
Bret Comnes
August 26, 2022
Today, we're excited to announce the ability to dismiss Socket pull request alerts from within GitHub. We call this feature "Bot Commands" and it's available to all Socket users starting today.
To dismiss a Socket pull request alert, simply leave a comment on the Pull Request in the following form:
@SocketSecurity ignore foo@1.0.0
When you leave a comment like this, Socket will re-analyze your project and update the GitHub check run, while ignoring the packages mentioned in the comment (foo@1.0.0 in the example above).
Deleting the comment will un-ignore the mentioned packages, and editing the comment will re-run the report with whatever the new ignore comment is.
You can ignore multiple packages at once by separating them with a space:
@SocketSecurity ignore foo@1.0.0 bar@2.0.0
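To make the comment semantics concrete, here is an added example (not Socket's own code) of how a bot could derive the ignore set from the comments currently present on a pull request and apply it to a list of alerts. The comment and alert object shapes, the package-spec regex, and the sample data are assumptions for the illustration, loosely modelled on the GitHub issue-comment API; recomputing the set from the live comment list on every run is what makes a deleted comment un-ignore its packages and an edited comment contribute only its current text.

```javascript
// Added example: parse "@SocketSecurity ignore <pkg@version> ..." bot commands
// from pull request comments and apply the resulting ignore set to alerts.
// This is an illustration, not Socket's implementation. The comment/alert
// shapes are assumptions and the sample data below is constructed.

const BOT_HANDLE = '@SocketSecurity';

// Accepts "name@version" and scoped "@scope/name@version". Tokens that do not
// match are reported as malformed instead of being silently dropped.
const PKG_SPEC = /^(@[^\/@\s]+\/)?[^\/@\s]+@[^\s@]+$/;

// Parse one comment body. Returns null when the comment is not a command.
function parseIgnoreCommand(body) {
  const line = body.trim().split(/\r?\n/)[0].trim();
  const tokens = line.split(/\s+/);
  if (tokens[0] !== BOT_HANDLE || tokens[1] !== 'ignore') return null;
  const packages = [];
  const malformed = [];
  for (const tok of tokens.slice(2)) {
    (PKG_SPEC.test(tok) ? packages : malformed).push(tok);
  }
  return { packages, malformed };
}

// Build the ignore set from the comments that exist on the PR right now.
// Because nothing is persisted between runs, deleting a comment removes its
// packages and editing a comment replaces its contribution.
function computeIgnoreSet(comments) {
  const ignored = new Set();
  const problems = [];
  for (const c of comments) {
    const cmd = parseIgnoreCommand(c.body);
    if (!cmd) continue;
    cmd.packages.forEach((p) => ignored.add(p));
    cmd.malformed.forEach((m) => problems.push({ comment: c.id, token: m }));
  }
  return { ignored, problems };
}

// Alerts on ignored packages stay in the report but no longer fail the check;
// the check passes only when no blocking alerts remain.
function applyIgnores(alerts, ignored) {
  const blocking = alerts.filter((a) => !ignored.has(`${a.name}@${a.version}`));
  return { blocking, passes: blocking.length === 0 };
}

// Constructed sample data (not real Socket output).
const sampleComments = [
  { id: 1, body: 'LGTM, but see the Socket alert below' },
  { id: 2, body: '@SocketSecurity ignore foo@1.0.0 bar@2.0.0' },
  { id: 3, body: '@SocketSecurity ignore @acme/tool@3.1.4 notaspec' },
];
const sampleAlerts = [
  { name: 'foo', version: '1.0.0', type: 'installScripts' },
  { name: 'bar', version: '2.0.0', type: 'telemetry' },
  { name: '@acme/tool', version: '3.1.4', type: 'nativeCode' },
  { name: 'evil-pkg', version: '0.0.1', type: 'malware' },
];

// Run the pipeline over the sample data and return everything worth checking.
function demo(comments = sampleComments, alerts = sampleAlerts) {
  const { ignored, problems } = computeIgnoreSet(comments);
  const { blocking, passes } = applyIgnores(alerts, ignored);
  return { ignored: [...ignored].sort(), problems, blocking, passes };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the sample data, foo, bar and @acme/tool are ignored, the malformed token is reported against comment 3, and the check still fails because the alert on evil-pkg is not covered by any command. Dropping comment 2 from the list (the "deleted comment" case) brings foo and bar back into the blocking set.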
That's the quick summary of Socket Bot Commands. Now let's dive into the details.
One common question we've received from customers using Socket for GitHub is "What do I do when I receive a Socket alert on added or updated dependencies?".
Like all good questions, the first part of the answer tends to be "It depends!".
If you happen to install a dependency that Socket reports as Known Malware or a Troll Package, you should consider immediately removing it, or picking a different dependency.
On the other hand, if you add or update a package that introduces an Install Script or Native Code you should take a quick moment to audit the source code of the package to make sure it's not doing anything malicious.
If Socket detects a Potential Typo Squat, you should ensure you actually installed the correct package before dismissing the alert. If you're not sure what to do, you can always ask us for help.
Finally, if you add or update a package which collects Telemetry, then you can follow the instructions in the pull request alert to disable the offending package behavior, i.e. stop the collection of telemetry, in your app.
The presence of a Socket pull request alert marks the GitHub Check run as failed, ensuring that attention is drawn to the surfaced issues, malignant or benign.
Previously, if there was an alert, you could merge the PR anyway, and future reports would no longer raise the alert in any other PRs.
However, this required merging a PR that had a check run step marked with a red ❌. If you have protected branch rules enabled, or enforce a merge policy that requires all GitHub Checks to pass with a green ✅, then PRs containing Socket alerts could not move forward without some kind of administrative override.
With the new Bot Commands we're releasing today, you can tell Socket that you are not concerned about the alerts associated with a given dependency, and Socket will re-analyze the PR while ignoring those issues, allowing the Socket pull request alert to pass with a green ✅.
This provides a transparent way to 'accept' the alert prior to merging, and keeps your merged commit check runs green.
We hope this improves your pull request workflow when dealing with dependency updates and will allow us to build even better auditing tools for you and your team going forward!
To use Bot Commands, Socket requires a new read-only permission to "Issues". This allows Socket to read pull request comments in order to process them for potential Bot Commands. You will need to grant this permission in order to use this feature.
To learn more, please see our documentation.
As always, please continue to share your feature requests with us! We love building new features that make your developer experience better.