Big update!Announcing Socket for GitHub 1.0. Learn more
Log in

Socket Docs

Socket doesn't require a large documentation set to use or understand, but we do have a few points of configuration that may be useful. If you have additional questions or comments, please see our FAQ or ask on our Discord.

GitHub App

You can install the Socket GitHub app by visiting You can install the app to every repo in the org or to individual repos.

When you install the GitHub app to your GitHub user account or org, Socket will begin recursivly scanning any pull request activity for changes to the following dependency files:

For each head commit in a pull request containing npm related dependency files, a project report will be generated, which lists all dependencies found in the project. If the pull request contains a dependency change that introduces any of the following issues, a comment will be created in the pull request that includes more details about the change.


You can configure the Socket GitHub app by adding a socket.yml file to the root of your repo. Note: Nested socket.yml files are not supported. The .yaml file extension variant is not supported.

An example socket.yml file can be seen below:

  - ignored-folder
  - foo/bar/package.json
# enable/disable the GitHub app entirely
enabled: true
# enable/disable GitHub app pull request alert checks
pullRequestAlertsEnabled: true
# enable/disable Github app project report checks
projectReportsEnabled: true
# beta opt in field
beta: false

All fields are optional, and the socket.yml file is optional.


The ignore key is an array of strings that are used to ignore folders or files. The individual strings in the ignore array work like .gitignore patterns. By default, the following patterns are always included in the ignore array by default:

  • node_modules
  • .yarn


Default: true. If you want the Socket GitHub app to never run on a repo and do not have org permissions to disable GitHub access to that repo, you can add a socket.yml file to your repo and set enabled to false. Setting enabled to false will override other settings in the socket.yml associated with the GitHub app.


Default: true. The pullRequestAlertsEnabled field can be used to individually disable pull request alerts check runs and pull request comments generated by the GitHub app. The enabled field must be set to true for this field to have any effect.


Default: true. The projectReportsEnabled field can be used to individually disable project reports check runs for commits from being generated. The enabled field must be set to true for this field to have any effect.


Default: false. To opt in to new features before we roll them out to everyone, set this field to true. Please note that beta features may be unstable!



Subscribe to our newsletter

Get open source security insights delivered straight into your inbox. Be the first to learn about new features and product updates.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc