August 26, 2022
Today, we're excited to announce the ability to dismiss Socket pull request alerts from within GitHub. We call this feature "Bot Commands" and it's available to all Socket users starting today.
To dismiss a Socket pull request alert, simply leave a comment on the Pull Request in the following form:
@SocketSecurity ignore [email protected]
When you leave a comment like this, Socket will re-analyze your project and update the GitHub check run, while ignoring the packages mentioned in the comment ([email protected] in the example above).
Deleting the comment will un-ignore the mentioned packages, and editing the comment will re-run the report with whatever the new ignore comment is.
You can ignore multiple packages at once by separating them with a space:
@SocketSecurity ignore [email protected] [email protected]
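To make the command semantics above concrete, here is an added example (not Socket's own code) that extracts the ignored packages from the comments currently on a pull request and decides whether the check run should go green. It assumes the `package@version` token shape and the sample package names are constructed for illustration; deleted comments are modelled as absent, and an edited comment contributes only its latest text.

```python
import re
from typing import Iterable

# Constructed pattern for the command shape shown in the post:
# "@SocketSecurity ignore <pkg@version> [<pkg@version> ...]".
# Whether Socket accepts other spellings or casing is not stated there.
COMMAND_RE = re.compile(r"^\s*@SocketSecurity\s+ignore\s+(.+?)\s*$", re.MULTILINE)
# One token: optional npm scope, package name, "@", version (assumed shape).
PACKAGE_RE = re.compile(r"^(@?[^@\s]+)@(\S+)$")


def parse_ignore_command(comment: str) -> list[tuple[str, str]]:
    """Return the (name, version) pairs named by ignore commands in one comment body."""
    found: list[tuple[str, str]] = []
    for match in COMMAND_RE.finditer(comment):
        for token in match.group(1).split():
            pkg = PACKAGE_RE.match(token)
            if pkg:  # tokens that are not package@version are skipped
                found.append((pkg.group(1), pkg.group(2)))
    return found


def current_ignore_set(comments: Iterable[str]) -> set[tuple[str, str]]:
    """Union of ignores across the comments that exist on the PR right now.

    A deleted comment is simply no longer in `comments`, so its packages drop
    out; an edited comment is passed with its new text, so the report follows
    whatever the latest ignore list says.
    """
    ignored: set[tuple[str, str]] = set()
    for body in comments:
        ignored.update(parse_ignore_command(body))
    return ignored


def check_run_passes(alerted: Iterable[tuple[str, str]], comments: Iterable[str]) -> bool:
    """Model of the post's rule: the check is green only when every package
    that raised an alert is named by an ignore comment still present on the PR."""
    return set(alerted) <= current_ignore_set(comments)


if __name__ == "__main__":
    # Constructed sample PR comments, not real alerts.
    comments = ["LGTM", "@SocketSecurity ignore left-pad@1.3.0 @scope/pkg@2.0.0"]
    print(check_run_passes([("left-pad", "1.3.0")], comments))  # True
```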
That's the quick summary of Socket Bot Commands. Now let's dive into the details.
Like all good questions, the first part of the answer tends to be "It depends!".
On the other hand, if you add or update a package that introduces an Install Script or Native Code you should take a quick moment to audit the source code of the package to make sure it's not doing anything malicious.
Finally, if you add or update a package which collects Telemetry, then you can follow the instructions in the pull request alert to disable the offending package behavior, i.e. stop the collection of telemetry, in your app.
The presence of a Socket pull request alert marks the GitHub Check run as failed, ensuring that attention is drawn to the surfaced issues, malignant or benign.
Previously, if there was an alert, you could merge the PR anyway, and future reports would no longer raise the alert in any other PRs.
However, this required merging a PR that had a check run step marked with a red ❌. If you have protected branch rules enabled, or enforce a merge policy that requires all GitHub Checks to pass with a green ✅, then PRs containing Socket alerts could not move forward without some kind of administrative override.
With the new Bot Commands we're releasing today, you can tell Socket that you are not concerned about the alerts associated with a given dependency, and Socket will re-analyze the PR while ignoring those issues, allowing the Socket pull request alert to pass with a green ✅.
This provides a transparent way to 'accept' the alert prior to merging, and keeps your merged commit check runs green.
We hope this improves your pull request workflow when dealing with dependency updates and will allow us to build even better auditing tools for you and your team going forward!
To use Bot Commands, Socket requires a new read-only permission to "Issues". This allows Socket to read pull request comments in order to process them for potential Bot Commands. You will need to grant this permission in order to use this feature.
To learn more, please see our documentation.
As always, please continue to share your feature requests with us! We love building new features that make your developer experience better.