
Changelog

What's new at Socket?

July 8

Introducing Native Gradle Lockfile Support

Native Gradle Lockfile Support in Socket

You can now upload gradle.lockfile files directly to Socket! This means Gradle projects no longer need to generate a CycloneDX SBOM to take advantage of Socket’s deep dependency analysis.

Using gradle.lockfile gives you more reproducible builds and improves protection against dependency hijacking: with every direct and transitive version pinned, a transitive dependency can no longer quietly change under your nose.

If you're not using lockfiles yet, now’s a great time to start. Add the following to your build.gradle:

dependencyLocking.lockAllConfigurations()

Then run:

./gradlew dependencies --write-locks

…and commit the generated gradle.lockfile to your repo.
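As an added example (this is not code from Socket or the Socket CLI), the Python script below parses two Gradle lockfiles and reports which pinned coordinates were added, removed, or re-pinned to another version between them. The line format is Gradle's own; the two lockfile contents are constructed sample data. Reviewing such a report whenever gradle.lockfile changes in a pull request is what makes a transitive dependency that "quietly changed" visible instead of silent.

```python
"""Detect dependency drift between two Gradle lockfiles (added example, not Socket's code).

Gradle's lockfile format: one "group:artifact:version=config1,config2" entry per
line, '#' comment lines, and a trailing "empty=<configs>" line listing
configurations that resolved to nothing.  Both lockfiles below are constructed.
"""

from typing import Dict, List, Tuple

# module ("group:artifact") -> {configuration -> locked version}.  Pins are kept
# per configuration because Gradle may lock a module to different versions in,
# say, compileClasspath and runtimeClasspath, and both lines share one lockfile.
LockState = Dict[str, Dict[str, str]]
Pin = Tuple[str, str]  # (module, configuration)

# Constructed "before" lockfile, as committed to the repo.
OLD_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-databind:2.15.2=compileClasspath,runtimeClasspath
org.apache.commons:commons-lang3:3.12.0=compileClasspath,runtimeClasspath
org.slf4j:slf4j-api:2.0.7=runtimeClasspath
empty=annotationProcessor
"""

# Constructed "after" lockfile, as regenerated by `./gradlew dependencies --write-locks`:
# jackson-databind moved to a new version, slf4j-api vanished, helper appeared.
NEW_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.fasterxml.jackson.core:jackson-databind:2.15.3=compileClasspath,runtimeClasspath
org.apache.commons:commons-lang3:3.12.0=compileClasspath,runtimeClasspath
org.example:helper:1.0.0=runtimeClasspath
empty=annotationProcessor
"""


def parse_gradle_lockfile(text: str) -> LockState:
    """Parse lockfile text into {module: {configuration: version}}; reject malformed lines."""
    state: LockState = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        coordinate, sep, configs = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'coordinate=configs', got {raw!r}")
        if coordinate == "empty":
            continue  # configurations with no dependencies carry no pins
        parts = coordinate.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: malformed coordinate {coordinate!r}")
        group, artifact, version = parts
        pins = state.setdefault(f"{group}:{artifact}", {})
        for config in filter(None, configs.split(",")):
            if config in pins:
                raise ValueError(f"line {lineno}: {group}:{artifact} locked twice for {config}")
            pins[config] = version
    return state


def _flatten(state: LockState) -> Dict[Pin, str]:
    """Turn the nested lock state into {(module, configuration): version}."""
    return {(m, c): v for m, cfgs in state.items() for c, v in cfgs.items()}


def diff_lockfiles(old_text: str, new_text: str) -> Dict[str, List[tuple]]:
    """Report pins that were added, removed, or changed version between two lockfiles."""
    old = _flatten(parse_gradle_lockfile(old_text))
    new = _flatten(parse_gradle_lockfile(new_text))
    return {
        "added": [(m, c, new[(m, c)]) for (m, c) in sorted(set(new) - set(old))],
        "removed": [(m, c, old[(m, c)]) for (m, c) in sorted(set(old) - set(new))],
        "changed": [
            (m, c, old[(m, c)], new[(m, c)])
            for (m, c) in sorted(set(old) & set(new))
            if old[(m, c)] != new[(m, c)]
        ],
    }


if __name__ == "__main__":
    report = diff_lockfiles(OLD_LOCKFILE, NEW_LOCKFILE)
    for module, config, before, after in report["changed"]:
        print(f"CHANGED {module} [{config}]: {before} -> {after}")
    for module, config, version in report["added"]:
        print(f"ADDED   {module} [{config}]: {version}")
    for module, config, version in report["removed"]:
        print(f"REMOVED {module} [{config}]: {version}")
```

Run it against the previous and current gradle.lockfile from a pull request and every line of output is a version decision someone should have made on purpose; an unexpected CHANGED line on a module nobody touched is exactly the kind of silent transitive swap the lockfile is meant to surface.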

July 8

Alert Modal Now Displays Known Exploited Vulnerabilities (KEV) Data

We've added CISA Known Exploited Vulnerabilities (KEV) data to the alert modal in the Socket Dashboard.

What’s new:

  • A dedicated “Known Exploits” section appears when relevant, highlighting vulnerabilities actively exploited in the wild
  • Quick access to critical context from CISA’s KEV catalog, surfaced directly in package alerts

This helps you prioritize the most dangerous issues faster by identifying alerts tied to real-world exploitation.
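As an added example (not Socket's code and not a description of how the Socket Dashboard implements this), the Python script below shows the prioritization described above done by hand: scanner alerts are cross-referenced against a CISA KEV catalog and ranked so that actively exploited CVEs come first. The JSON field names follow CISA's public known_exploited_vulnerabilities.json feed; the catalog excerpt, the alerts, the package names and the CVE IDs are constructed placeholders.

```python
"""Rank package alerts by CISA KEV membership (added example, not Socket's code).

Field names match the public known_exploited_vulnerabilities.json feed.  The
catalog excerpt and the alerts are constructed; CVE-0000-* are placeholder IDs.
"""

import json
from typing import Any, Dict, List, Optional

# Constructed KEV excerpt with placeholder entries.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-0000-0001",
      "vendorProject": "ExampleVendor",
      "product": "pkg-b",
      "vulnerabilityName": "ExampleVendor pkg-b Deserialization of Untrusted Data Vulnerability",
      "dateAdded": "2025-06-01",
      "dueDate": "2025-06-22",
      "knownRansomwareCampaignUse": "Known"
    },
    {
      "cveID": "CVE-0000-0002",
      "vendorProject": "ExampleVendor",
      "product": "pkg-c",
      "vulnerabilityName": "ExampleVendor pkg-c Path Traversal Vulnerability",
      "dateAdded": "2025-06-10",
      "dueDate": "2025-07-01",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}"""

# Constructed alerts in the shape a dependency scanner might emit: the affected
# package, the CVE the alert maps to (None for non-CVE alerts) and a severity.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"package": "pkg-a@1.0.0", "cve": "CVE-0000-0003", "severity": "critical"},
    {"package": "pkg-b@2.1.0", "cve": "CVE-0000-0001", "severity": "high"},
    {"package": "pkg-c@0.9.0", "cve": "CVE-0000-0002", "severity": "medium"},
    {"package": "pkg-d@3.0.0", "cve": None, "severity": "low"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def load_kev_index(catalog_json: str) -> Dict[str, Dict[str, Any]]:
    """Index the KEV catalog by CVE ID (upper-cased so lookups are case-insensitive)."""
    catalog = json.loads(catalog_json)
    return {entry["cveID"].upper(): entry for entry in catalog["vulnerabilities"]}


def prioritize_alerts(
    alerts: List[Dict[str, Any]], kev_index: Dict[str, Dict[str, Any]]
) -> List[Dict[str, Any]]:
    """Return copies of the alerts annotated with KEV context and sorted so that
    known-exploited CVEs come first, ransomware-linked ones before the rest,
    then by scanner severity, then by package name for a stable order."""
    annotated: List[Dict[str, Any]] = []
    for alert in alerts:
        cve = (alert.get("cve") or "").upper()
        kev: Optional[Dict[str, Any]] = kev_index.get(cve)
        annotated.append({**alert, "known_exploited": kev is not None, "kev": kev})

    def sort_key(a: Dict[str, Any]):
        kev = a["kev"]
        ransomware = bool(kev) and kev.get("knownRansomwareCampaignUse") == "Known"
        return (
            0 if kev else 1,
            0 if ransomware else 1,
            SEVERITY_RANK.get(a["severity"], len(SEVERITY_RANK)),
            a["package"],
        )

    return sorted(annotated, key=sort_key)


if __name__ == "__main__":
    for a in prioritize_alerts(SAMPLE_ALERTS, load_kev_index(SAMPLE_KEV_JSON)):
        flag = f"KEV (due {a['kev']['dueDate']})" if a["known_exploited"] else "not in KEV"
        print(f"{a['package']:<14} {a['severity']:<9} {a['cve'] or '-':<14} {flag}")
```

Note the design choice: a KEV hit outranks a higher scanner severity, because the catalog records confirmed exploitation in the wild while severity is a worst-case estimate, and the catalog's dueDate gives a concrete remediation deadline to attach to the alert.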

July 4

Python CLI: GitLab api Event Support + Safer License File Naming

What’s new:

  • Added support for the api event type in GitLab pipelines, preventing CLI errors when triggered via API events.
  • Introduced a new CLI flag: --license-file-name
    This allows you to specify a safe, static output filename (defaults to license_output.json) instead of relying on auto-generated names from repo/branch, which could sometimes produce invalid paths.

This update improves both stability and flexibility when running Socket in GitLab CI environments.

July 3

SBOM Support for Rust/Cargo Projects

Socket now provides comprehensive SBOM generation for Rust projects using Cargo.toml and Cargo.lock, bringing the Rust ecosystem to feature parity with npm, PyPI, Maven, NuGet, and RubyGems in our security pipeline.

What this means:

  • Complete parsing of both Cargo.toml and Cargo.lock files
  • Accurate dependency graphs and security insights for Rust codebases
  • Broader multi-ecosystem coverage for modern software teams

This is another step towards expanding our ecosystem coverage to include Rust.

July 3

Redesigned Scan Pages in the Dashboard

We’ve rolled out a refreshed design for the SBOM Report Page across all scan types, including Diff Scan, Full Scan, and Diff Report, bringing a cleaner layout and improved usability.

What’s new:

  • Simplified headers with just the essentials: repository, PR, and timestamp
  • Removed redundant info (like duplicate "Manifests" and UUID-heavy scan IDs)
  • Smarter layout to reduce vertical clutter and highlight what matters most
  • Updated Insights panel and control buttons for easier access
  • Bug handling improvements: gracefully hides missing branch badges instead of showing broken UI

This is part of our ongoing effort to enhance the dashboard experience as part of the PR Stories initiative.

July 1

Python CLI: Fixed Incorrect Exit Code for Warn-Only Diff Reports

The Socket Python CLI no longer exits with an error code when a diff report contains only warn-level alerts.

Before:
Even if there were no error-level alerts, the CLI returned exit code 5, which could incorrectly signal failure in scripts or CI pipelines.

Now:
The CLI returns exit code 0 for warn-only diff reports, as expected.

This fix ensures that non-critical warnings don’t break your workflows.

June 26

View Diff Scans by ID in the Dashboard

You can now access diff scans directly using their unique Diff Scan ID on the Socket Dashboard.

What’s new:

  • A dedicated page for viewing diff scans by ID
  • Reuses existing scan views, now powered by stored multi-SBOM data
  • Updated internal URLs across the API and GitHub app to link to this new route

This update makes it easier to track and share diff scans as standalone resources, with no need to reconstruct them from their full scans.

June 26

Changelog Notification Now Functions as Read Indicator

We’ve improved the behavior of the pink dot indicator on the Socket dashboard! Previously, it stuck around for 48 hours after a changelog item was posted, whether you'd seen it or not.

Now, the dot disappears as soon as you open the Help & Info popover, signaling you've "read" the latest updates. No more lingering alerts once you're caught up.

June 25

New API Endpoint for Alert Details

We’ve added a new /alert-types API endpoint that returns detailed information for a given alert identifier, including support for multiple languages.

This fills a key gap in the API: previously, some alert metadata wasn’t available outside the UI. Now, you can fetch that context programmatically, streamlining integrations and reducing scan payload sizes.

For more information and implementation details, check out the Alert Types documentation.

June 24

Python CLI: License Attribution Generation Fixed

The Socket Python CLI now correctly generates license attributions again. A recent change in how license data is structured, alongside a new diff endpoint, had caused errors during generation.

This update:

  • Switches to the batch PURL endpoint to fetch license details
  • Replaces license_text with licenseDetails and licenseAttrib

Everything should now work as expected when pulling license metadata via the CLI.