Today, we're shipping 3 important improvements for the Socket GitHub app!
Finer-grained GitHub check runs
When we launched Socket for GitHub 1.0, we quietly added a useful new feature called Project Health Reports which give you an overview of all dependencies (direct and transitive) found in your repository.
Project Health Reports help security teams or developers get a pulse on the existing security risks detected in a GitHub repository. You can use them to answer questions such as "which of my dependencies uses an install script?" or "which of my dependencies accesses the network?".
When we added support for Project Health Reports alongside our existing Pull Request Alerts, we reported the status of these two tasks in a single check run (the status indicator that shows up above the merge button in a pull request):
After gathering feedback from our 1.0 launch, we are separating out these two reports into individual check runs. Now you will see two check run status lines in PRs.
Here's how it looks:
This has a number of benefits:
- Finer-grained check runs (useful for setting finer-grained branch protection rules).
- More reliable reporting.
- Ability to enable/disable Project Health Reports or Pull Request Alerts individually.
- Run project reports on any commit (coming soon).
To summarize:
Pull Request Alerts highlight any new critical issues that the pull request would directly introduce to the project if it were to be merged.
Pull Request Alerts look at the simulated result of merging the pull request branch into the target branch and detect changes from that context. These alerts take the form of a check run status, check run details page, and a comment left in your pull request discussion thread.
Project Health Reports provide an overview of all dependencies (direct and transitive) found in your repository for a given commit.
These reports help security teams or developers get a pulse on the existing security risks detected in a GitHub repository. You can use them to answer questions such as "which of my dependencies uses an install script?" or "which of my dependencies accesses the network?".
This dual check pattern is very similar to how GitHub Actions can run your tests in a push and pull_request event context in order to validate changes to a branch directly, as well as preview the results of merging the pull request.
New configuration options
Along with finer-grained check runs, we're releasing finer-grained (and always optional) settings in our socket.yml file.
These are the new settings we support:
- pullRequestAlertsEnabled: Enable or disable pull request alerts (comments and check runs).
- projectReportsEnabled: Enable or disable project report generation and the associated check run.
You can read more about these in the docs.
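Because the two reports now surface as separate check runs, a branch protection rule has to name each one it requires, and a check that socket.yml disables will never report on that repository. The following added example (not Socket's own code) derives the expected check runs from a socket.yml and flags required checks that can no longer be satisfied; the check-run names, the treat-absent-as-enabled default, and the simplified top-level-only parser are assumptions for this example.

```python
# Added example, not Socket's own code. Decide which of the two Socket check
# runs a repository will produce from its socket.yml, then compare against the
# checks its branch protection rule requires. The key names are the two the
# post lists; everything else below is an assumption for the example.

# Assumed: a key that is absent behaves as enabled (the settings are optional).
DEFAULTS = {"pullRequestAlertsEnabled": True, "projectReportsEnabled": True}

# Assumed check-run names; substitute the names shown in your PR status list.
CHECK_NAMES = {
    "pullRequestAlertsEnabled": "Socket Security: Pull Request Alerts",
    "projectReportsEnabled": "Socket Security: Project Report",
}


def parse_socket_yml(text):
    """Read the two top-level boolean settings (simplified parser, no PyYAML)."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if ":" not in line or raw[:1].isspace():
            continue  # skip nested keys and lines that are not key: value
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().lower()
        if key in DEFAULTS and value in ("true", "false"):
            settings[key] = value == "true"
    return settings


def expected_check_runs(text):
    """Names of the Socket check runs this socket.yml will actually produce."""
    settings = parse_socket_yml(text)
    return {CHECK_NAMES[k] for k, enabled in settings.items() if enabled}


def audit_branch_protection(text, required_checks):
    """Required checks that can never report because socket.yml disables them.
    GitHub keeps such a PR blocked, waiting for a status that never arrives."""
    return sorted(set(required_checks) - expected_check_runs(text))


if __name__ == "__main__":
    # Constructed sample: project reports switched off, PR alerts left at default.
    sample = "projectReportsEnabled: false  # constructed sample config\n"
    required = list(CHECK_NAMES.values())
    print(expected_check_runs(sample))
    print(audit_branch_protection(sample, required))
```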
Improved reliability
We are working diligently to improve the reliability and observability of our report generation pipeline and will be silently rolling out a number of backend changes that should improve report success rates over the next few weeks.
Install Socket and get protected today!