[APPSEC-1645] [Non-Prod] Add Socket Security Tier 1 reachability scan #105

Merged: ping-huang1 merged 3 commits into main from appsec-socket-scan on Apr 9, 2026

@ping-huang1 ping-huang1 commented Apr 3, 2026

Summary

  • Adds Socket Security scan workflow with Tier 1 reachability analysis
  • Runs daily at 2 AM UTC and can be triggered manually
  • Reachability analysis can be toggled via workflow dispatch input (enabled by default)

Details

The workflow:

  • Checks out the repo and sets up Python 3.12 + Node 20
  • Installs Socket CLI via uv
  • Runs socketcli with Tier 1 reachability flags (--reach --reach-memory-limit 16384 --reach-timeout 3600)

Required secret: SOCKET_SECURITY_API_KEY (enterprise plan) with scopes: socket-basics, uploaded-artifacts, full-scans, repo

Test plan

  • After merge, manually trigger the workflow via the "Run workflow" button to confirm it runs successfully

https://webflow.atlassian.net/browse/APPSEC-1645

Adds a GitHub Actions workflow for Socket Security scanning with Tier 1
reachability analysis to identify which dependency vulnerabilities are
actually reachable in the codebase.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ping-huang1 ping-huang1 requested a review from a team as a code owner April 3, 2026 00:10
@ping-huang1 ping-huang1 requested review from zmcnellis and removed request for a team April 3, 2026 00:10
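
An added sketch of the workflow the description above outlines, not the repository's own socket_reachability.yml. The setup-python and setup-uv pins are the ones named in the Socket alerts on this page; the workflow, job and input names, the runner, the permissions block, the checkout and setup-node pins (placeholders), the install command and the secret name (taken from the follow-up commit in this thread) are assumptions.

```yaml
# Added example: assumed names are marked; flags and schedule come from the PR description.
name: Socket Security Reachability Scan        # assumed name

on:
  schedule:
    - cron: "0 2 * * *"                        # daily at 2 AM UTC
  workflow_dispatch:
    inputs:
      reachability:                            # assumed input name
        description: Run Tier 1 reachability analysis
        type: boolean
        default: true

permissions:
  contents: read                               # assumption: the scan only reads the checkout

jobs:
  socket-scan:                                 # assumed job name
    runs-on: ubuntu-latest                     # assumption
    steps:
      - uses: actions/checkout@<full-commit-sha>       # placeholder: pin not on the page
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
        with:
          python-version: "3.12"
      - uses: actions/setup-node@<full-commit-sha>     # placeholder: pin not on the page
        with:
          node-version: "20"
      - uses: astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f
      - name: Install Socket CLI
        run: uv tool install socketsecurity    # assumption: PyPI package that provides socketcli
      - name: Run Socket Security Scan
        env:
          # Assumed secret name; exported under a single variable only.
          SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }}
          # inputs.* is empty on scheduled runs, so the schedule defaults to enabled.
          REACHABILITY: ${{ github.event_name == 'schedule' || inputs.reachability }}
        run: |
          # The toggle arrives as an env value, never interpolated into the script text.
          set --
          if [ "$REACHABILITY" = "true" ]; then
            set -- --reach --reach-memory-limit 16384 --reach-timeout 3600
          fi
          socketcli "$@"
```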

socket-security bot commented Apr 3, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn | Severity: High | Alert: Input argument leak: github astral-sh/setup-uv exposes an input argument into sink

From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Validate and sanitize all input arguments before using them in dangerous operations. Use parameterized commands or APIs instead of string concatenation for shell commands.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn | Severity: High | Alert: Environment variable leak: github astral-sh/setup-uv passes an environment variable into sink

From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f

Suggestion: Validate and sanitize environment variables before using them in dangerous operations. Ensure environment variables come from trusted sources only, and use parameterized commands or APIs instead of string concatenation.

Action: Warn | Severity: Medium | Alert: Dynamic code execution: github actions/setup-python

From: .github/workflows/socket_reachability.yml → github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn | Severity: Medium | Alert: Network access: github actions/setup-python

From: .github/workflows/socket_reachability.yml → github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Action: Warn | Severity: Medium | Alert: System shell access: github actions/setup-python

From: .github/workflows/socket_reachability.yml → github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Action: Warn | Severity: Medium | Alert: Network access: github astral-sh/setup-uv

From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Action: Warn | Severity: Medium | Alert: System shell access: github astral-sh/setup-uv

From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Action: Warn | Severity: Medium | Alert: Dynamic code execution: github astral-sh/setup-uv

From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

@ping-huang1 ping-huang1 changed the title from "[APPSEC] Add Socket Security Tier 1 reachability scan" to "[APPSEC-1645] [Non-Prod] Add Socket Security Tier 1 reachability scan" Apr 3, 2026

@zmcnellis zmcnellis left a comment

@ping-huang1 I think my team (developer platform) was incorrectly tagged on this PR. Maybe you meant delivery loop?

- name: Run Socket Security Scan
env:
SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_KEY }}
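
Review bot: SOCKET_SECURITY_API_KEY and SOCKET_SECURITY_API_TOKEN in this step's env are both set from secrets.SOCKET_SECURITY_API_KEY, so one credential is exported under two names and the TOKEN variable's name does not match the secret it reads. Keep only the variable socketcli actually reads, and name the repository secret to match it so that rotation and audit have a single reference to track.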
Collaborator

I don't have context on this PR, but at a glance this seems redundant to have SOCKET_SECURITY_API_KEY and SOCKET_SECURITY_API_TOKEN pointed to the same secret?

Contributor Author

Good catch. The Socket documentation mentions both env variables, however after further testing we only need SOCKET_SECURITY_API_TOKEN. I've removed the redundant one. Thanks!

ping-huang1 and others added 2 commits April 7, 2026 17:31
Only SOCKET_SECURITY_API_TOKEN is needed; also corrected the secret
reference to use SOCKET_SECURITY_API_TOKEN.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ping-huang1 ping-huang1 merged commit a15f5d2 into main Apr 9, 2026
6 checks passed
@ping-huang1 ping-huang1 deleted the appsec-socket-scan branch April 9, 2026 17:21