What's new at Socket?

Staying on top of dependency updates and vulnerability alerts just got a whole lot easier.

Today we're introducing socket fix — a new CLI tool that automatically upgrades vulnerable dependencies with built-in safety checks. No more guesswork, no more breaking changes.

With socket fix, you can:

• Fix vulnerabilities automatically by updating dependencies.
• Run tests during upgrades to ensure updates are safe (--test mode).
• Autopilot upgrades in CI with automatic testing and merging (--autopilot mode).
• Use it locally or in CI with support for npm and pnpm out of the box.

Available now:

• Open beta for all users
• Easy to install: npm i -g socket
• Try it with: socket fix --test
• GitHub Actions template available for CI integration

More package manager support is on the way! Check out the announcement on the blog.

We’ve launched a major upgrade to Socket’s analytics: you can now access 30 days of historical scan data to see how your security posture changes over time.

The revamped Analytics dashboard lets you drill into past alerts, visualize trends, and track how dependencies and risks evolve—day by day. New API endpoints make it easy to export historical alerts and power your own dashboards, reports, or workflows.

Whether you're debugging regressions, tracking long-term improvements, or building internal tools, Historical Analytics gives you the context you've been missing.

Check out the announcement for more details.

We just shipped the first iteration of Module Reachability, a major improvement to how Socket helps you prioritize vulnerabilities that actually matter.

What’s new:

• You can now filter CVEs by used dependencies in the Socket dashboard
• This lets you ignore transitive packages that your application doesn’t import or call
• The result? We're a significant reduction in noise—on average, 25–35% of transitive dependencies are filtered out as unused.

How it works:
Socket scans your manifest files (like package.json, go.mod, pom.xml, etc.) and performs a lightweight, privacy-first code scan to detect which transitive modules are actually in use. Unused packages get flagged, and any associated vulnerabilities are filtered out.

No source code ever leaves your environment — we extract only module names, discard file contents immediately, and perform the analysis securely.

Availability:

• Free tier: Already enabled by default
• Paid plans: Opt in via Settings
• No configuration or build steps required

This is just the beginning. In the coming months, we’ll be extending Reachability with Coana’s advanced static analysis engine — bringing even deeper precision and performance to every Socket scan.

🧠 Try it now by flipping on the Used dependencies only toggle in your Vulnerabilities tab — and stay tuned.

Check out the announcement post and the docs for more details.

You can now organize your repositories with custom labels and apply label-specific security policies.

This gives you fine-grained control over how security rules are enforced — ideal for large orgs managing lots of repos across different teams, stacks, and sensitivity levels.

With this update you can:

• Add custom labels to repositories (e.g. archived, frontend, critical, team-security)
• Filter, sort, and search by label
• Apply custom security policies to any label
• Override your org-wide security policy for specific sets of repos
• Automate it all using our public API

Label-based security policies take effect immediately when a label is applied. You can still keep a default org-wide policy for everything else.

Check out the announcement on the Socket blog!

We’ve updated the Python CLI to align with the new PR comment template used by the GitHub App. This change ensures a consistent developer experience across tools and improves readability and formatting of automated comments left on pull requests.

We’ve made the CDX export endpoint more flexible and future-proof by generalizing it to support all ecosystems, not just a hardcoded subset. This enhancement ensures broader compatibility across package managers and makes it easier to integrate with SBOM tools that expect CycloneDX format regardless of ecosystem.

Socket now supports the .NET ecosystem in public beta! Projects using NuGet and MSBuild (e.g., with *.csproj and packages.lock.json) are now scanned for supply chain threats, including typosquatting, dependency confusion, and malicious updates.

The beta also includes improved SBOM accuracy and deep analysis of .NET dependency graphs — including transitive and conditionally imported packages. Lock file support is recommended for best results.

Check out the announcement on the blog for more details.

You can now exclude specific ecosystems from being scanned by the Socket CLI. This is especially useful for customers who want to ignore results from certain languages. Exclusions are handled via the Supported Files API endpoint.

The Python CLI now lets you choose whether a newly created repository should be public or private. This added flexibility makes it easier to tailor your workflow and manage visibility right from the command line.

Socket's support for the Go ecosystem is now generally available. Projects with go.mod and go.sum files are automatically scanned for supply chain threats, including deep code analysis for obfuscation, backdoors, and misuse of exec.Command. Go joins JavaScript, Python, Java, and Ruby as fully supported languages with comprehensive alerting.

Users can manage Go-specific alerts in project settings.

The Socket Python CLI now supports Slack alerts, making it easy to receive security issue notifications directly in your Slack workspace. This helps teams stay on top of supply chain threats without leaving their communication tools.

To enable Slack alerts, configure the new Slack plugin in your CLI settings.

The Socket Python CLI now supports automatic Jira ticket creation when Blocked or Warning issues are detected during full scans. This makes it easier to integrate Socket into your existing CI/CD workflows and issue tracking systems.

To get started, configure the Jira plugin in your CLI setup.

Socket's support for Ruby projects is now generally available. Projects with Gemfile.lock files are automatically scanned for supply chain threats beyond traditional CVEs, including malicious behavior in Ruby gems. Support for Gemfile and .gemspec is still available but no longer recommended due to lower precision.

Ruby scanning is now enabled by default for all users.

The dependency reachability toggle is back — now with a more reliable implementation. This feature helps identify unused dependencies by analyzing which ones are actually reachable in your code.

You’ll find the toggle in your organization settings (for all paid plans). It now correctly maintains its state when switching between organizations, ensuring consistent and accurate results.

You can now reliably search for dependencies between two version numbers on the Dependencies page. We’ve fixed an issue that prevented queries like 1.0.0 - 2.0.0 from working properly.

As a bonus, quoted search terms like "lodash" now perform an exact match, giving you more precision when navigating large dependency lists.

We've improved the AlertModal in the dashboard to make it easier to understand and act on security issues. When available, alerts now include suggested remediation steps directly in the UI — giving you clearer guidance on how to resolve issues. CVE descriptions are also now rendered with Markdown formatting, making them much more readable.

These updates are part of our ongoing efforts to make vulnerability triage faster and more actionable.

Severity counters in alert tables now have a cleaner loading state and use color more effectively for better readability. These changes enhance the overall usability and visual clarity when switching between alert views in the dashboard.

Organizations can now enable or disable dependency reachability analysis from the settings page. When enabled, Socket will analyze which dependencies are actually used in your codebase, resulting in more accurate detection of dead (unused) dependencies.

The Python CLI no longer crashes when exporting to SARIF format in cases where certain alert attributes are missing. We now perform proper checks to ensure attributes exist before accessing them.

Search now works correctly on the Org Alerts page (beta), even when license-related alerts have incomplete data. Previously, certain license alerts caused search to silently fail due to missing expected fields.

The Repositories page in the dashboard now correctly supports URL search parameters again (e.g. page, query, sort_by). This makes it easier to share filtered views and ensures consistent behavior when navigating or refreshing.

The Socket Python CLI now uses SDK version 2.0.21, which fixes an issue where some attributes were unintentionally stripped during client-side deduplication. This update ensures all expected data is included in scan results.

Resolved an issue in the Socket Python CLI where scans could fail if a package had no top-level ancestors. The CLI now safely handles missing or None attributes to prevent unexpected crashes.

The Socket Python CLI now correctly handles cases where a repository is newly created and doesn't yet have a full scan. Previously, this could cause errors or missing results. The updated logic ensures consistent behavior, even when scan history is incomplete.

We’ve fixed an issue where the Repositories page was stuck showing just one page, no matter how many repositories you had. The new table now loads all data client-side, enabling proper pagination along with filtering and sorting.

This ensures large orgs can browse their repositories without hitting a hard limit.

Repository pages in the dashboard are now easier to explore, with new tabs that organize key data by category. The Alerts tab (now the default) shows a detailed table of current alerts for the repo.

The Dependencies tab pre-filters your org’s dependencies to just those used in the selected repository. And the Scans tab keeps scan results easily accessible.

It’s a faster, more organized way to dive into what matters.

The Socket Python SDK now automatically deduplicates non-typed results from Full Scans. This means alerts are grouped by package, rather than repeated across different releases—making results cleaner and easier to interpret.

The Socket Python CLI now excludes folders like __pycache__ and node_modules by default. This helps prevent duplicate results and significantly speeds up scans.

We’ve revamped the Repositories page in the dashboard to give you a clearer, more actionable view of your projects. You can now see a summary of each repository’s alert count, broken down by severity, making it easier to spot which repos need attention. The new table view also supports column sorting, inline labels (if enabled), and a cleaner layout overall.

API tokens calling the license-policy endpoint must now include the license-policy:read scope. This update also improves documentation consistency and upgrades how registry metadata is handled—while maintaining full backwards compatibility for existing integrations.

Fixed an issue where the search in the Dependencies tab didn’t filter results correctly in some cases. This was caused by a data format mismatch that broke compatibility with the table’s filtering logic. Results now filter as expected.

We resolved an issue where the original API error was being obscured due to incorrect exception handling. Errors are now surfaced clearly to help with debugging and troubleshooting.

The Socket Python SDK now correctly URL-encodes Full Scan parameters to prevent issues with special characters like #. We’ve also updated the user agent string to clearly identify the SDK as SocketSDKPython.

We’ve added dedicated support for analyzing Java imports and mapping them to their corresponding Maven artifacts. This enables more accurate detection of dead (unused) dependencies in Java SBOMs, bringing Java reachability analysis in line with other supported languages.

We’ve fixed an issue where some manifest file types were not correctly detected after switching to the Supported Files API. This was caused by a mismatch between regex and glob patterns—now properly converted to ensure accurate detection.

We've moved the Supported Files API route from v0/report/supported to v0/orgs/{slug}/supported.

We've added a fixable query option to the batch PURL endpoint, allowing you to retrieve only fixable artifact alerts. Additionally, fixable alerts now include a new alert.fix property that provides details on available fixes.

alert.fix // { type: 'cve' | 'upgrade', description: string }

This allows querying the batch PURL endpoint by fixable=true.

We've enhanced our license analysis capabilities to better handle large or complex LICENSE files. This update improves accuracy when detecting and parsing files that contain multiple licenses.

The bulk packages API endpoint (purl) now applies the requesting organization's security and license policies when making batch artifact fetch calls. This ensures policy enforcement is consistent across bulk package lookups.

We've updated the Org Dashboard to rename the Reports page to Full Scans for better clarity and consistency.

We've fixed an issue with the diff_report_url field in the Full Scan Diff API. Previously, the URL was generated using SBOM IDs, but due to an unidentified change, they were not working as expected. We've updated it to use Full Scan IDs instead, which is the preferred approach for accessing ephemeral diffs.

Additionally, we've cleaned up strict null check comments and added repo and org slugs to the response body for improved usability.

We've fixed several nullable bugs in the organization alert triage endpoints to improve reliability. This update resolves issues caused by unguarded chained lookups, ensuring more robust handling of null states.

We've added support for additional query parameters to the Full Scan List API! You can now filter scans by branch, pull_request, and commit_hash, making it easier to find the Full Scan you need. This update improves API usability and makes it easier to locate a Full Scan by commit hash in CI/CD workflows—so you can quickly retrieve the Full Scan ID and use it with the SPDX/CDX export APIs.

We've updated our API authentication to remove the unnecessary base64 (b64) encoding/decoding for Bearer tokens. Bearer tokens no longer require b64 encoding, aligning with standard practices and improving compatibility. If b64 encoding is needed, tokens will be provided with this already applied. This change ensures a smoother authentication experience, particularly for scenarios where b64 encoding is only necessary for basic authentication, not Bearer tokens.

We've resolved a bug in the Python SDK's Repos API when creating new entries. Previously, params was mistakenly treated as a class rather than a dictionary, potentially causing errors during API calls. This fix ensures params is properly recognized as a dictionary, improving stability and reliability for developers integrating with the Repos API.

We've fixed a caching bug that caused delays when scanning new Maven packages for SBOMs. Our system now properly retries fetching missing versions, reducing latency and improving accuracy when indexing Maven dependencies.

We've improved our Maven CVE resolution by addressing a class of false positives that could occur when CVEs listed multiple packages across different ecosystems.

🔍 What's Fixed?
Previously, packages like com.microsoft.azure:msal4j@1.15.1 could incorrectly match vulnerabilities intended for other ecosystems (e.g., @azure/identity@<4.2.1 from npm). Now, our platform accurately filters vulnerabilities by both ecosystem and package name, ensuring only relevant CVEs are flagged.

This update enhances accuracy in your vulnerability alerts, giving you greater confidence in your security insights.

We've improved the placement of the Export PDF (and Export CycloneDX JSON) button for a more consistent user experience. Previously, the button's location varied between the Dependencies, Overview, Org Alerts, and SBOM Report pages, causing layout shifts and confusion.

Now, the Export PDF button is always positioned in the top-right corner of the page—no more guessing where to find it! This update not only streamlines navigation but also eliminates layout shifts when the button loads.

Enjoy a smoother and more predictable dashboard experience!

We've resolved an issue in the Socket Python CLI where the absence of the manifestFiles attribute on top-level packages could cause unexpected errors.

🔍 What Was the Issue?
Some results from the diff endpoint included package entries without a manifestFiles attribute, leading to errors during CLI operations.

🚦 What's Fixed?
We've added a safeguard to check for the manifestFiles attribute before accessing it, ensuring smoother and more reliable execution.

This update enhances the robustness of the CLI, especially when working with edge cases in package metadata.

We've introduced a new compact parameter (compact=true or compact=1) to the Batch PURL and Full-Scans API endpoints. When enabled, Compact Mode streamlines API responses by stripping away most optional data and returning only the essentials—primarily the id and a few critical properties.

💡 Why use it? Ideal for high-efficiency integrations, Compact Mode helps reduce payload size, improve performance, and make API responses easier to parse and manage.

Stay tuned for Part 2, which will further refine and expand Compact Mode capabilities!

We've improved our analysis of transitive dependencies by scanning source code to determine if they are actually used. If a dependency isn’t referenced in the source, it is marked as unused, reducing unnecessary security alerts.

This enhancement helps focus alerts on dependencies that truly matter to your project.

Our Socket SIEM Connector now supports sending events directly to Microsoft Sentinel, expanding your options for integrating Socket Health report alerts into your security ecosystem. We have also updated the documentation to guide you through setup and configuration for Microsoft Sentinel. This update makes it even easier to unify your security alerts and insights across platforms—boosting visibility and response times!

We've updated the Dependency Table in the dashboard to make key information more visually intuitive and accessible:

• 🎨 Colorful Score Indicators: The overall score is now displayed as a vibrant, easy-to-read circle, helping you assess dependency health at a glance.
• 📂 Repository Names Displayed: See up to three repository names directly in the Repositories column, offering quick context without needing to dive deeper.
• 🚫 Simplified View: We've removed branch information from the table to reduce clutter—branch details are still available in the Dependency Modal.

This improvement is part of our ongoing effort to enhance the dashboard experience with small, impactful UI updates every day. Enjoy a cleaner and more insightful view of your dependencies!

Numbers in the dashboard are now shown with minimal or no abbreviations, improving clarity. Thousands are separated with a thin space (e.g., 1 966 instead of 1K), while larger values use clearer formatting (e.g., 1.2B instead of 1G).

Fixed an issue on the Dependencies page where selecting certain ecosystem filters caused an error. The filter now correctly recognizes all ecosystem names, ensuring smooth filtering.

We've introduced a new discovery_period filter to the Threat-Feed API, enabling more precise threat intelligence. This update allows you to filter threats by their discovery date, providing better control and tailored insights. Narrow down threat data to specific timeframes, streamline analysis, and focus on the most relevant security information for your needs. Enhance your threat detection and response workflows with this powerful new filter!

We've added a new include_license_details query parameter to to the streaming full_scan API endpoint. This update gives you more control over your scan performance—now you can choose whether to include detailed license information in your results.

💡 Why use it? Including license details can slow down scan results. By setting this query parameter, you can skip license details when speed matters most, giving you the flexibility to balance performance and insight. This new parameter allows you to boost your scan efficiency and tailor results to your needs.

import socketdev from '@api/socketdev';

socketdev.getOrgFullScan({
  include_license_details: 'false',
  org_slug: 'org_slug',
  full_scan_id: 'full_scan_id',
  accept: 'application/x-ndjson'
})
  .then(({ data }) => console.log(data))
  .catch(err => console.error(err));

Check out the Stream full scan documentation for more implementation details.

The search field in the dashboard alerts page now recognizes vulnerability IDs (CVE) and license IDs, making it easier to find specific alerts by pasting an ID directly into the search box.

Fixed an issue where the GitHub App was linking to maintainer pages that don’t exist for certain ecosystems. Now, only npm maintainers will have links, preventing broken links for unsupported ecosystems.

The disableCommentsAndCheckRuns setting can now be overridden in socket.yml, aligning with other GitHub App settings. This ensures expected behavior when configuring repository-specific settings.

The alert table’s search field and "Group By" selection are now dynamically reflected in the URL. This allows users to share specific table views more easily and ensures that search and grouping preferences persist when navigating.

We've fixed an issue where alert table filters were unresponsive or inconsistent while alert data was still loading. Now, filters remain interactive from the start, ensuring a smoother experience. This update also introduces search parameters for the new "Dependency Scope" and "Dependency Usage" filters.

Filter selections in the Alert Table are now dynamically reflected in the browser URL. This means:

• Filters are retained when navigating or refreshing pages.
• Saved URLs can restore a specific set of filters.
• URLs can be shared with team members, allowing them to see the same filtered view.

This update makes it easier to maintain filter selections across sessions and collaborate with your team.

The Socket API now includes new API scopes to control access to historical alert data:

• alerts:list – Required to fetch a list of historical alerts via GET /v0/orgs/:org_slug/alerts/historical
• alerts:trend – Required to fetch historical alert trend data via GET /v0/orgs/:org_slug/alerts/historical/trend

These new scopes allow API tokens to be granted permission specifically for historical alert queries, ensuring better access control and security.

We’ve introduced new public API endpoints to enable customers to access historical alert data:

• /v0/orgs/:org_slug/alerts/historical – Retrieve historical alerts
• /v0/orgs/:org_slug/alerts/historical/trend – Fetch historical alert trend data

These endpoints provide greater visibility into alert history, making it easier to analyze trends over time.

Check out the documentation for the Alerts endpoint for more details on implementation.

We've updated the filter menu to dynamically adjust its width, preventing long item names—like manifest file paths—from being truncated. Now, you can easily read full names without losing important details.

The filtering UI in the alert table now includes helpful icons, making it easier to quickly recognize and select filter options. This improvement enhances usability and aligns with modern UI best practices.

We've updated the alert table filters to use clearer, more specific names, making it easier to understand each option at a glance. Filters are now also grouped more logically, and the "Manifest File" filter will only appear when applicable. These changes enhance usability and streamline the filtering experience.

We've enhanced support for Authorization: Bearer header tokens in APIv0 and updated the documentation to clarify how org tokens can be used for authentication. This makes it easier to integrate and authenticate with our API using standard bearer tokens.

We've improved the full-scan diff endpoint to include more detailed metadata for diff artifacts and alerts. This enhancement provides better visibility into SBOM Diff Alerts, helping you analyze changes more effectively.

Check out implementation details for the endpoint in the API docs.

We've updated the page progress bar in the dashboard to use our signature pink instead of white. This change improves visibility, especially on the light theme or when the browser's own bar is white. Now, it's easier to track page loads at a glance!

Before:

After:

Resolved an issue where the alert table was incorrectly displaying "Ignored" alerts on initial load, despite the default filter being set to exclude them. The table now properly respects the default filters for "Action = Block, Warn, Monitor."

Inspecting items in the Alert Table, Dependency Table, and Threat Feed Table now opens a modal instead of a sidebar, offering a clearer and more spacious view of detailed information.

Key updates include:

• Reorganized Content: Alert modals now display details in a more intuitive order:
  1. Alert details
  2. Artifact details
  3. Installation details
     Previously nested elements now have clear headers for improved readability.
• Enhanced Triage Notes: Triage notes have been revamped with an autosave feature and a “sticky note” look and feel, making them stand out as supplementary information.

This new design resolves layout constraints, improves usability, and eliminates scrolling issues common with sidebars.

We’ve introduced a new capability to extract dependencies directly from project files using tree-sitter. This enhancement enables faster and more accurate parsing of dependencies, setting the stage for identifying unused dependencies in your project. Stay tuned as we refine this feature to help you keep your projects lean and efficient!

Alerts and license information now include links to specific locations within the relevant file using the #T URL fragment. This improvement makes it easier to pinpoint and address issues directly in your code. This functionality is supported for npm, Python, Go, Maven, and Ruby projects.

We’ve updated the layout of alert rows to improve readability. The artifact name is now left-aligned and placed next to the alert title, making descriptions like "This package" more intuitive. Additionally, the alert category is right-aligned for easier scanning across multiple rows. These changes help you quickly understand and prioritize alerts.

You can now view the Dependency Tree directly from the sidebar in the Dependencies tab, just like in the Alerts tab. This enhancement provides quick and convenient access to transitive dependency information right where you need it.

Resolved an issue where updated dependencies were not correctly identified in SBOM diffs due to a mismatch in PURL string normalization. Updated dependencies now appear accurately in your reports, ensuring consistent and reliable insights.

Dependency visualization now dynamically updates to reflect the current "Action" filter in the Alert table. Dependencies that don’t match the selected action are shown as suppressed (light gray), providing a clearer and more accurate view of your project’s dependencies.

Before (note Action filter is "Warn")

After

The search and filtering functionality on the reports page now works seamlessly across all reports, not just those visible on the current pagination page. This improvement ensures accurate results no matter how many reports are in your dashboard.

We resolved a typo in the alert type assignment that was preventing the display of the availability of package overrides. As a result, alerts for packages where a Socket Optimize Override is available are now displaying correctly. This ensures clearer visibility of actionable recommendations to improve your dependencies.

We’ve made a subtle but meaningful upgrade to the "Group By" button in the modernized alerts table.

What’s Changed:

• Before: The "Group By" button always displayed as "Group By," even after selecting a grouping option.
• After: The button now dynamically updates to reflect your selected grouping option, such as "Group by Severity" or "Group by Category."

This small yet impactful change significantly improves the user experience by making the interface more intuitive. You’ll always know exactly how your alerts are being grouped at a glance—no extra clicks required.

Example in Action:

If you select "Severity" as the grouping option, the button updates to display:
➡️ "Group by Severity"

This enhancement is all about making navigation smoother and your workflow more seamless. It’s part of our ongoing commitment to optimizing every detail for our users.

We're always working to make our platform more powerful and user-friendly. That's why we're excited to announce a new feature for our threat-feed API endpoint: the ability to sort by created_at.

With this update, you can now easily query and organize threat intelligence by the exact order of when it was created. Whether you're looking to analyze the latest threats or dive into historical data, this enhancement ensures you get the information you need

Key Benefits:

• Faster Analysis: Quickly identify the latest threats with time-based sorting.
• Simplified Workflow: Streamline your data analysis by structuring queries more effectively.
• Enhanced Visibility: Focus on the most recent or oldest data as per your needs.

For more information and implementation details, check out the API docs for the Threat Feed endpoint.

We’ve resolved several bugs affecting the full-scan diff endpoint, including issues with reversed before and after IDs and incorrect diffing against only one side.

The fix includes proper ordering of database queries and improves the accuracy and reliability of the diff functionality.

Check out the documentation for more information and implementation details for using the full scans diff endpoint.

We now use uv.lock files as the single source of truth for dependency resolution in Python projects whenever available. This approach is faster, more reliable, and streamlines the analysis process.

This update further improves support for Python projects using uv.lock files, ensuring more accurate and efficient dependency management.

We’ve added a new is_human_reviewed query parameter to the Threat Feed API.

When is_human_reviewed=true, the API will only return threats where needsHumanReview is false, providing a filtered view of threats that don’t require further human validation. If this parameter is omitted or set to false, the API will return all threats.

This update offers greater flexibility for managing and analyzing threat data based on review status.

By expanding support for uv.lock files, we’re making it easier to track dependencies and resolve issues for Python projects that adopt this format.

We're making some major improvements to our typosquatting detection capabilities. As part of that effort, we are introducing a new "AI-detected possible typosquat" alert that distinguishes AI-flagged typosquat threats from those which have undergone human review, similar to our existing AI-detected alerts for other threat types.

Typosquatting continues to be a serious attack vector, and we are evolving our detection capabilities to identify these threats faster and more reliably. This update aims to improve the clarity and accuracy of our threat detection system.

We’ve added a new ParsePipfileLock task to support dependency resolution from pipfile.lock files in Python projects using Pipenv. This parser extracts dependencies, extras, development dependencies, and environment markers, integrating directly with our Python package analysis pipeline.

This update was driven by user requests and enhances our ability to analyze and manage dependencies for Python projects leveraging Pipenv.

The PDF export feature for the organization alerts view now includes repositories and branches for each alert. This update provides more detailed insights into the source of your alerts, making it easier to track and address issues effectively.

Now you can triage organization alerts from the API! We’ve introduced alert triage API endpoints for organizations, enabling you to list and update alert triage directly from the API. These new routes make it easier to build integrations and automations around alert management, streamlining workflows and enhancing flexibility.

Check out the documentation for the Triage endpoint for implementation details.

Socket now generates "Known Malware" alerts for npm security holding packages—placeholders for packages removed from the registry due to security concerns. While these current versions are empty, this update clarifies that the original packages were likely malicious, addressing a common perception issue and improving transparency in threat detection.

We’ve enhanced the threat feed endpoint with new query parameters—name, version, and ecosystem—to give you more precise control over your results when using the API. These filters make it easier to pinpoint specific threats, aligning with the type filter functionality in findThreat.

This update to alert management gives you a better view of your SBOMs by filtering according to your security policy. It allows you to distinguish dependencies by acceptance according to your security policy.

• New "Per Security Policy" Filter: Alerts are now flagged as either flagged by your Security Policy or ignored. This filter is enabled by default, keeping your attention on actionable issues while hiding noise. Need to dive into ignored alerts? Simply toggle the filter.
• Improved Dependency Visualization: Dependencies with no problematic alerts (either zero alerts or all ignored per policy) are now treated as "good" and rendered as neutral white rectangles. This enhancement makes it easier to visualize your SBOM at a glance, highlighting areas that truly need attention.

These updates reduce distractions by moving ignored or inherited alerts out of sight for most workflows. Your security policy defines what matters—our new filter reflects fine tunes the visualizations to better reflect your priorities.

You asked, we listened: the alert sidebar now includes the ability to add notes directly while triaging alerts. This first iteration lets you document context, decisions, or next steps for each alert—keeping your workflow organized and your team on the same page. Stay tuned for more enhancements to this feature in future updates!

When searching packages on Socket.dev, you can now see the number of weekly downloads displayed alongside each package in the search results on the packages search page. This feature, currently available for the npm ecosystem, provides additional context to help you evaluate package popularity and relevance at a glance.

This update was implemented in response to user feedback—keep the great ideas coming!

We’ve given the Dashboard Reports page a much-needed visual and functional facelift to make it more intuitive, visually appealing, and on-brand. Here’s what’s new:

• Search reports by repository name, branch name, or commit message.
• Filter reports by creation date (e.g., the past X days).
• Improved table UI with cleaner visuals and more on-brand design.
• Smarter actions UI for managing reports efficiently.

This update is part of a broader initiative to improve the Socket dashboard and make it easier to manage your reports.

Filter dropdowns in the alert table now feature dynamically updating counters. As you add, remove, or update filters, these counters recalculate in real time to show the number of alerts that match your current filtering criteria.

This improvement ensures a more intuitive filtering experience, allowing you to see how each filter progressively narrows down results, helping you focus on what matters most.

This update fixes two regressions related to Maven packages:

• Fixed: Regression where Maven packages were not showing package scores. The logic changed around filtering based on purl and it didn't account for multiple artifacts (e.g., ext + classifier combos). This has been fixed by reverting to the old behavior that precomputes an exact key.
• Fixed: Regression where Maven packages would be missing if they had more than one artifact.

These fixes improve Maven package handling to be more consistent across variations in the number of artifacts.

We're improving consistency in our UI to make it easier for users to connect and interpret information across different pages.

What’s New: We've replaced alert severity badges ([C], [H], etc.) with intuitive symbols (e.g., triangle, diamond) across all UIs for a more unified experience.

• Where It Applies:
  • Organization alerts page stats
  • Alert table headers and rows
  • Alert sidebar

This update aligns the alert severity indicators with those already used elsewhere, ensuring consistency and reducing cognitive load when navigating the Socket dashboard.

We've deprecated outdated report API endpoints in favor of the newer Full Scans endpoints, which offer improved functionality and better support.

Deprecated Endpoints:

• Delete Reports: /v0/report/delete/{id}
• List Reports: /v0/report/list
• Upload Reports: /v0/report/upload
• View Reports: /v0/report/view/{id}

Transitioning to the updated endpoints ensures you're using the latest and greatest tools from Socket in your workflows. Check out the Full Scans API documentation for more details on the new endpoints.

This update adds a license policy settings endpoint for our customers who want to change these settings from the API. It allows organizations to view and edit the license policy.

https://api.socket.dev/v0/orgs/{org_slug}/settings/license-policy

Check out the license policy API docs for implementation details.

Capability alerts now display the specific files associated with the potential risks, such as file system access or dynamic code execution.

By linking alerts to their exact file locations, we’re addressing a key customer request—making it easier to investigate and act on capability alerts. This update makes it easier to pinpoint the exact parts of the code responsible for generating capability alerts, enabling faster and more targeted investigations.

We're excited to announce that the latest version of our Web Extension includes full support for Go, showing threats and security metrics for Go packages as you visit websites.

Here's what's new:

• Added support for https://pkg.go.dev and external links to modules
• Added support for got get|install commands
• Added support for Go PURLs (e.g. pkg:golang/google.golang.org/genproto)

If you're not yet using the Socket Web Extension, install it on Chrome or Firefox to get real-time threat detection on any website (i.e. GitHub, npm, PyPI, Maven Central, pkg.go.dev, Stack Overflow) or configure it for specific sites.

We're making some UI/UX improvements to the experience of filtering data tables in the Socket dashboard that will enhance usability, ensure consistency across dashboard components, and provide a cleaner, more intuitive interface for users.

This update includes:

• Boolean Filter Improvements
  • Replaced the non-functional search input with a static label for filters that only offer boolean options (True/False), ensuring better usability.
• Filter Icon Addition
  • Added a filter icon to the left side of horizontal selection lists to enhance visual consistency with the existing "Filters" button.

These changes improve navigation and reduce visual clutter, laying the groundwork for future UI/UX enhancements. Stay tuned for more updates that will make Socket data tables easier to filter and navigate.

We’re excited to introduce the latest enhancements to Socket Optimize. Our new --pin option allows you to lock override versions effortlessly, ensuring consistent and reliable dependency management. With the --prod flag, you can now target production dependencies exclusively, streamlining your deployment process.

We've significantly improved workspace support for seamless multi-package handling, implemented more intuitive and helpful error messages to make troubleshooting a breeze, and upgraded all packages to fully support Node.js 18 and above.

New options:

—pin: pin override versions

—prod: overrides for prod deps only

Improved:

• better workspaces support

• helpful error messages

• all packages support Node 18+

We’re excited to unveil a significant performance improvement in Socket’s organization alerts and recently viewed reports! With this update, organization alerts are now cached on the client side for 15 minutes. This enhancement dramatically reduces server load and speeds up report page refreshes, ensuring that recently viewed reports and organization alerts load instantly.

Whether you're managing multiple tabs or navigating through extensive data, enjoy a smoother and more responsive user experience with our optimized caching solution. This update adds a ServiceWorker cache for alerts endpoints.

The package for the Socket CLI is has officially been renamed to socket. Formerly available at @socketsecurity/cli, the CLI has moved to its new, more memorable namespace on npm: https://www.npmjs.com/package/socket

This change simplifies how you install our CLI tool but does not impact any of the commands. We will soon be deprecating the old package.

Some of our customers have requested the ability to set access security policy settings via the API. This update delivers API endpoints for org security policies:

• What’s New: GET and POST routes at /orgs/{org_slug}/settings/security-policy, mirroring the functionality of our website UI.

This works the same as it does for the website UI. Explore the API documentation for implementation details.

We have enhanced the "Native Code" alert to support multiple ecosystems beyond npm. Previously limited to detecting binding.gyp files for native add-ons in npm packages, the alert now scans for prebuilt binaries and ecosystem-specific files across various programming languages.

This update adds support for Yarn's "resolutions" field, which allows you to override the resolutions of specific dependencies. The field is frequently used to instruct Yarn to use a specific package version in cases where you want to enforce all your packages to use a single version of a dependency, or backport a fix.

For more information on the specifics of our Yarn support, check out the updated documentation.

This update to our Full Scans API gives users more data from various repository integrations and significantly improves repository management in the dashboard. It offers a more complete picture of how your organization is interacting with Socket and makes it easier to perform certain actions within the dashboard UI:

• API: Full Scans API now supports API, GitHub, GitLab, BitBucket and Azure metadata fields when viewed in the Socket dashboard.
• Repositories created by the GitHub app can now be deleted from the Organization Dashboard.
• Improved naming rules around Repositories and branch names associated with full scans.
• Full scan committer count is included in the dashboard overview metrics.
• Support for more Organization overview metrics for organizations without a GitHub integration.
• API: Full scans created by the API no longer require a branch name.

Check out the Full Scans API docs for more information on interacting with our API.

Organization "members" can now view the security policy page of their organization in a read-only format. This update ensures that all full members (users with "contributor" level access are excluded) of an organization can stay informed about the configured alert actions without compromising the integrity of the policy through unauthorized edits. As before, only organization administrators and owners can change the configured default security policy and alert actions.

We made some major improvements to our web extension based on user feedback. The UI has been polished to provide a more intuitive and user-friendly experience, making it easier to navigate security metrics while browsing the web.

This update includes the following bug fixes and enhancements:

• Filtered invalid package names in order to reduce unnecessary API calls
• Improved style robustness and reduce risks of it being overloaded by CSS resets
• Added reset button to popup to reset stats
• Handled Gem PURL enhancements
• Fixed a regression where SPA and links to package weren't handled correctly (e.g. https://www.npmjs.com/package/express clicking on Dependents tab doesn't scan packages listed but it should)
• Refactored into multiple files as the main file was starting to get too big and to prepare for more features
• Fixed popover position on https://rubygems.org/search?query=rails

Check out the Socket Web Extension docs for more details on its capabilities and permissions. We also have a guide for organizations that are interested in deploying the the extension via Google Workspace.

We're pleased to add support for Jenkins Jobs to our CI/D integrations. This new feature allows you to incorporate Socket’s powerful security and automation capabilities directly into your Jenkins workflows, ensuring that your builds are not only efficient but also secure from potential threats.

With Socket for Jenkins Jobs, developers and DevOps teams can now automate security checks, monitor build processes, and enforce compliance standards effortlessly. Whether you're running complex deployments or managing multiple projects, this integration simplifies your workflow.

To get started and learn more about setting up Jenkins Jobs with Socket, visit our official documentation.

• Added support for from_time for the report.list() function which supports a unix timestamp in seconds
• Added support to specify the timeout for Socket API Calls in timeout for socketdev
• Updated the README.rst to include fixed examples for the initialization. Now properly reads socket = socketdev(token="REPLACE_ME")
• Updated the sbom API to include the new function sbom.create_packages_dict() to be used with other Socket tools
• Updated import statements to use socket_sdk_python in preparation for publishing to pypi
• Added a build script for publishing to pypi
• Added pyproject.toml for publishing to pypi which is replacing setup.cfg
• Pushed version 1.0.9

Socket Python SDK can be found at:

• https://pypi.org/project/socket-sdk-python/
• https://github.com/SocketDev/socket-sdk-python

This update adds a command to get the Socket threat feed in the CLI:

socket threat-feed

The following flags are available:

• --perPage
• --page
• --direction
• --filter

The output can also be returned as a JSON object with the --json flag.

• The GitHub app now generates full-scan resources for all scans triggered by push events.
• Dependency scans run by the GitHub app are now accessible through the full_scans API endpoint.
• The API returns a paginated list of all full scans for an organization, excluding SBOM artifacts.

This update enhances integration with the GitHub app by providing complete scan data through the full_scans API.

Check out the documentation for details on how to retrieve a paginated list of full scans using the full_scans API endpoint, including parameters, responses, and examples for integration.

We’re excited to announce that Ruby support is now available in Experimental! This release brings fully functional core alerts and Ruby gem security scanning for your Ruby projects

We're still working through some bugs with package pages in this initial release but should have those resolved soon.

Socket is introducing dashboard analytics, a feature that has frequently been requested by our users. It shows graphs for analytics at both the organization and repository levels, including the following:

• Total number of critical and high alerts found in the main branches across the repositories
• Total number of critical and high alerts that have been merged to the default branches on a given day
• Total number of alerts prevented from being merged to the default branches
• Top 5 alert types across the organization

Data is ingested once per day and filters are available to display the data ingested in the last 7, 30 and 90 days. The data can also be exported as CSV or JSON.

Check out the announcement on the blog for more details.

• Fix for slow times when finding files in large mono repos with greater than 100k files
• Fix for too long errors for some dependency overviews
• Fix for making determinations on if the CLI should run based on files changed in the commit info

Python CLI can be found at:

• https://pypi.org/project/socketsecurity/
• https://github.com/SocketDev/socket-python-cli

We updated our API to support the use of a from query filter for the audit-log endpoint in the format of a unix epoc in seconds. It enables support for customer integrations that allow the Audit log to run on an interval and only get the latest updates.

By using this query filter, customers can efficiently retrieve only the most recent audit log entries, saving time and resources.

Socket is launching a new "Suspicious Stars on GitHub" alert today, based on research that uncovers a growing trend of bad actors paying for stars in order to artificially inflate the popularity of their repositories on GitHub.

Over the past five years, we have detected more than 3.7 million fake GitHub stars. Repos leveraging these stars have been linked with scams, fraud, and malware. Socket now flags packages that are associated with these repositories.

Suspicious Stars on GitHub is a high-severity alert under the supply chain category, due to its potential for malicious activity. This alert gives users more visibility into the legitimacy of a software package’s star count, and flags those that may have been artificially inflated stars from bots, crowdsourcing, or other means.

Check out the alert documentation and read the announcement post for a detailed analysis of the research that surfaced 3.7 million fake GitHub stars.

• Added support for the web event for Gitlab
• Changed the behavior for Gitlab to not error out on unknown event types

Python CLI can be found at:

• https://pypi.org/project/socketsecurity/
• https://github.com/SocketDev/socket-python-cli

Socket is introducing three new customizable default security policies that should simplify configuration for many of our customers. They are based on extensive customer feedback and research and are aimed at reducing alert noise and managing false positives more effectively. We're also enabling several new alert types that were previously disabled.

New default security policies

• Low Noise (traditional SCA)
• Default (ideal for most customers
• Higher Noise (for more engaged teams.)

These policies are based on recent enhancements to our alert system:

• Block (formerly "Error"): Fails the Socket CI/CD check, blocking Pull Requests (PRs) or Merge Requests (MRs) until resolved.
• Warn: Highlights issues in PRs/MRs without blocking them, allowing for context-specific decisions.
• Monitor: Displays alerts in the Socket Dashboard for evaluation without cluttering the development workflow.
• Ignore: Filters out irrelevant alerts entirely.
  

Timeline for Enabling the New Security Policies

Transition Period (August 14 - August 28, 2024): Review changes and lock in your preferences.

New Policies Take Effect (From August 28, 2024): Unless you've locked in specific settings, your policy will automatically update to the new default policy on this date. You will also gain the ability to switch between the three new policy options and continue fine-tuning your settings.

Check out the blog announcement for more details on the timeline, along with a detailed breakdown of how specific alerts are handled in the new policies.

We are disabling the "mixed-license" alert, as our "license allow list" feature will soon be available to use instead.

The larger and more developed packages frequently found in a project's dependencies are almost certainly going to have what is technically mixed licensing (the terms of more than one license apply) so the alert can potentially be noisy for some users. However, users taking advantage of our license allow list feature do not need to be notified of mixed licensing if it doesn't violate their specified license policy.

Our License Enforcement feature is still in pre-release but customers who want early access can reach out to support@socket.dev.

The Socket web extension has been completely revamped. This update improves security and expands support to PyPI, Go, and Maven ecosystems, with more to come!

The new version protects against malicious packages and commands from any website (GitHub, StackOverflow, blogs, docs, etc.), which can be configured in the settings. Socket's real-time threat detection can be displayed on any website you choose to enable.

The updated extension also displays metrics on how many threats Socket has detected. All of these new features come packaged in a reduced size with lower memory usage and faster execution. (1500x smaller, only ~0.02MB)

• Announcement: https://socket.dev/blog/new-socket-web-extension-take-socket-with-you
• Docs and new permissions: https://docs.socket.dev/docs/socket-chrome-extension-permissions-documentation
• Chrome Web Store: https://chromewebstore.google.com/detail/socket-security/jbcobpbfgkhmjfpjjepkcocalmpkiaop
• Firefox Add-ons: https://addons.mozilla.org/en-US/firefox/addon/socket-security

Socket now supports exporting your organization's dependencies as a PDF, using a new button in the dashboard.

Once license information is included, a PDF export of one's org dependencies is a great permanent record for book-keeping purposes. As of-now, it also makes it easy to share a document of ones org dependencies.

We've added the ability to export various views from your organization's dashboard pages as PDF files. Specifically:

• Dependency Overview: You can now save a PDF with a comprehensive, shareable overview of all your organization's dependencies (including package names, versions, types, and overall scores)
• Alert Table Export: Save the current view of the alert table, reflecting the applied filters and ordering. Note: The export is available for views with up to 2,500 alerts.
• Last but not least, you can save a PDF of your organization's overview statistics, repositories, and a sample of the threat feed.

To use: Look for new button with PDF icon on your organization's dashboard pages.

• Added additional debug logging
• Simplified the find_files functionality to improve performance
• Fixed logic for ignoring alerts, diff logic of alerts, and consolidation of alerts in comments
• Added full scan ID to the output results

Python CLI can be found at:

• https://pypi.org/project/socketsecurity/
• https://github.com/SocketDev/socket-python-cli

• Fixed an issue with security comments not being consolidated to their main package purl
• Fixed an issue with dependency overview comments not being consolidated to their main package purl
• Fixed logic for diffing new alerts from current latest full scan for the default branch
• Fixed ignore comment logic for correctly removing alerts based on the ignore comment
• Added support to thumbsup processed ignore comments

Python CLI can be found at:

• https://pypi.org/project/socketsecurity/
• https://github.com/SocketDev/socket-python-cli

This resolves an issue where no comments end up on a PR if a commit is pushed and completes its action before a PR is created.

• Added support for the pull_request event on Github.
• This event type will now run on the `opened` state to handle if a commit had been pushed, and the action completed, before a PR completes.

Python CLI can be found at:

• https://pypi.org/project/socketsecurity/
• https://github.com/SocketDev/socket-python-cli

We’re excited to announce that Maven support is now available in Public Beta! This means that it is feature complete, stable, and rolled out to all users.

With this update, Socket will automatically scan any project that includes a Maven manifest, providing comprehensive vulnerability data and dependency analyses. Whether you're managing Java applications or other Maven-based projects, you can now stay ahead of potential threats with Socket's real-time security alerts.

• Adds support for Security Policy Modes Block & Warn
  Note: The Python CLI does not currently support individually triaged alerts
• Comments have been updated to have a new column in Github and Gitlab Comments with the new version to indicate Block/Warn
• The console output will include the CI Status of Block/Warn as well
• New option --ignore-commit-files to look for all manifest files whether or not there is one in the last commit detected
• Updated docker containers of socketdev/cli:1.0.0 and socketdev/cli:latest have been pushed

Example Console Output

Example PR Comment Output:

For those using the Socket full-scan API, we now include a from and repo fields for the v0/report/list endpoint that filters the results based on a unix timestamp.

Here are the new fields with specific notes on how to use them:

• Added a from querystring filter to the GET /report/list endpoint. The field accepts a unix timestamp in seconds and filters the report list from that date.
• Added a repo querystring filter to the GET /report/list endpoint. The field filters the results by a repo slug.
• Added a from querystring filter to the GET /orgs/{org_slug}/full-scans endpoint. The field accepts a unix timestamp in seconds and filters the report list from that date.
• Added a repo querystring filter to the GET /orgs/{org_slug}/full-scans endpoint. The field filters the results by a repo slug.

Yarn's dependency resolution algorithm varies from yarn versions and scenario. Without a node_modules folder as a source of truth we opted for implementing an alternative module resolution algorithm for yarn. We start by mapping the package.json dependencies to those found in the yarn lock file, then traverse the lock file dependencies to generate an npm v1 lockfile which we use as the reference to resolve modules.

The Socket API now supports a new licenseattrib option for the /v0/purl endpoint which includes license attribution data, including license text and author information in the endpoint response.

This update fixes an accidental quadratic loop in the GitHub file ingest. It enables GitHub app reports to run to completion, even when we are unable to ingest the full set of manifest files from GitHub. This helps larger repositories from timing out. Reports under these circumstances previously aborted.

Socket now supports the Unmaintained alert for Maven packages. This alert applies to packages that have not been updated in more than 5 years and may be unmaintained.

This update adds a badge with the estimated count of packages with the respective alert to the alerts/[alertType]/packages pages. We already expose this information indirectly via the pagination component at the bottom but this gives offers a quick glimpse into the frequency of our various alert types. It gives a sense of how common a given alert is, which can be helpful when configuring one's security policy.

Socket now supports the Deprecated alert for PyPI packages. It detects packages that have officially been yanked where developers have marked a package as deprecated by specifying the yanked attribute in the release metadata. This indicates that the release should not be used, but it doesn't delete it from the index. This approach helps inform users that they should avoid using a particular version of a package while maintaining historical records.

There's a new API endpoint to export a CycloneDX SBOM from a SocketSBOM report id or full scan id:

curl --request GET \
     --url https://api.socket.dev/v0/orgs/{org_slug}/export/cdx/{id} \
     --user '<api_key>_api:' \
     --header 'accept: application/json'

Check out the Export CycloneDX SBOM docs for more information on how to use this endpoint.

This update makes each dependency's name a clickable link on the dependencies tables.

Socket now supports deleting repositories in the dashboard. The new delete button is available to admins and owners:

• The delete button only works on repos created with the API on the repositories resource.
• GitHub repos you can delete by de-activating the permissions on the gitHub app.
• This also fixes the 404 state on the repos list page.
• This also fixes 404s when viewing a report thats associated with a deleted repo.
• It also allows deleted repositories to share the slug of a recreated repository with the same slug.

Search for any dependency that is being used in your organization

This update implements a command to get an organization's audit log.

Demo:

Implements commands to view, list, create, update, and delete an organization's repositories

This update implements the full scans feature of the API in the CLI with the command socket scan.

Options:

• list
  • <org slug>. e.g. socket scan list FakeOrg
• stream
  • <org slug> <full scan ID>. e.g. socket scan stream FakeOrg 1234-oooo-5678-aaaa or
  • <org slug> <full scan ID> <path to output file. e.g. socket scan stream FakeOrg 1234-oooo-5678-aaaa ./output.txt
• create
  • <org slug>. e.g. socket scan create FakeOrg <flags>
• delete
  • <org slug> <full scan ID>. e.g. socket scan del FakeOrg 1234-oooo-5678-aaaa
• metadata
  • <org slug> <full scan ID>. e.g. socket scan metadata FakeOrg 1234-oooo-5678-aaaa

• adds human-readable label for alert triage action
• ensures event type shows up in audit log select box

Socket for GitHub now allows users to filter alerts by alert triage

Implements an audit log endpoint that matches Socket's dashboard features

This adds two api endpoints /license-details and /license-attrib for getting an artifact's license information and license attribution information respectively.

It also updates the license panel to only take a purl argument, with the data and attribution being fetched from the API.