July 8
You can now upload gradle.lockfile files directly to Socket! This means Gradle projects no longer need to generate a CycloneDX SBOM to take advantage of Socket’s deep dependency analysis.
Using gradle.lockfile gives you more reproducible builds and improves protection against dependency hijacking—no more risk of a transitive dependency quietly changing under your nose.
If you're not using lockfiles yet, now’s a great time to start. Add this to your build script (build.gradle or build.gradle.kts):
dependencyLocking.lockAllConfigurations()
Then run:
./gradlew dependencies --write-locks
…and commit the generated gradle.lockfile to your repo.
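To see what a committed lockfile actually pins, and what a "quietly changed" transitive dependency looks like when the file is diffed in review, here is a small parser and comparer for the gradle.lockfile format. This is an added example, not Socket's or Gradle's code; the two lockfile snapshots and their coordinates are constructed for illustration.

```python
# Added example (not Socket's or Gradle's code): parse two gradle.lockfile
# snapshots and report every dependency whose resolved version changed, plus
# additions and removals. A version change in a line you did not edit yourself
# is exactly the transitive drift that dependency locking makes visible.
# Both lockfile texts below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOCKFILE_BEFORE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-core:2.15.2=compileClasspath,runtimeClasspath
com.fasterxml.jackson.core:jackson-databind:2.15.2=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:2.0.9=compileClasspath,runtimeClasspath
empty=annotationProcessor
"""

LOCKFILE_AFTER = """\
# This is a Gradle generated file for dependency locking.
com.fasterxml.jackson.core:jackson-core:2.15.2=compileClasspath,runtimeClasspath
com.fasterxml.jackson.core:jackson-databind:2.16.1=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:2.0.9=compileClasspath,runtimeClasspath
com.example:newlib:1.0.0=runtimeClasspath
empty=annotationProcessor
"""


@dataclass(frozen=True)
class Locked:
    group: str
    name: str
    version: str
    configurations: Tuple[str, ...]


def parse_lockfile(text: str) -> Dict[str, Locked]:
    """Map 'group:name' -> Locked entry.

    Each non-comment line is 'group:name:version=config1,config2'.
    The special 'empty=<configs>' line lists configurations that resolved
    to nothing and carries no dependency, so it is skipped.
    """
    entries: Dict[str, Locked] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        coords, _, configs = line.partition("=")
        if coords == "empty":
            continue
        parts = coords.split(":")
        if len(parts) != 3:
            raise ValueError(f"unexpected lockfile line: {raw!r}")
        group, name, version = parts
        entries[f"{group}:{name}"] = Locked(
            group, name, version, tuple(configs.split(","))
        )
    return entries


def diff_lockfiles(before: str, after: str) -> Dict[str, List[str]]:
    """Return changed/added/removed coordinates between two lockfile texts."""
    old, new = parse_lockfile(before), parse_lockfile(after)
    changed = [
        f"{key}: {old[key].version} -> {new[key].version}"
        for key in sorted(old.keys() & new.keys())
        if old[key].version != new[key].version
    ]
    added = [f"{key}:{new[key].version}" for key in sorted(new.keys() - old.keys())]
    removed = [f"{key}:{old[key].version}" for key in sorted(old.keys() - new.keys())]
    return {"changed": changed, "added": added, "removed": removed}


if __name__ == "__main__":
    for kind, items in diff_lockfiles(LOCKFILE_BEFORE, LOCKFILE_AFTER).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run against the two embedded snapshots it reports jackson-databind moving from 2.15.2 to 2.16.1 and com.example:newlib appearing; in a real review the same output on a lockfile you did not intend to touch is the signal to stop and ask why the resolution changed.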
July 8
We've added CISA Known Exploited Vulnerabilities (KEV) data to the alert modal in the Socket Dashboard.
What’s new:
This helps you prioritize the most dangerous issues faster by identifying alerts tied to real-world exploitation.
July 4
What’s new:
- Support for the api event type in GitLab pipelines, preventing CLI errors when triggered via API events.
- A --license-file-name option to set the license output file name explicitly (e.g. license_output.json) instead of relying on auto-generated names from repo/branch, which could sometimes produce invalid paths.
This update improves both stability and flexibility when running Socket in GitLab CI environments.
July 3
Socket now provides comprehensive SBOM generation for Rust projects using Cargo.toml and Cargo.lock, bringing the Rust ecosystem to feature parity with npm, PyPI, Maven, NuGet, and RubyGems in our security pipeline.
What this means:
- Cargo.toml and Cargo.lock files
This is another step towards expanding our ecosystem coverage to include Rust.
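For readers who want to see what an SBOM generator pulls out of a Cargo.lock, here is an added example (not Socket's code) that reads the lockfile's [[package]] tables into SBOM-style components and flags the two things a reviewer usually wants surfaced first: crates that do not come from the crates.io registry, and registry crates that carry no checksum. The lockfile text, crate names, checksum and git URL are all constructed for illustration, and the parser covers only the TOML subset a Cargo.lock uses.

```python
# Added example (not Socket's code): extract SBOM-style components from a
# Cargo.lock and flag entries that deserve a closer look. The lockfile below is
# constructed; the checksum and git URL are placeholders, not real values.
# The parser handles only the Cargo.lock subset of TOML: a top-level
# 'version = N', then [[package]] tables with string values and one string
# array ('dependencies').
from typing import Dict, List, Optional

CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"

CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "serde",
 "tinyvec",
]

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
dependencies = [
 "serde_derive",
]

[[package]]
name = "serde_derive"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tinyvec"
version = "1.6.0"
source = "git+https://git.example.com/tinyvec?rev=0000000#0000000"
"""


def parse_cargo_lock(text: str) -> List[Dict[str, object]]:
    """Return one dict per [[package]] table, in file order."""
    packages: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    array_key: Optional[str] = None  # set while inside 'key = [ ... ]'
    for raw in text.splitlines():
        line = raw.strip()
        if array_key is not None and current is not None:
            if line == "]":
                array_key = None
            elif line:
                # entries look like  "serde",  (optionally with a version suffix)
                current[array_key].append(line.rstrip(",").strip('"'))
            continue
        if not line or line.startswith("#"):
            continue
        if line == "[[package]]":
            current = {"dependencies": []}
            packages.append(current)
            continue
        if current is None:
            continue  # top-level keys such as 'version = 3'
        key, _, value = line.partition(" = ")
        if value == "[":
            array_key = key
            current[key] = []
        elif value == "[]":
            current[key] = []
        else:
            current[key] = value.strip('"')
    return packages


def review_components(packages: List[Dict[str, object]]) -> List[str]:
    """Flag non-registry sources and registry crates lacking a checksum."""
    findings: List[str] = []
    for pkg in packages:
        purl = f"pkg:cargo/{pkg['name']}@{pkg['version']}"
        source = pkg.get("source")
        if source is None:
            continue  # workspace/path member: built from this repo, not fetched
        if source != CRATES_IO:
            findings.append(f"{purl}: non-registry source {source}")
        elif "checksum" not in pkg:
            findings.append(f"{purl}: registry crate without checksum")
    return findings


if __name__ == "__main__":
    for finding in review_components(parse_cargo_lock(CARGO_LOCK)):
        print(finding)
```

Package URLs of the form pkg:cargo/name@version are what a CycloneDX or SPDX component would carry; the two findings the sample produces (a git-sourced crate and a registry crate with no checksum) are the cases where the lockfile alone cannot vouch for what was fetched.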
July 3
We’ve rolled out a refreshed design for the SBOM Report Page across all scan types, including Diff Scan, Full Scan, and Diff Report, bringing a cleaner layout and improved usability.
What’s new:
This is part of our ongoing effort to enhance the dashboard experience as part of the PR Stories initiative.
July 1
The Socket Python CLI no longer exits with an error code when a diff report contains only warn-level alerts.
Before:
Even if there were no error-level alerts, the CLI returned exit code 5, which could incorrectly signal failure in scripts or CI pipelines.
Now:
The CLI returns exit code 0 for warn-only diff reports, as expected.
This fix ensures that non-critical warnings don’t break your workflows.
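If you gate a pipeline on the CLI's exit status, it helps to be explicit about which alert levels should fail the job. The following is an added example, not the Socket CLI's code: exit_code_before() reproduces the behaviour the fix removed (any alert at all fails the job), exit_code_after() fails only on error-level alerts, and a fail_on parameter lets a stricter team opt back in to failing on warnings. The report documents, their alert types and package names are constructed, and the "level" field name is an assumption; the exit code 5 is the value the changelog cites.

```python
# Added example (not Socket's code): map a diff report's alert levels to a CI
# exit status. The report documents below are constructed; the "level" field
# name is assumed. ERROR_EXIT is the exit code the changelog cites.
import json
from typing import Dict, Iterable

ERROR_EXIT = 5

WARN_ONLY_REPORT = json.loads("""
{
  "alerts": [
    {"type": "deprecated",    "level": "warn", "package": "example-a@1.2.0"},
    {"type": "unmaintained",  "level": "warn", "package": "example-b@0.9.1"}
  ]
}
""")

REPORT_WITH_ERROR = json.loads("""
{
  "alerts": [
    {"type": "deprecated",       "level": "warn",  "package": "example-a@1.2.0"},
    {"type": "installScripts",   "level": "error", "package": "example-c@3.0.0"}
  ]
}
""")


def summarize(report: dict) -> Dict[str, int]:
    """Count alerts per level, e.g. {'warn': 2}."""
    counts: Dict[str, int] = {}
    for alert in report["alerts"]:
        counts[alert["level"]] = counts.get(alert["level"], 0) + 1
    return counts


def exit_code_before(report: dict) -> int:
    """The pre-fix behaviour: any alert, whatever its level, returns 5."""
    return ERROR_EXIT if report["alerts"] else 0


def exit_code_after(report: dict, fail_on: Iterable[str] = ("error",)) -> int:
    """Return 5 only if an alert's level is in fail_on, otherwise 0.

    With the default fail_on a warn-only report exits 0; pass
    fail_on=("error", "warn") to make warnings fail the job as well.
    """
    present = {alert["level"] for alert in report["alerts"]}
    return ERROR_EXIT if present & set(fail_on) else 0


if __name__ == "__main__":
    for name, report in (("warn-only", WARN_ONLY_REPORT), ("with-error", REPORT_WITH_ERROR)):
        print(name, summarize(report),
              "before:", exit_code_before(report),
              "after:", exit_code_after(report),
              "strict:", exit_code_after(report, fail_on=("error", "warn")))
```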
June 26
You can now access diff scans directly using their unique Diff Scan ID on the Socket Dashboard.
What’s new:
This update makes it easier to track and share diff scans as standalone resources, with no need to reconstruct them from their full scans.
June 26
We’ve improved the behavior of the pink dot indicator on the Socket dashboard! Previously, it stuck around for 48 hours after a changelog item was posted, whether you'd seen it or not.
Now, the dot disappears as soon as you open the Help & Info popover, signaling you've "read" the latest updates. No more lingering alerts once you're caught up.
June 25
We’ve added a new /alert-types API endpoint that returns detailed information for a given alert identifier, including support for multiple languages.
This fills a key gap in the API: previously, some alert metadata wasn’t available outside the UI. Now, you can fetch that context programmatically, streamlining integrations and reducing scan payload sizes.
For more information and implementation details, check out the Alert Types documentation.
June 24
The Socket Python CLI now correctly generates license attributions again. A recent change in how license data is structured, alongside a new diff endpoint, had caused errors during generation.
This update:
- license_text with licenseDetails and licenseAttrib
Everything should now work as expected when pulling license metadata via the CLI.