
GitHub App

Socket Security


Socket is in beta. This GitHub App currently supports typosquat detection only. Additional detections will become available in May. Stay tuned!

Socket protects your app from insecure dependencies lurking in your open source supply chain.

Open source code makes up 90% of most codebases. It is critical to manage it effectively to reduce your security risk.

Detect and block open source supply chain attacks

Security teams depend on Socket to prevent malicious open source dependencies from infiltrating their apps.

Socket dramatically improves your open source security posture by detecting and blocking the attacks you don't expect – malware, hidden code, typo-squatting, and more – which aren't caught by CVE vulnerability scanners.

  • Block malware – Block emerging malware threats

  • Block typo-squatting – Block malicious packages that differ in name by only a few characters, and recommend the correct package

  • Detect hidden code – Detect obfuscated, minified, or hidden code

  • Detect privileged API usage – Report when a dependency update introduces new risky API usage – filesystem, network, child_process, eval()

  • Detect suspicious updates – Sudden inclusion of privileged APIs in patch or minor releases

Socket currently supports 60 detections in 5 categories: supply chain risk, quality, maintenance, known vulnerabilities, and license problems.

Take charge of your dependency health

Socket improves security outcomes and reduces work for security teams by surfacing actionable security information directly inline in GitHub so developers are empowered to make better decisions.

  • Five minute deployment – The easiest security product you'll ever deploy in your organization. Just install a GitHub app and you're done.

  • Provide security feedback directly on PRs – Empower developers to solve security issues before they're deployed into production.

  • Automated security – Spend security team resources auditing the highest-impact dependencies, instead of choosing between auditing every dependency and auditing none.

Socket detects what vulnerability scanners can’t

It's 2022 and it's no longer sufficient to scan for known vulnerabilities (CVEs) and stop there. And yet, that's what the leading "supply chain security" products do, leaving you vulnerable.

It can take weeks or months for a CVE to be discovered, reported, and detected by tools. But in today's culture of fast development, a malicious dependency can be updated, merged, and running in production in days or even sometimes hours.

Defenders need a new approach to address emerging threats from malicious dependencies:

  • Maintainer intentionally added malware – Rogue maintainer sabotaged his own open source package with 100M downloads/month, affecting companies such as Amazon AWS

  • Package hijacked and poisoned w/ cryptominers and password-stealing malware – Deliberate malware introduced into multiple packages with 30M downloads/month each

  • Package hijacked to add backdoor targeting a specific organization – Obfuscated malware added to a dependency which targeted a single company, went undetected for over a week, and made it into their production build

  • NPM package manager allowed anyone to publish new versions of any package – Attackers could publish new versions of any NPM package without authorization for multiple years

Using third-party dependencies without proper vetting leaves you open to hacking, breaches, and assorted security misfortune.

Socket is in beta. This GitHub App currently supports typosquat detection only. The remaining detections will become available within the GitHub App by end of April.


Socket Security is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
