Product
Mikola Lysenko
Bradley Meck Farias
Alex Morais
December 21, 2023
We're thrilled to announce that our most-requested-feature-by-far is finally here: Organization Alerts. This new feature is a game-changer for security teams, providing a comprehensive view of all risks across your organization’s repositories – even if you have hundreds of thousands of dependencies across thousands of repositories.
Organization Alerts is our way of making your dependency security risks clearer and more manageable than ever before. They're the evolution of our previously launched Project Health Reports 1.0, but now offering a broader perspective.
Our existing Project Health Reports offer insights into the risks within a single repository. Our newly launched Organization Alerts take this a step further by enabling teams to monitor risks across all repositories within the organization.
Imagine having the ability to see every risk, in every repo, all in one place – that’s the power of Organization Alerts.
We know your time is precious. So we built an information-dense table view that shows everything that matters for each alert. We invested significant engineering effort to ensure that the performance is blazing fast, even if your organization has hundreds of thousands of dependencies across thousands of repositories, as many of our customers have.
We know each team has unique needs, so we've built robust filtering and grouping options. Want to zero in on specific repositories or alert severities? Easy. Curious about only supply chain risks or license issues? You got it. Group alerts by severity, category, or even package – you're in control, with a tailored view that aligns with your team’s priorities.
Clicking on an alert reveals a world of detailed information. You’ll see comprehensive details specific to that alert type, including every repository within your organization that is affected. This feature brings clarity and specificity to vulnerability management, ensuring you’re always informed and ready to act.
If you're using Socket for GitHub, you'll see a live-updating view of all alerts present in the default branch of every repository in your organization. (Note: If you've enabled Socket on only some of your repositories, then you'll only see alerts for those repositories.)
CLI and API users can also use Organization Alerts by submitting their manifest files through the Dependency API. This will include your data in both the Organization Alerts and Dependency Search features. And yes, the classic Project Health Report view for single repositories is still there for you.
As part of today’s release, we're also excited to announce a significant enhancement to the Dependency Search feature. Previously, to populate Dependency Search, you needed to manually upload manifest files, such as package.json, requirements.txt, or go.mod, through the Socket API. Without this step, your Dependencies table would remain empty, and you'd potentially miss critical insights.
Dependency Search has always been a powerful tool, providing visibility over the open source dependencies used across your organization. It enables you to search in real-time across your entire codebase, identifying specific dependencies and uncovering potential risks. Whether it’s finding malware, detecting undisclosed vulnerabilities, or operationalizing SBOMs, Dependency Search has been a game-changer for many of our customers.
But now, we're taking it a step further. For those using Socket for GitHub, we have great news! We’re now automatically tracking every dependency listed in every manifest file across all repositories in your organization. At this time, we only track the default branch within each repository.
This enhancement eliminates the need for manual uploads, streamlining your workflow.
With this significant upgrade to Dependency Search, combined with the launch of Organization Alerts, we’re reinforcing our commitment to providing you with the most comprehensive tools to manage your open source security.
Organization Alerts will be rolling out to all Socket users over the next few days. Existing users can explore this new feature right away in the Socket dashboard. If you're new, getting started with Socket is as simple as installing Socket for GitHub or Socket CLI – it only takes two clicks.
We believe that Organization Alerts will massively improve how you view your Socket alerts across your organization, especially if you have hundreds or thousands of repositories in your organization.
But we're not finished yet. Here's what we're working on next:
Your feedback is crucial to us. If there’s a feature you desire, please submit your suggestions or contact us directly. If you're an enterprise customer or considering becoming one, we’d love to discuss your needs.
We're so excited to finally ship this much-requested feature and can't wait to keep shipping useful developer-first security tools to you in 2024 and beyond!