Security News
How Threat Actors are Abusing GitHub’s File Upload Feature to Host Malware
GitHub is susceptible to a CDN flaw that allows attackers to host malware on any public repository.
By Sarah Gooding - Apr 23, 2024
Socket VSCode Extension
Introducing a VS Code editor integration for Socket Security.
Bradley Meck Farias
January 31, 2023
Developer tooling can be a boon or a pain! We are always looking to alleviate some of the pains of security tooling by innovating and finding out how to inform developers without overloading them.
Developers can spend too much energy finding data about dependencies whenever they get security reports. This burden can come in many ways: one alert too many leading a developer to silence every alert in order to find a way to focus, requiring exiting your dev workflow in order to manually search for data is another! With the launch of the Socket Security VSCode Extension we are delving into a new way to solve this for our users. The extension is published to both the VSCode Marketplace and OpenVSX Registry.
We want to solve the developer experience around these tools which often can overwhelm a developer. With that in mind, we are trying different methods of integrating with existing developer workflows without needing to jump around to see data.
Showing summaries in JavaScript files#
Often while developing we write our code and can sometimes want to know about things like how big is it or a general summary. This data isn't usually shown when you copy/paste. Taking some inspiration from developer favorites around bundle size we are providing a simple overlay for this small summary and a quick view of what is going on.
For some things like typos you will likely see quick info that should help. For other things like trying out a new dependency you can see info before even running an installation. Showing warning or error overlays is configurable in the extension settings.
Showing in depth information about installations#
VS Code has a variety of features meant to handle showing diagnostic issues that may take your attention and need to be fixed. To that end we integrated with that feature and show the lovely little colored squigglies based upon severity of issues we found in your package.json files. These squigglies aren't peppered throughout your code base but always available in the Problems tab of VS Code for quick perusal. Our default stance at Socket is to show concerning issues and not every issue so don't expect it to be overload a developer with problems unless you change the settings of the extension to outside the defaults.
Guide#
We have more information on configuration options and management over in our Guides.
Future Directions#
We will be listening to our users for feedback on the extension and suggestions. Being able to tie information from the extension to organizations and the dashboard is ongoing work.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Related posts
Back to all posts
Security News
The Dark Side of Open Source
At Node Congress, Socket CEO Feross Aboukhadijeh uncovers the darker aspects of open source, where applications that rely heavily on third-party dependencies can be exploited in supply chain attacks.
By Sarah Gooding - Apr 19, 2024
Research
Security News
npm Package for ReExt React Components Library Exfiltrates Git Credentials
The Socket Research team found this npm package includes code for collecting sensitive developer information, including your operating system username, Git username, and Git email.
By Sarah Gooding, Socket Research Team - Apr 18, 2024