for a public CVE disclosure, Dependency Search gives you the answer immediately.
The White House's directive on SBOMs emphasized their importance in software transparency. Sadly, few companies even collect SBOMs, let alone utilize them productively. Socket's Dependency Search isn't just about collecting these SBOMs but also providing actionable insights, thereby truly operationalizing them for your benefit.
The launch of Dependency Search is just one of our recent announcements. This week, we also announced our $20M Series A funding, Go support, and a new Socket Chrome extension! We're committed to continuous innovation to make open source safer for everyone.
To experience the power of Dependency Search and other Socket features, install Socket for GitHub today. We're excited to see how you'll use these tools to improve your open source security.