Product
Bret Comnes
August 26, 2022
Today, we're excited to announce the ability to dismiss Socket pull request alerts from within GitHub. We call this feature "Bot Commands" and it's available to all Socket users starting today.
To dismiss a Socket pull request alert, simply leave a comment on the Pull Request in the following form:
@SocketSecurity ignore foo@1.0.0
When you leave a comment like this, Socket will re-analyze your project and update the GitHub check run, while ignoring the packages mentioned in the comment (foo@1.0.0 in the example above).
Deleting the comment will un-ignore the mentioned packages, and editing the comment will re-run the report with whatever the new ignore comment is.
You can ignore multiple packages at once by separating them with a space:
@SocketSecurity ignore foo@1.0.0 bar@2.0.0
That's the quick summary of Socket Bot Commands. Now let's dive into the details.
One common question we've received from customers using Socket for GitHub is "What do I do when I receive a Socket alert on added or updated dependencies?".
Like all good questions, the first part of the answer tends to be "It depends!".
If you happen to install a dependency that Socket reports as Known Malware or a Troll Package, you should consider immediately removing it, or picking a different dependency.
On the other hand, if you add or update a package that introduces an Install Script or Native Code you should take a quick moment to audit the source code of the package to make sure it's not doing anything malicious.
If Socket detects a Potential Typo Squat, you should ensure you actually installed the correct package before dismissing the alert. If you're not sure what to do, you can always ask us for help.
Finally, if you add or update a package which collects Telemetry, then you can follow the instructions in the pull request alert to disable the offending package behavior, i.e. stop the collection of telemetry, in your app.
The presence of a Socket pull request alert marks the GitHub Check run as failed, ensuring that attention is drawn to the surfaced issues, malignant or benign.
Previously, if there was an alert, you could merge the PR anyway, and future reports would no longer raise the alert in any other PRs.
However, this required merging a PR that had a check run step marked with a red ❌. If you have protected branch rules enabled, or enforce a merge policy that requires all GitHub Checks to pass with a green ✅, then PRs containing Socket alerts could not move forward without some kind of administrative override.
With the new Bot Commands we're releasing today, you can tell Socket that you are not concerned about the alerts associated with a given dependency, and Socket will re-analyze the PR while ignoring those issues, allowing the Socket pull request alert to pass with a green ✅.
This provides a transparent way to 'accept' the alert prior to merging, and keeps your merged commit check runs green.
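To make the comment format and the re-analysis behaviour above concrete, here is an added example (not Socket's own code) that parses "@SocketSecurity ignore" comments, folds the comments currently on a PR into one ignore set, and derives the resulting check-run conclusion. The alert records, the comment bodies and the function names are constructed for the example; the handling of scoped packages (splitting at the last '@') is an assumption.

```javascript
// Added example, not Socket's implementation: model the Bot Command workflow.
const BOT_HANDLE = '@SocketSecurity';

// Parse one comment body and return the "name@version" specs it ignores.
// Each "@SocketSecurity ignore a@1 b@2" line contributes its space-separated specs.
// Scoped packages (@scope/name@1.0.0) are split at the LAST '@' (assumption).
function parseIgnoreCommand(body) {
  const ignored = new Set();
  for (const line of body.split('\n')) {
    const tokens = line.trim().split(/\s+/);
    if (tokens[0] !== BOT_HANDLE || tokens[1] !== 'ignore') continue;
    for (const spec of tokens.slice(2)) {
      const at = spec.lastIndexOf('@');
      if (at <= 0) continue; // no version (or a bare "@scope"): not a valid spec
      ignored.add(spec);
    }
  }
  return ignored;
}

// The effective ignore set is the union over the comments currently on the PR:
// deleting a comment drops its packages, editing one replaces its list.
function effectiveIgnores(comments) {
  const all = new Set();
  for (const body of comments) {
    for (const spec of parseIgnoreCommand(body)) all.add(spec);
  }
  return all;
}

// Re-evaluate the check run: alerts on ignored packages are dropped, and the
// run passes only when no alert remains.
function evaluateCheckRun(alerts, comments) {
  const ignored = effectiveIgnores(comments);
  const remaining = alerts.filter(a => !ignored.has(`${a.pkg}@${a.version}`));
  return { remaining, conclusion: remaining.length === 0 ? 'success' : 'failure' };
}

// Constructed sample input: three alerts and the comments left on the PR.
const sampleAlerts = [
  { pkg: 'foo', version: '1.0.0', type: 'Install Script' },
  { pkg: 'bar', version: '2.0.0', type: 'Telemetry' },
  { pkg: '@scope/baz', version: '3.1.0', type: 'Native Code' },
];
const sampleComments = [
  '@SocketSecurity ignore foo@1.0.0 bar@2.0.0',
  'LGTM, the native addon was reviewed.',
  '@SocketSecurity ignore @scope/baz@3.1.0',
];
console.log(evaluateCheckRun(sampleAlerts, sampleComments));
```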
We hope this improves your pull request workflow when dealing with dependency updates and will allow us to build even better auditing tools for you and your team going forward!
To use Bot Commands, Socket requires a new read-only permission to "Issues". This allows Socket to read pull request comments in order to process them for potential Bot Commands. You will need to grant this permission in order to use this feature.
To learn more, please see our documentation.
As always, please continue to share your feature requests with us! We love building new features that make your developer experience better.