Product
Feross Aboukhadijeh
March 1, 2023
Exactly one year ago we announced Socket, a simple, developer-friendly GitHub App that protects your JavaScript apps from software supply chain attacks. Since then, thousands of organizations have adopted Socket – including Vercel, Brave, BBC, Expo, Storybook, Replit, Metamask – and many more.
Today, we are incredibly excited to announce that Socket now supports Python!
Python is one of the most popular programming languages in the world, with millions of developers using it for everything from data science to web development. However, like all open source software, Python packages are vulnerable to supply chain attacks.
Over the past year, we've seen a sharp rise in supply chain attacks targeting PyPI. Attackers have taken notice of the opportunity to attack organizations through PyPI dependencies. That's why we've been working incredibly hard to ensure Socket offers best-in-class protection for teams that build with Python.
To get started with Socket for Python, you can install the Socket GitHub App. It takes less than five minutes to add Socket protection to all of your Python projects.
Socket has robust support for the most popular ways to declare Python dependencies, including:
pip requirements files (e.g. requirements.txt)
setup.py
pipfile
pyproject.toml (standardized by PEP 518, PEP 517, PEP 621 and PEP 660)
poetry
setup-tools
pdm
flit
With the addition of Python to our list of supported languages and ecosystems, you can now easily audit, manage, and secure your Python packages with Socket. You can see a demo of a few Python dependency configurations supported by Socket in our demo repo: SocketDemo/avatar_diffusion (and while you're at it, you'll get to try out Stable Diffusion generative AI!)
Developers and security teams always tell us how much they love Socket's proactive security, easy installation process, and comprehensive open source protection. And with the addition of Python support, we're even better equipped to help developers and security teams work together to securely use and maintain OSS within their organizations.
One of the most-loved features of Socket is the quick, easy installation. Socket's GitHub App can be installed in 2 minutes, giving you instant protection and peace of mind.
And once you've installed Socket, you can rest easy knowing that we are automatically monitoring your Python packages for any potential security risks, preventing compromised or hijacked packages from infiltrating your supply chain by monitoring changes to dependencies in real-time.
At Socket, we believe in proactively detecting and preventing supply chain attacks before they cause damage. With the addition of Python support, we hope to offer this level of protection to even more organizations and teams.
To help illustrate how Socket works, here is an example of Socket helping a developer who accidentally installed requests5 instead of requests – an easy typo for a busy developer to make:
For this initial Python release, we support detecting the most common supply chain attack - typosquatting. We plan to quickly expand the list of supported Python issues to encompass the full 70+ issues that we support for npm in the coming weeks and months.
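To show the kind of check a typosquat detector performs on a requirements.txt, here is an added example (not Socket's own detection logic): it normalizes each requirement name per PEP 503 and flags names within a small edit distance of a constructed allowlist of well-known PyPI packages, which catches the requests5 case above.

```python
import re

# Constructed allowlist for the example; a real detector would rank candidates
# by download popularity rather than use a fixed set (hypothetical data).
POPULAR = {"requests", "numpy", "urllib3", "setuptools", "pandas", "flask", "django"}

# Constructed requirements.txt used as sample input.
SAMPLE = """\
# constructed requirements.txt for the example
requests5==2.28.1
numpy>=1.24
urlib3
Flask
"""

def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of -, _, . into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(line: str):
    """Return the normalized project name from a requirements line, or None."""
    line = line.split("#", 1)[0].strip()          # drop comments
    if not line or line.startswith(("-", "git+", "http")):
        return None                                # options, VCS and URL lines
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return normalize(m.group(1)) if m else None

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(name: str, popular=POPULAR, max_distance: int = 2):
    """Popular names within max_distance edits of `name`; exact matches are clean."""
    name = normalize(name)
    if name in popular:
        return []
    return sorted(p for p in popular if levenshtein(name, p) <= max_distance)

def scan_requirements(text: str) -> dict:
    """Map each suspicious requirement to the popular packages it resembles."""
    findings = {}
    for line in text.splitlines():
        name = parse_requirement(line)
        if name is not None and (hits := typosquat_candidates(name)):
            findings[name] = hits
    return findings
```

Edit distance alone is a heuristic: a legitimately named package can sit one edit from a popular one, so a finding is a prompt to verify the package, not proof of an attack.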
Most "vulnerability scanning" tools merely look up the packages you're using to see if any vulnerabilities have been reported to public CVE databases, an approach that is noisy and riddled with false positives.
Socket takes an entirely new approach. Socket uses "deep package inspection" to peel back the layers of a dependency and characterize its actual behavior. This allows us to detect and block likely supply chain attacks before they strike, mitigating the worst consequences.
With Socket, you don't have to worry about alert fatigue or wasting time sifting through piles of meaningless alerts. By default, Socket only alerts you on the most critical security issues – potential supply chain attacks, known malware, typosquats, and other similarly severe issues.
This means you can focus on what matters most – building great software – while Socket takes care of the security side of things.
Developers can use the free socket.dev package search tool to quickly evaluate the security and health of any PyPI package.
When you start your package search on socket.dev, you will get proactive information when you're about to use a malicious or risky package. Socket detects 70+ red flags in open source code, including malware, typo-squatting, hidden code, misleading packages, excessive permissions (filesystem, network, environment variables), and more.
Here is an example that illustrates the power of using socket.dev instead of default search tools at npmjs.com or pypi.org. Look at the wealth of information not available in the default search tools:
We're working on providing the same extensive information (including Socket security data) for PyPI packages as we do for npm packages. In the meantime, we've taken the first step by supporting PyPI packages on the Socket website. For example, see the pages for numpy and requests.
But Socket isn't just about preventing security risks going forward. We also offer a Project Health Report, which gives you visibility into the open source security issues present in your repositories today. This means you can retroactively remediate existing issues and ensure that all of your open source dependencies are as secure as possible.
At Socket, we're committed to making open source software safe for everyone. That's why we're constantly expanding our capabilities and adding support for new ecosystems. With today's release of Python support, we're taking another step towards that goal, and we're excited to see what our customers will be able to achieve with this new feature.
If you haven't seen it yet, don't miss our recently-released Socket VS Code Extension, Project Health Reports, improved support for npm and Yarn, Organization Dashboards, and SOC 2 Type 2 Compliance.
Finally, there are still a few places where we hope to improve our Python support for certain lesser-used setups:
pip JSON lockfile support (pipfile.lock) – don't worry, pip-compile output works!
hatch package manager specific files (hatch.toml)
setup-tools specific files (setup.cfg)
If you use one of the above in your setup and want early access, please schedule a demo and our team will make sure Socket works with your exact Python setup.
If you want to try out Socket with Python support, you can install the GitHub App in less than 2 minutes.
We're here to help you keep your open source software secure, no matter what language or package manager you're using. Stay tuned for more language support soon, and vote for the language you would like to see next!
If you have any questions or feedback, please don't hesitate to reach out to our dedicated support and engineering team. If you would like to chat with someone on our team, you can schedule a demo with a technical expert.
Happy hacking!