Introducing Enhanced Alert Actions and Triage Functionality

We're thrilled to publicly announce our recently soft-launched enhancement to the Socket alert system: expanded alert actions and alert triage functionality. These features, which some of you have already started exploring, offer greater control and flexibility in managing alerts across your organization.

Let's take a closer look at the new features below.

Four Alert Actions: Block, Warn, Monitor, and Ignore

Our expanded alert system now offers four distinct actions, each designed to give organizations precise control over how to handle notifications. Before we dive into the new options, let's recap our existing alert actions:

• Ignore: This action allows you to filter out alerts that aren't relevant to your organization.

• Error: Our original high-severity action that blocks CI/CD checks and requires resolution before proceeding.

Building on this foundation, we've introduced two new actions so that we now have:

• Block (formerly "Error"): Reserved for the highest confidence and severity alerts, the "Block" action fails the Socket CI/CD check, effectively blocking Pull Requests (PRs) or Merge Requests (MRs) until the alert is resolved. Alerts with this action are visible across all Socket interfaces and integrations.
• Warn: The "Warn" action is ideal for alerts you trust and need to act on. These alerts appear in your PRs or MRs (without blocking them), the Socket Dashboard, and through any integrations you've set up. It's the right choice when you want to highlight issues without halting development. This middle ground allows teams to make informed, context-specific decisions about whether to proceed or investigate further, recognizing that security isn't always black and white.
• Monitor: Perfect for alerts you're still evaluating, the "Monitor" action displays alerts in the Socket Dashboard, including the organization-wide alerts page and reports. This allows you to keep an eye on potential issues without cluttering your development workflow.
• Ignore: This action remains unchanged, allowing you to completely filter out alerts that aren't relevant to your project. Alerts set to "Ignore" won't appear in pull requests (PRs), merge requests (MRs), or anywhere else in the Socket platform, including the Dashboard's Organization Alerts and Reports.

No migration steps are needed on your part. Aside from "Error" being renamed to "Block", there is no change in behavior if you continue to use your existing security policy, with the added benefit of access to our new, more granular alert actions.

You should have started seeing a new "CI" column in the comments left by the Socket GitHub bot, with the icons signaling whether the respective alert's action is set to "Block" (🚫) or "Warn" (⚠︎).

The expanded actions will help you prioritize and categorize Socket alerts more effectively. Use "Warn" to highlight potential concerns while maintaining development velocity when appropriate by not failing CI checks. You can change the settings for any of the supported alert types on your organization's security policy page:

For more information and the full list of the default enabled alerts, please consult our documentation.

Using Alert Triaging

Complementing these alert actions is our new triage system. This powerful and frequently requested feature allows you to override the default alert action set in your Security Policy for individual alerts inside your organization's alerts table.

To give a concrete example, if your security policy sets "AI detected potential malware" alerts to "Block", but you encounter a false positive, you can now change that specific alert's action to "Ignore". This will have the following impact:

• It removes the alert from the default Org Alert Table view

• Excludes it from future report runs

• Re-runs checks in open PRs affected by this alert (coming soon)

You can always go back and keep the behavior of your Security Policy by simply changing the alert's action to "Inherit" - which is the default behavior for all alerts.

To start using this feature today, go to your organization's alert table, click on any alert and you will see a new button at the top right corner of the sidebar. This button will let you change the action of the selected alert via a dropdown.

This granular control enables you to maintain strict security policies while accommodating necessary exceptions. It significantly reduces alert noise by allowing you to hide old, investigated alerts or manage false positives effectively. Once an alert has been thoroughly investigated and addressed, you can triage it to "Ignore", keeping your alert dashboard focused on new, actionable items without losing the historical record.

The triage system also supports a more balanced security approach. Not all alerts necessitate stopping the entire CI/CD process. Development teams can move forward with their work while remaining aware of potential issues, and security teams can ensure that all concerns are visible without unnecessarily impeding progress.

Upcoming Improvements

We're excited to announce that we'll soon be shipping new default security policies with improved alert settings. These new defaults will leverage our expanded alert actions to provide a more nuanced and effective security posture out of the box. Of course, you'll still have the ability to further customize these policies to suit your specific needs!

We Value Your Feedback

As always, your feedback and insights are invaluable to us. If you've been using these new features, we'd love to hear about your experience. How have they impacted your workflow? Are there additional capabilities you'd like to see?

Thank you for your continued trust in Socket. We're committed to evolving our platform to meet your security needs, and we look forward to seeing how these enhancements contribute to your development process.

Happy coding, and stay secure!