What's new at Socket?

You can now upload gradle.lockfile files directly to Socket! This means Gradle projects no longer need to generate a CycloneDX SBOM to take advantage of Socket’s deep dependency analysis.

Using gradle.lockfile gives you more reproducible builds and improves protection against dependency hijacking—no more risk of a transitive dependency quietly changing under your nose.

If you're not using lockfiles yet, now’s a great time to start:

dependencyLocking.lockAllConfigurations()

Then run:

./gradlew dependencies --write-locks

…and commit the generated gradle.lockfile to your repo.

We've added CISA Known Exploited Vulnerabilities (KEV) data to the alert modal in the Socket Dashboard.

What’s new:

• A dedicated “Known Exploits” section appears when relevant, highlighting vulnerabilities actively exploited in the wild
• Quick access to critical context from CISA’s KEV catalog, surfaced directly in-package alerts

This helps you prioritize the most dangerous issues faster by identifying alerts tied to real-world exploitation.

What’s new:

• Added support for the api event type in GitLab pipelines, preventing CLI errors when triggered via API events.
• Introduced a new CLI flag: --license-file-name
  This allows you to specify a safe, static output filename (defaults to license_output.json) instead of relying on auto-generated names from repo/branch, which could sometimes produce invalid paths.

This update improves both stability and flexibility when running Socket in GitLab CI environments.

Socket now provides comprehensive SBOM generation for Rust projects using Cargo.toml and Cargo.lock, bringing the Rust ecosystem to feature parity with npm, PyPI, Maven, NuGet, and RubyGems in our security pipeline.

What this means:

• Complete parsing of both Cargo.toml and Cargo.lock files
• Accurate dependency graphs and security insights for Rust codebases
• Broader multi-ecosystem coverage for modern software teams

This is another step towards expanding our ecosystem coverage to include Rust.

We’ve rolled out a refreshed design for the SBOM Report Page across all scan types, including Diff Scan, Full Scan, and Diff Report, bringing a cleaner layout and improved usability.

What’s new:

• Simplified headers with just the essentials: repository, PR, and timestamp
• Removed redundant info (like duplicate "Manifests" and UUID-heavy scan IDs)
• Smarter layout to reduce vertical clutter and highlight what matters most
• Updated Insights panel and control buttons for easier access
• Bug handling improvements: gracefully hides missing branch badges instead of showing broken UI

This is part of our ongoing effort to enhance the dashboard experience as part of the PR Stories initiative.

The Socket Python CLI no longer exits with an error code when a diff report contains only warn-level alerts.

Before:
Even if there were no error-level alerts, the CLI returned exit code 5, which could incorrectly signal failure in scripts or CI pipelines.

Now:
The CLI returns exit code 0 for warn-only diff reports, as expected.

This fix ensures that non-critical warnings don’t break your workflows.

You can now access diff scans directly using their unique Diff Scan ID on the Socket Dashboard.

What’s new:

• A dedicated page for viewing diff scans by ID
• Reuses existing scan views, now powered by stored multi-SBOM data
• Updated internal URLs across the API and GitHub app to link to this new route

This update makes it easier to track and share diff scans as standalone resources, with no need to reconstruct them from their full scans.

We’ve improved the behavior of the pink dot indicator on the Socket dashboard! Previously, it stuck around for 48 hours after a changelog item was posted, whether you'd seen it or not.

Now, the dot disappears as soon as you open the Help & Info popover, signaling you've "read" the latest updates. No more lingering alerts once you're caught up.

We’ve added a new /alert-types API endpoint that returns detailed information for a given alert identifier, including support for multiple languages.

This fills a key gap in the API: previously, some alert metadata wasn’t available outside the UI. Now, you can fetch that context programmatically, streamlining integrations and reducing scan payload sizes.

For more information and implementation details, check out the Alert Types documentation.

The Socket Python CLI now correctly generates license attributions again. A recent change in how license data is structured, alongside a new diff endpoint, had caused errors during generation.

This update:

• Switches to the batch PURL endpoint to fetch license details
• Replaces license_text with licenseDetails and licenseAttrib

Everything should now work as expected when pulling license metadata via the CLI.