Socket doesn't require a large documentation set to use or understand, but we do have a few points of configuration that may be useful. If you have additional questions or comments, please see our FAQ or ask on our Discord.
You can install the Socket GitHub app by visiting github.com/apps/socket-security. You can install the app to every repo in the org or to individual repos.
When you install the GitHub app to your GitHub user account or org, Socket will begin recursively scanning any pull request activity for changes to the following dependency files:
For each head commit in a pull request containing npm-related dependency files, a project report will be generated, which lists all dependencies found in the project. If the pull request contains a dependency change that introduces any of the following issues, a comment will be created in the pull request that includes more details about the change.
socket.yml
You can configure the Socket GitHub app by adding a socket.yml file to the root of your repo.
Note: Nested socket.yml files are not supported. The .yaml file extension variant is not supported.
An example socket.yml file can be seen below:
---
ignore:
- ignored-folder
- foo/bar/package.json
enabled: true
All fields are optional, and the socket.yml file itself is optional.
ignore
The ignore key is an array of strings that are used to ignore folders or files. The individual strings in the ignore array work like .gitignore patterns.
The following patterns are always included in the ignore array by default:
node_modules
.yarn
enabled
By default, the enabled field is set to true. If you want the Socket GitHub app to never run on a repo and do not have org permissions to disable GitHub access to that repo, you can add a socket.yml file to your repo and set enabled to false.
beta
To opt in to new features before we roll them out to everyone, set this field to true. Please note that beta features may be unstable!
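The following Python example, added here and not part of Socket's own code or this page, models the semantics described above for the ignore, enabled and beta fields: the always-present default patterns (node_modules and .yarn), user patterns that behave like .gitignore entries, and enabled: false switching scanning off entirely. It assumes a small hand-written reader for the flat socket.yml shape shown on this page rather than a full YAML parser, and its is_ignored matcher is a simplified approximation of .gitignore rules (a pattern without a slash matches any path component; a pattern with a slash is matched against the repo-relative path). The sample file and file list are constructed to mirror the page's example.

```python
"""Illustrative reader for the flat socket.yml shape documented on this page.

Added example, not Socket's implementation. Assumptions: a minimal parser is
enough for the documented fields, and a simplified gitignore-style matcher is
enough to show how the default and user-supplied ignore patterns interact.
"""
from fnmatch import fnmatch
from pathlib import PurePosixPath

# From the page: these patterns are always part of the ignore array.
DEFAULT_IGNORE = ("node_modules", ".yarn")

# Constructed sample mirroring the example socket.yml on the page.
SAMPLE_SOCKET_YML = """\
---
ignore:
- ignored-folder
- foo/bar/package.json
enabled: true
"""


def parse_socket_yml(text):
    """Parse the flat key/list shape used by socket.yml.

    Handles only top-level boolean keys and a top-level `ignore:` key followed
    by `- item` entries (or an inline `[a, b]` list). Unknown keys and
    non-boolean values for enabled/beta are rejected so typos surface early.
    """
    config = {"ignore": [], "enabled": True, "beta": False}
    current_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "---":
            continue
        if line.startswith("- "):
            if current_list is None:
                raise ValueError(f"list item outside a list: {raw!r}")
            config[current_list].append(line[2:].strip())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key not in config:
            raise ValueError(f"unknown socket.yml key: {key!r}")
        if key == "ignore":
            current_list = "ignore"
            if value:  # inline flow list such as `ignore: [a, b]`
                items = value.strip("[]").split(",")
                config["ignore"].extend(p.strip() for p in items if p.strip())
        else:
            current_list = None
            if value.lower() not in ("true", "false"):
                raise ValueError(f"{key} must be true or false, got {value!r}")
            config[key] = value.lower() == "true"
    return config


def effective_ignore(config):
    """Defaults are always included; user patterns are appended after them."""
    return list(DEFAULT_IGNORE) + [p for p in config["ignore"] if p not in DEFAULT_IGNORE]


def is_ignored(path, patterns):
    """Simplified gitignore-style match (an approximation, not git's algorithm)."""
    parts = PurePosixPath(path).parts
    for pattern in patterns:
        if "/" in pattern:
            anchored = pattern.rstrip("/")
            if fnmatch(path, anchored) or path.startswith(anchored + "/"):
                return True
        elif any(fnmatch(part, pattern) for part in parts):
            return True
    return False


def files_to_scan(config, paths):
    """Return the dependency files that survive the ignore rules.

    With enabled: false nothing is scanned, matching the page's description.
    """
    if not config["enabled"]:
        return []
    patterns = effective_ignore(config)
    return [p for p in paths if not is_ignored(p, patterns)]


if __name__ == "__main__":
    cfg = parse_socket_yml(SAMPLE_SOCKET_YML)
    candidates = [  # constructed repo-relative paths
        "package.json",
        "foo/bar/package.json",
        "ignored-folder/package.json",
        "node_modules/left-pad/package.json",
        "apps/web/package.json",
        ".yarn/cache/package.json",
    ]
    print("effective ignore:", effective_ignore(cfg))
    print("scanned:", files_to_scan(cfg, candidates))
```

Running the module prints the merged ignore list and the two files that would still be reported (package.json and apps/web/package.json); the node_modules and .yarn defaults drop the vendored files even though the sample socket.yml never mentions them.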