
celo-org/socket-exporter


socket-dev-exporter

A simple Prometheus exporter, written in Go, that exposes Socket.dev scores for the latest versions of the @celo NPM packages.

This exporter exposes metrics on port 9101 at the path /metrics, in the following format:

# HELP socket_score Shows socket.dev packages scores
# TYPE socket_score gauge
socket_score{package="@celo/0x-contracts",score="license",version="2.1.2-0.0"} 0.8629757195290285
socket_score{package="@celo/0x-contracts",score="maintenance",version="2.1.2-0.0"} 0.6968453019359488
socket_score{package="@celo/0x-contracts",score="miscellaneous",version="2.1.2-0.0"} 0
socket_score{package="@celo/0x-contracts",score="quality",version="2.1.2-0.0"} 0.6410426253533731
socket_score{package="@celo/0x-contracts",score="supplychainrisk",version="2.1.2-0.0"} 0.39592272547306173
socket_score{package="@celo/0x-contracts",score="vulnerability",version="2.1.2-0.0"} 0.25
# HELP npm_download_count NPM package download count for a given day
# TYPE npm_download_count gauge
npm_download_count{date="2024-02-18",package="@celo/0x-contracts"} 180
...
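To show how the lines above are produced, here is an added example (not the project's own code) of a minimal Go program that renders the two gauge families in the Prometheus text exposition format and serves them on :9101/metrics using only the standard library. The type names, the escapeLabel helper and the sample values are assumptions made for the example; the project uses its own structures.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"sort"
	"strconv"
	"strings"
)

// PackageScores holds one Socket.dev score per category for one package
// version, matching the labels the exporter puts on socket_score.
type PackageScores struct {
	Package string
	Version string
	Scores  map[string]float64 // category name -> score in [0,1]
}

// DownloadCount is one npm_download_count sample: downloads of a package on one day.
type DownloadCount struct {
	Package string
	Date    string // YYYY-MM-DD
	Count   int
}

// escapeLabel applies the Prometheus text-format escaping for label values:
// backslash, double quote and newline are the only characters that need it.
func escapeLabel(v string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`).Replace(v)
}

// RenderSocketScores emits the socket_score gauge family. Categories are
// sorted so the output is stable from one scrape to the next.
func RenderSocketScores(pkgs []PackageScores) string {
	var b strings.Builder
	b.WriteString("# HELP socket_score Shows socket.dev packages scores\n")
	b.WriteString("# TYPE socket_score gauge\n")
	for _, p := range pkgs {
		cats := make([]string, 0, len(p.Scores))
		for c := range p.Scores {
			cats = append(cats, c)
		}
		sort.Strings(cats)
		for _, c := range cats {
			fmt.Fprintf(&b, "socket_score{package=\"%s\",score=\"%s\",version=\"%s\"} %s\n",
				escapeLabel(p.Package), escapeLabel(c), escapeLabel(p.Version),
				strconv.FormatFloat(p.Scores[c], 'g', -1, 64))
		}
	}
	return b.String()
}

// RenderDownloadCounts emits the npm_download_count gauge family.
func RenderDownloadCounts(dls []DownloadCount) string {
	var b strings.Builder
	b.WriteString("# HELP npm_download_count NPM package download count for a given day\n")
	b.WriteString("# TYPE npm_download_count gauge\n")
	for _, d := range dls {
		fmt.Fprintf(&b, "npm_download_count{date=\"%s\",package=\"%s\"} %d\n",
			escapeLabel(d.Date), escapeLabel(d.Package), d.Count)
	}
	return b.String()
}

// MetricsHandler serves both families with the text exposition content type.
func MetricsHandler(pkgs []PackageScores, dls []DownloadCount) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain; version=0.0.4; charset=utf-8")
		_, _ = w.Write([]byte(RenderSocketScores(pkgs) + RenderDownloadCounts(dls)))
	})
}

func main() {
	// Constructed sample data; a real exporter fills this from Socket.dev and the npm registry.
	pkgs := []PackageScores{{
		Package: "@celo/0x-contracts", Version: "2.1.2-0.0",
		Scores:  map[string]float64{"license": 0.8629757195290285, "vulnerability": 0.25, "miscellaneous": 0},
	}}
	dls := []DownloadCount{{Package: "@celo/0x-contracts", Date: "2024-02-18", Count: 180}}
	http.Handle("/metrics", MetricsHandler(pkgs, dls))
	log.Fatal(http.ListenAndServe(":9101", nil))
}
```

Run it and `curl localhost:9101/metrics` returns the same families as the listing above. The explicit label escaping matters because package names and versions come from an external source; a value containing a quote or newline would otherwise corrupt the exposition and make Prometheus drop the scrape.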

Configuration

The following environment variables configure this exporter:

  • API_TOKEN (REQUIRED): A Socket.dev API token. Treat it as a secret: inject it at run time (for example through the orchestrator's secret mechanism) rather than baking it into the image, and keep it out of logs.
  • LOG_LEVEL: The Logrus log level. If not set, defaults to info.
  • PERIOD: The period to refresh the Socket.dev scores, in hours. If not set, defaults to 24.
  • TIMEOUT: The timeout for requests to Socket.dev, in seconds. If not set, defaults to 15.
  • RETRIES: The number of retries for requests to Socket.dev. If not set, defaults to 5.
  • MAX_PACKAGES: The maximum number of packages to fetch metrics for. If not set, no limit is applied and all packages are processed.
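As an added example (not the project's own code), the following Go snippet loads these six variables with the defaults listed above, rejects a missing API_TOKEN or a non-positive PERIOD or TIMEOUT, and gives the config a String method that redacts the token so that logging the startup configuration cannot leak it. LoadConfig takes the getenv function as a parameter so it can be exercised with a map instead of the process environment. The Config type, the intEnv helper and the accepted level names (assumed to match what Logrus parses) are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"strconv"
	"time"
)

// Config is the exporter's runtime configuration, populated from the
// environment variables documented above.
type Config struct {
	APIToken    string
	LogLevel    string
	Period      time.Duration // refresh interval, from PERIOD (hours)
	Timeout     time.Duration // per-request timeout, from TIMEOUT (seconds)
	Retries     int
	MaxPackages int // 0 means no limit
}

// String renders the config for logging with the token redacted, so a debug
// log of the startup configuration never exposes the Socket.dev credential.
func (c Config) String() string {
	tok := "<unset>"
	if c.APIToken != "" {
		tok = "<redacted>"
	}
	return fmt.Sprintf("api_token=%s log_level=%s period=%s timeout=%s retries=%d max_packages=%d",
		tok, c.LogLevel, c.Period, c.Timeout, c.Retries, c.MaxPackages)
}

// logLevels are the level names accepted for LOG_LEVEL (assumption: the set Logrus parses).
var logLevels = map[string]bool{"panic": true, "fatal": true, "error": true, "warn": true,
	"warning": true, "info": true, "debug": true, "trace": true}

// intEnv parses an optional non-negative integer variable, returning def when
// unset; zero is only accepted when allowZero is true.
func intEnv(getenv func(string) string, key string, def int, allowZero bool) (int, error) {
	raw := getenv(key)
	if raw == "" {
		return def, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil {
		return 0, fmt.Errorf("%s: %q is not an integer", key, raw)
	}
	if n < 0 || (n == 0 && !allowZero) {
		return 0, fmt.Errorf("%s: must be positive, got %d", key, n)
	}
	return n, nil
}

// LoadConfig reads the six variables via getenv (os.Getenv in production, a
// map lookup in tests) and applies the documented defaults and checks.
func LoadConfig(getenv func(string) string) (Config, error) {
	cfg := Config{APIToken: getenv("API_TOKEN"), LogLevel: getenv("LOG_LEVEL")}
	if cfg.APIToken == "" {
		return Config{}, errors.New("API_TOKEN is required")
	}
	if cfg.LogLevel == "" {
		cfg.LogLevel = "info"
	}
	if !logLevels[cfg.LogLevel] {
		return Config{}, fmt.Errorf("LOG_LEVEL: unknown level %q", cfg.LogLevel)
	}
	period, err := intEnv(getenv, "PERIOD", 24, false)
	if err != nil {
		return Config{}, err
	}
	timeout, err := intEnv(getenv, "TIMEOUT", 15, false)
	if err != nil {
		return Config{}, err
	}
	if cfg.Retries, err = intEnv(getenv, "RETRIES", 5, true); err != nil {
		return Config{}, err
	}
	// MAX_PACKAGES unset (or 0) means no limit.
	if cfg.MaxPackages, err = intEnv(getenv, "MAX_PACKAGES", 0, true); err != nil {
		return Config{}, err
	}
	cfg.Period = time.Duration(period) * time.Hour
	cfg.Timeout = time.Duration(timeout) * time.Second
	return cfg, nil
}

func main() {
	cfg, err := LoadConfig(os.Getenv)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("starting with %s", cfg) // token is redacted by Config.String
}
```

Failing fast on a bad value is preferable to silently falling back to a default: a PERIOD of 0 would hammer the Socket.dev API, and a misspelled LOG_LEVEL would otherwise go unnoticed.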

Tests

Tests can be found in main_tests.go.

CI/CD

The CI/CD pipeline is defined as a GitHub Actions workflow with the following jobs:

  • On each PR, commit to main, or release, the code is built and tested.
  • On each PR, a Docker image is pushed to us-west1-docker.pkg.dev/devopsre/dev-images/socket-exporter with the tag test.
  • On each commit to main, a Docker image is pushed to us-west1-docker.pkg.dev/devopsre/socket-exporter/socket-exporter with the tag latest.
  • On each release, a Docker image is pushed to us-west1-docker.pkg.dev/devopsre/socket-exporter/socket-exporter tagged with the release tag.

Because the test and latest tags are overwritten on every push, deployments that need a fixed build should reference a release tag or the image digest.

The Dockerfile for building the Docker image can be found here.