Conversation

@dacoburn
Collaborator

@dacoburn dacoburn commented Oct 24, 2025

This PR fixes critical bugs in the Socket Basics security scanner that prevented Socket facts files from uploading to the Socket Security platform and adds support for custom SAST rules. Additionally, it significantly expands JavaScript/TypeScript security rules with comprehensive OWASP Top 10 2021 coverage.

Root Cause

  1. Socket Facts Upload Failure: The SDK fullscans.post method received incorrect path parameters - using absolute paths instead of relative filenames with proper base_path configuration.

  2. Output Path Resolution: When using relative output paths with a workspace parameter, files were created in the wrong directory.

  3. Limited SAST Flexibility: No mechanism existed for users to provide custom SAST rule directories.

  4. Outdated JavaScript Rules: Minimal rule coverage missing modern vulnerability patterns and OWASP Top 10 2021 alignment.

Fix

  1. Socket Facts Upload: Corrected SDK call to use relative filename (.socket.facts.json) with proper base_path parameter pointing to parent directory. Fixed syntax error in base_paths parameter.

  2. Path Resolution: Added logic to resolve relative output paths against workspace directory when specified.

  3. Custom SAST Rules: Added INPUT_USE_CUSTOM_SAST_RULES and INPUT_CUSTOM_SAST_RULE_PATH configuration parameters, with fallback to bundled rules for languages without custom rules.

  4. JavaScript/TypeScript Rules: Default rules have improved detection

Public Changelog

Added

  • Custom SAST rules support via INPUT_USE_CUSTOM_SAST_RULES and INPUT_CUSTOM_SAST_RULE_PATH environment variables

Fixed

  • Socket facts file upload to Socket Security platform
  • Output file path resolution with relative paths and workspace configuration

Improved

  • JavaScript scanning now detects injection attacks, authentication issues, cryptographic failures, security misconfigurations, and SSRF vulnerabilities

Checklist

  • Is PR safe to revert (yes/no)?: Yes - Reverting restores previous behavior, though Socket facts upload fix is critical for platform integration. Custom rules and enhanced JavaScript detection are additive features.

Files Modified: socket_basics.py, connectors.yaml, rules/javascript/security.yml, version.py
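The three path- and configuration-related fixes above (relative output paths resolved against the workspace, the facts file split into a base path plus a relative filename before upload, and custom SAST rule directories with a fallback to bundled rules) can be illustrated with the following added example. It is not code from the socket-basics project or from this PR: the function names are hypothetical, the SDK `fullscans.post` call itself is deliberately not reproduced because its signature is not shown on this page, and the `<language>/security.yml` rule layout is assumed by generalising the `rules/javascript/security.yml` path listed under Files Modified. The accepted truth values for `INPUT_USE_CUSTOM_SAST_RULES` are likewise an assumption.

```python
"""Illustrative path-resolution and rule-selection helpers.

Added example; NOT the socket-basics project's code. Names, the
<language>/security.yml layout and the env-var truth values are assumptions.
"""
import os
from pathlib import Path
from typing import Callable, Dict, Optional, Tuple

# Filename the PR says is uploaded as a relative name with a base_path.
FACTS_FILENAME = ".socket.facts.json"


def resolve_output_path(output: str, workspace: Optional[str]) -> Path:
    """Resolve a relative output path against the workspace directory.

    Absolute paths are returned unchanged; without a workspace the relative
    path is left relative (the caller's cwd then applies, as before the fix).
    """
    candidate = Path(output)
    if candidate.is_absolute() or not workspace:
        return candidate
    return Path(workspace) / candidate


def split_for_upload(facts_path: str) -> Tuple[str, str]:
    """Return (base_path, relative filename) for an upload API that expects
    the file name relative to a base directory rather than an absolute path.

    Raises if the path is not absolute, so a caller cannot accidentally pass a
    cwd-dependent path and upload the wrong file.
    """
    path = Path(facts_path)
    if not path.is_absolute():
        raise ValueError(f"expected an absolute facts path, got {facts_path!r}")
    return str(path.parent), path.name


def select_rule_file(
    language: str,
    env: Dict[str, str],
    bundled_root: str,
    exists: Callable[[Path], bool] = lambda p: p.is_file(),
) -> Path:
    """Pick the SAST rule file for LANGUAGE.

    If INPUT_USE_CUSTOM_SAST_RULES is truthy and INPUT_CUSTOM_SAST_RULE_PATH is
    set, prefer <custom>/<language>/security.yml when it exists; otherwise fall
    back to the bundled rules so languages without custom rules still scan.
    `exists` is injectable so the selection logic can be tested offline.
    """
    use_custom = env.get("INPUT_USE_CUSTOM_SAST_RULES", "").strip().lower() in (
        "1", "true", "yes",
    )
    custom_root = env.get("INPUT_CUSTOM_SAST_RULE_PATH", "").strip()
    if use_custom and custom_root:
        custom_file = Path(custom_root) / language / "security.yml"
        if exists(custom_file):
            return custom_file
    return Path(bundled_root) / language / "security.yml"


if __name__ == "__main__":
    # Constructed sample inputs, not values from the PR.
    out = resolve_output_path("reports/.socket.facts.json", "/github/workspace")
    print("output path:", out)
    print("upload args:", split_for_upload(str(out)))
    env = {"INPUT_USE_CUSTOM_SAST_RULES": "true",
           "INPUT_CUSTOM_SAST_RULE_PATH": "/opt/custom-rules"}
    print("rules:", select_rule_file("javascript", env, "/app/rules",
                                     exists=lambda p: False))
```

The `exists` parameter defaults to a real filesystem check; the constructed call in the `__main__` block forces the fallback to show that a language without custom rules still resolves to the bundled `security.yml`.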

@dacoburn dacoburn requested a review from a team as a code owner October 24, 2025 09:26
@dacoburn dacoburn requested review from rchatrath7 and tmpvar and removed request for a team October 24, 2025 09:26
@dacoburn dacoburn merged commit 2352e54 into main Oct 24, 2025
4 checks passed
@dacoburn dacoburn deleted the doug/add-node-and-socket-back-into-container branch October 24, 2025 19:35
3 participants