Product
Bret Comnes
July 26, 2022
Today, we're shipping 3 important improvements for the Socket Github app!
When we launched Socket for GitHub 1.0, we quietly added a useful new feature called Project Health Reports which give you an overview of all dependencies (direct and transitive) found in your repository.
Project Health Reports help security teams or developers get a pulse on the existing security risks detected in a GitHub repository. You can use them to answer questions such as "which of my dependencies uses an install script?" or "which of my dependencies accesses the network?".
When we added support for Project Health Reports alongside our existing Pull Request Alerts, we reported the status of these two tasks in a single check run (the status indicator that shows up above the merge button in a pull request):
After gathering feedback from our 1.0 launch, we are separating out these two reports into individual check runs. Now you will see two check run status lines in PRs.
Here's how it looks:
This has a number of benefits:
To summarize:
Pull Request Alerts highlight any new critical issues that the pull request would directly introduce to the project if it were to be merged.
Pull Request Alerts look at the simulated result of merging the pull request branch into the target branch and detect changes from that context. These alerts take the form of a check run status, check run details page, and a comment left in your pull request discussion thread.
Project Health Reports provide an overview of all of dependencies (direct and transient) found in your repository for a given commit.
These reports help security teams or developers get a pulse on the existing security risks detected in a GitHub repository. You can use it to answer questions such as "which of my dependencies uses an install script?" or "which of my dependencies accesses the network?".
This dual check pattern is very similar to how GitHub Actions can run your tests in a push and pull_request event context in order to validate changes to a branch directly, as well as preview the results of merging the pull request.
Along with finer-grained check runs, we're releasing finer-grained (and always optional) settings in our socket.yml file.
These are the new settings we support:
pullRequestAlertsEnabled: Enable or disable pull request alerts (comments and check runs).projectReportsEnabled: Enable or disable project report generation and the associated check run.You can read more about these in the docs.
We are working diligently to improve the reliability and observability of our report generation pipeline and will be silently rolling out a number of backend changes that should improve report success rates over the next few weeks.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Security News
As cyber threats become more autonomous, AI-powered defenses are crucial for businesses to stay ahead of attackers who can exploit software vulnerabilities at scale.
Security News
UnitedHealth Group disclosed that the ransomware attack on Change Healthcare compromised protected health information for millions in the U.S., with estimated costs to the company expected to reach $1 billion.
Security News
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.