Customizable Security Policies

Socket has introduced three new customizable default security policies to provide greater flexibility in managing dependency security: Low Noise, Default, and Higher Noise.

These policies leverage Socket's four alert actions (Block, Warn, Monitor, and Ignore), allowing teams to tailor their security measures according to their specific needs.

New Security Policies

1. Low Noise (Traditional SCA)

  • Focus: CVEs and malicious dependencies.
  • Actions:
    • Block known malicious dependencies.
    • Warn developers about critical CVEs.
    • Monitor all other CVEs.

2. Default (Recommended for Most Teams)

  • Focus: Balances robust security with minimized disruption.
  • Actions:
    • Block known malicious dependencies.
    • Warn for critical CVEs, potential typosquats, and protestware.
    • Monitor a wider range of potential issues.

3. Higher Noise (For More Engaged Teams)

  • Focus: Designed for teams with active security vetting.
  • Actions:
    • Block dependencies with critical CVEs or malicious intent.
    • Warn developers for a wider range of potential issues.
    • Monitor extensive quality and maintenance issues.

Policy Configurations

  • Inherit: The alert's action follows the chosen policy (Low Noise, Default, or Higher Noise), so it updates automatically whenever the policy changes.
  • Explicit Setting: The alert's action stays fixed regardless of policy changes, allowing tailored customization.

Detailed Breakdown of Default Alert Actions

The table below outlines the alert types and their corresponding actions under each security policy:

Alert Type | Low Noise (SCA) | Default | Higher Noise
--- | --- | --- | ---
Known Malware | 🚫 | 🚫 | 🚫
Critical CVE | ❗ | ❗ | 🚫
Git Dependency | ➖ | ❗ | 🚫
GitHub Dependency | ➖ | ❗ | 🚫
HTTP Dependency | ➖ | ❗ | 🚫
Possible Typosquat Attack | ➖ | ❗ | ❗
Protestware/Troll Package | ➖ | ❗ | ❗
Obfuscated File | ➖ | ❗ | ❗
Telemetry | ➖ | 👁️ | ❗
Unpublished Package | ➖ | 👁️ | ❗
Unpopular Package | ➖ | 👁️ | ❗
Unstable Ownership | ➖ | 👁️ | ❗
Deprecated | ➖ | 👁️ | ❗
Shrinkwrap | ➖ | 👁️ | ❗
High CVE | 👁️ | 👁️ | ❗
Medium CVE | 👁️ | 👁️ | 👁️
Low CVE | 👁️ | 👁️ | 👁️
Install Scripts | ➖ | ➖ | 👁️
Unmaintained | ➖ | ➖ | 👁️
Potential Vulnerability | ➖ | ➖ | 👁️
AI-Detected Potential Malware | ➖ | ➖ | 👁️

Alert Actions

Alert Action | Shows up in Dashboard | Developers see it (e.g., GitHub comment, CLI prints a warning) | Developers blocked (GitHub PR fails, CLI errors)
--- | --- | --- | ---
Block 🚫 | ✅ | ✅ | ✅
Warn ❗ | ✅ | ✅ | ❌
Monitor 👁️ | ✅ | ❌ | ❌
Ignore ➖ | ❌ | ❌ | ❌

Legend

  • Block 🚫: This action will fail the Socket CI/CD check, preventing the merge or deployment process until the issue is resolved. All related alerts will appear in the dashboard, developers will be notified, and further actions will be blocked.
  • Warn ❗: This action indicates a potential issue that should be reviewed. It will appear in the dashboard and notify developers through comments or warnings, but it will not block the development process.
  • Monitor 👁️: This action is used for tracking alerts that require monitoring over time. Alerts will be visible in the dashboard, but no notifications will be sent to developers, and it won't block any processes.
  • Ignore ➖: This action is set for low-priority alerts or informational notifications. The alerts will not show up in the dashboard, and there will be no notifications or blocks applied.

Note: All of our other supported alert types are set to Ignore in the three new policies and must be enabled explicitly.
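The following is an added example, not Socket's own code or API. It transcribes the two tables above into data and shows how the effective action for an alert is resolved: an Explicit Setting wins, otherwise the action is inherited from the chosen policy, and alert types the table does not list fall back to Ignore as the note states. It then applies a policy to a set of constructed scan findings to decide what reaches the dashboard, who is notified, and whether the CI check passes. The `explicit` dictionary shape, the `Finding` type and the package names are assumptions made for the example.

```python
"""Added example: resolving Socket-style alert policies (not Socket's own code)."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    BLOCK = "block"      # 🚫 dashboard + notify developers + fail CI
    WARN = "warn"        # ❗ dashboard + notify developers
    MONITOR = "monitor"  # 👁️ dashboard only
    IGNORE = "ignore"    # ➖ nothing


B, W, M, I = Action.BLOCK, Action.WARN, Action.MONITOR, Action.IGNORE

# Transcribed from the "Default Alert Actions" table on this page:
# alert type -> (Low Noise, Default, Higher Noise)
POLICY_TABLE = {
    "Known Malware": (B, B, B),
    "Critical CVE": (W, W, B),
    "Git Dependency": (I, W, B),
    "GitHub Dependency": (I, W, B),
    "HTTP Dependency": (I, W, B),
    "Possible Typosquat Attack": (I, W, W),
    "Protestware/Troll Package": (I, W, W),
    "Obfuscated File": (I, W, W),
    "Telemetry": (I, M, W),
    "Unpublished Package": (I, M, W),
    "Unpopular Package": (I, M, W),
    "Unstable Ownership": (I, M, W),
    "Deprecated": (I, M, W),
    "Shrinkwrap": (I, M, W),
    "High CVE": (M, M, W),
    "Medium CVE": (M, M, M),
    "Low CVE": (M, M, M),
    "Install Scripts": (I, I, M),
    "Unmaintained": (I, I, M),
    "Potential Vulnerability": (I, I, M),
    "AI-Detected Potential Malware": (I, I, M),
}
POLICY_INDEX = {"Low Noise": 0, "Default": 1, "Higher Noise": 2}

# From the "Alert Actions" table on this page:
# action -> (shows in dashboard, developers notified, developers blocked)
ACTION_EFFECTS = {
    B: (True, True, True),
    W: (True, True, False),
    M: (True, False, False),
    I: (False, False, False),
}


def resolve_action(alert_type, policy, explicit=None):
    """Effective action for one alert type under a policy.

    `explicit` (hypothetical shape: {alert type: Action}) models Explicit
    Settings, which always win. Otherwise the action is inherited from the
    chosen policy; unlisted alert types are Ignore, as the page's note says.
    """
    if explicit and alert_type in explicit:
        return explicit[alert_type]
    row = POLICY_TABLE.get(alert_type)
    if row is None:
        return I
    return row[POLICY_INDEX[policy]]


@dataclass(frozen=True)
class Finding:
    package: str      # constructed name, not a real package or advisory
    alert_type: str


def evaluate(findings, policy, explicit=None):
    """Apply a policy to scan findings and summarise what happens to each."""
    dashboard, notified, blocked = [], [], []
    for f in findings:
        show, notify, block = ACTION_EFFECTS[resolve_action(f.alert_type, policy, explicit)]
        if show:
            dashboard.append(f.package)
        if notify:
            notified.append(f.package)
        if block:
            blocked.append(f.package)
    return {"dashboard": dashboard, "notified": notified,
            "blocked": blocked, "ci_passes": not blocked}


# Constructed sample findings; package names are made up for the example.
SAMPLE_FINDINGS = [
    Finding("util-helpers", "Possible Typosquat Attack"),
    Finding("legacy-parser", "Critical CVE"),
    Finding("image-tools", "High CVE"),
    Finding("native-bindings", "Install Scripts"),
]

# An organisation that wants to keep warning on install scripts locks that in
# as an Explicit Setting, so switching policies does not change it.
LOCKED_IN = {"Install Scripts": W}

if __name__ == "__main__":
    for name in POLICY_INDEX:
        print(name, evaluate(SAMPLE_FINDINGS, name))
    print("Install Scripts under Low Noise with lock-in:",
          resolve_action("Install Scripts", "Low Noise", LOCKED_IN).value)
```

Running it shows the same four findings passing CI under Low Noise and Default (the critical CVE only warns) but failing under Higher Noise, where Critical CVE is Block; the locked-in Install Scripts action stays Warn under all three policies, which is the "Lock In Preferences" step described below.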

Changes in the New Default Policy

  • CVE Handling: Increased visibility for critical to low CVEs.
  • Supply Chain Risks: Adjusted alert actions to minimize unnecessary disruptions.
  • Quality and Maintenance: Expanded monitoring for potential issues like deprecated or unmaintained packages.

Action Steps for Organizations

  1. Review Changes: Understand how the new default policy affects your organization.
  2. Lock In Preferences: Set explicit actions for critical alerts to maintain current settings.
  3. Switch Between Policies: Choose between Low Noise, Default, or Higher Noise based on your team’s needs.

Transition to New Policies

  • Transition Period (August 14 - August 28, 2024): Organizations can review changes and lock in existing settings if needed.
  • New Policies Take Effect (August 28, 2024): Automatic update to the new default policy, with options to switch between the three new policies.

Socket’s update is designed to enhance security measures while providing flexibility and reducing alert fatigue. If you have any questions or need assistance, please reach out to Socket support.

For more detailed information on the Socket API and alert actions, visit the Socket Documentation.