A New Design for GitHub PR Comments

We redesigned our GitHub PR comments to deliver clear, actionable security insights without adding noise to your workflow.

André Staltz

April 10, 2025

GitHub pull requests are where modern software development happens. They’re the core unit of change in most codebases and the perfect place to surface critical information about security risks. That’s why Socket’s GitHub integration is one of the most important parts of our platform. And today, it just got a massive upgrade.

At Socket, we’re on a mission to deliver the highest signal-to-noise information in software supply chain security—at the right time, and in the right context. Our newly redesigned GitHub PR comments are built with this principle in mind: clear, relevant insights exactly where developers need them.

Our user experience research has confirmed what many have long suspected: developers do care about security. But they want actionable information, not noise. They’re happy to be informed of real risks, especially when those risks are directly tied to the code they’re reviewing.

Socket’s GitHub bot inspects every PR submitted to your repo, analyzes any changes to dependencies, and leaves a comment if it detects something worth your attention. There are two types of comments the bot can post, and both have now been completely redesigned. Let’s take a look.

Overview Comment

Whenever the PR changes direct dependencies in the repository, Socket posts a comment that describes the new dependencies in terms of security risk. The renewed comment design displays each direct dependency with its scores in five categories: supply chain security, vulnerability, quality, maintenance, and license.

We’ve learned that developers really appreciate these scores when browsing our publicly available Package Search pages. They provide a quick assessment of the trustworthiness of a package. If you want more details, the table links to our web dashboard, where you can dig deeper. It's important not to overload this table with too much detail, because developers need skimmable bot comments.

When there is a version update, we also display the change in each score. In PRs, developers review code added and code changed, and we want the workflow to remain the same, just now applied on dependencies. We show dependencies added and dependencies changed. These scores replace information such as “capabilities” and “byte size”, but we didn’t eliminate that information. You can click on one of these updated dependencies, and you will navigate to our web dashboard, which will show you the capabilities added, removed, or updated, as well as the change in byte size.

Alert Comment

When Socket detects alerts that your organization’s Security Policy deems important, our bot comments on the PR as well. There are two possible levels to consider: “warning” and “blocking” alerts. Warnings are informative only: they recommend that the developer resolve the alert, but the PR is still allowed to be merged. A “block”, however, prevents the PR from being merged until the alert is resolved.

We designed this carefully to use instructive icons, and not overload the user with too much information. The user can click on an alert title, and full details on that alert will be displayed, including remediation suggestions, and links to learn (a lot) more.
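To make the two comment types concrete, here is an added example (not Socket's own code) that models the overview comment described above and the warning/block distinction from this section: it diffs the direct dependencies of a PR into "added" and "changed", renders a Markdown table with per-category scores and their deltas, and decides whether the PR remains mergeable. All package names, versions, scores and alerts are constructed for the example.

```python
# Constructed sample data: direct dependencies before and after a PR, and
# hypothetical 0-100 scores in the five categories the overview comment shows.
BEFORE = {"left-pad": "1.2.0", "lodash": "4.17.20"}
AFTER = {"left-pad": "1.3.0", "lodash": "4.17.20", "colors": "1.4.1"}

CATEGORIES = ("supply_chain", "vulnerability", "quality", "maintenance", "license")

SCORES = {  # (package, version) -> scores in CATEGORIES order (invented values)
    ("left-pad", "1.2.0"): (90, 100, 70, 60, 100),
    ("left-pad", "1.3.0"): (85, 100, 75, 65, 100),
    ("colors", "1.4.1"): (20, 100, 60, 40, 100),
}

# Constructed alerts, each tagged with the action an org policy assigned to it.
ALERTS = [
    {"package": "colors", "title": "Install scripts", "action": "warn"},
    {"package": "colors", "title": "Obfuscated code", "action": "block"},
]


def diff_direct_deps(before, after):
    """Split a manifest change into added packages and version changes."""
    added = {n: v for n, v in after.items() if n not in before}
    changed = {n: (before[n], v) for n, v in after.items()
               if n in before and before[n] != v}
    return added, changed


def fmt_delta(new, old=None):
    """Render a score; for a version update, append the change as (+n)/(-n)."""
    if old is None:
        return str(new)
    d = new - old
    return f"{new} ({'+' if d >= 0 else ''}{d})"


def overview_table(before, after, scores):
    """Build the Markdown table: one row per added or changed direct dependency."""
    added, changed = diff_direct_deps(before, after)
    rows = ["| Package | Change | " + " | ".join(CATEGORIES) + " |",
            "|---|---|" + "---|" * len(CATEGORIES)]
    for name, ver in sorted(added.items()):
        cells = [fmt_delta(s) for s in scores[(name, ver)]]
        rows.append(f"| {name} | added {ver} | " + " | ".join(cells) + " |")
    for name, (old, new) in sorted(changed.items()):
        cells = [fmt_delta(n, o) for n, o in zip(scores[(name, new)], scores[(name, old)])]
        rows.append(f"| {name} | {old} → {new} | " + " | ".join(cells) + " |")
    return "\n".join(rows)


def merge_allowed(alerts):
    """Warnings only inform; a single 'block' action holds the PR until resolved."""
    return not any(a["action"] == "block" for a in alerts)
```

Unchanged dependencies (lodash here) are left out of the table, matching the "added and changed only" view the post describes.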

We’d Love Your Feedback

We took an innovative approach to reduce noise, employing dynamic images and smart use of Markdown, setting a new standard for PR comments in the industry. We hope this exceeds expectations and helps proactively defend your repositories against supply chain risks.

We are thrilled to release this new design to our users and curious to know what you think. Feel free to reach out to customer support to voice your thoughts on how this upgrade fits into your workflow.
