Organization Alerts

Introduction

Socket's Organizational Alerts feature is designed to provide comprehensive security monitoring and alerting across all repositories within an organization. This powerful tool helps you identify and address potential security risks in real-time, ensuring your software supply chain remains secure.

Overview of Organizational Alerts

Organizational Alerts in Socket provide a centralized view of security alerts detected across your organization's repositories. This feature is designed to help DevSecOps teams prioritize and manage security concerns efficiently, ensuring that critical vulnerabilities and risks are addressed promptly. This documentation will guide you through the features and functionalities of Organizational Alerts and how they can be leveraged to maintain a secure codebase.

Organizational Alerts Dashboard

Accessing Organizational Alerts

To access Organizational Alerts, navigate to the 'Alerts' section in the Socket dashboard. Here, you will find a summary of the alerts detected across all repositories, categorized by severity.

Features of Organizational Alerts

Centralized Alert Management

Organizational Alerts aggregate security alerts from all repositories within your organization, providing a comprehensive overview of potential risks. This centralized view helps streamline the process of identifying and addressing security issues.

The alerts are categorized by severity—Critical, High, Medium, and Low—enabling your team to prioritize response efforts effectively. Critical alerts, such as known malware or critical CVEs, are highlighted to ensure immediate attention.

Interactive Dashboard

The interactive dashboard displays a visual representation of alerts, making it easier to understand the distribution and severity of security issues across your repositories. You can filter alerts by repository, ecosystem, severity, category, type, and dependency to focus on specific areas of concern.

How Organizational Alerts Help DevSecOps Teams

Prioritizing Critical Issues

The ability to filter and categorize alerts by severity allows DevSecOps teams to focus on addressing the most critical security concerns first, such as known malware and critical CVEs. This ensures that the most significant risks are mitigated promptly.

Enhancing Security Posture

By utilizing the Block action for high-confidence and severe issues, organizations can prevent potentially harmful code from being merged into the codebase. This proactive approach helps maintain a robust security posture.

Streamlining Alert Management

The interactive dashboard and comprehensive alert management features streamline the process of identifying, triaging, and addressing security issues. This helps teams stay organized and ensures that no critical alerts are overlooked.

Visual Representation of Organizational Alerts

Organizational Alerts Dashboard

The dashboard provides a visual representation of the alerts detected within the default branch of your organization's repositories. You can customize your Security Policy to specify which alert types your organization should be notified about. Ignored alert types are hidden by default from the alert table view.

Populating Organizational Alerts

Organizational Alerts are an essential feature for monitoring the security and integrity of your projects. When enabling Socket, it is important to note that scans for all repositories do not occur immediately. Socket currently does not initiate a scan until there is a commit or a pull request (PR) containing manifest files that Socket supports. For instance, if there is a PR where files like package-lock.json, requirements.txt, or other supported manifest files are present, a scan will automatically be performed.

To have results show up for the repositories, you need to make a new commit or PR with any supported manifest files. This action will trigger scans to be populated for the repositories.

Currently, Org Alerts are not populated unless a PR is merged into the default branch, which is configured in GitHub. Once this happens, it can take 15 minutes to an hour for the Org Alerts to populate.

Please note the following conditions under which Organizational Alerts are populated:

PR Merges into the Default Branch

Organizational Alerts will only populate once a pull request (PR) has been merged into the default branch. This ensures that alerts are relevant to the current state of your codebase.

Full Scan API Usage

Alternatively, Organizational Alerts can be populated using the Full Scan API. For this to happen, the scan must be marked with the parameters make_default_branch and set_as_pending_head. This approach allows for more immediate and comprehensive scanning results to be reflected in your Organizational Alerts.

By adhering to these conditions, you can ensure that your Organizational Alerts provide the most accurate and up-to-date information regarding the security status of your organization’s projects.

Severity Categories

Organizational Alerts are categorized into four severity levels to help you prioritize response efforts:

  • Critical: Immediate action required to prevent significant security risks.
  • High: Prompt attention required for potential serious issues.
  • Medium: Regular monitoring recommended for known issues.
  • Low: Informational alerts that do not require immediate action.

Managing Alerts

Socket provides various alert actions to manage alerts effectively. These actions include: Block, Warn, Monitor, and Ignore.

  • Block 🚫: Immediately block the package from use. Critical alerts like known malware and potential typo squats should be blocked to prevent security breaches.
  • Warn ⚠️: Notify the team to review the package. High-risk alerts like telemetry and protestware are flagged for review.
  • Monitor 👁️: Track the package over time without immediate action. Medium risk alerts such as environment variable access and filesystem access are monitored for changes.
  • Ignore ❌: Ignore the alert if it is deemed low priority or informational.

Example Alerts and Actions

These actions allow you to tailor the handling of each alert type according to its severity and impact on your project.

Block 🚫

AlertCategorySeverityActionLink
Known MalwareSupply Chain RiskCriticalBlock immediately. Notify the team.Learn more
Potential Typo SquatSupply Chain RiskCriticalVerify and block. Notify the team.Learn more

Warn ⚠️

AlertCategorySeverityActionLink
TelemetrySupply Chain RiskHighReview data tracking. Notify the team.Learn more
ProtestwareSupply Chain RiskHighExamine and replace if necessary.Learn more

Monitor 👁️

AlertCategorySeverityActionLink
Environment Variable AccessSupply Chain RiskMediumMonitor and ensure safe usage.Learn more
Filesystem AccessSupply Chain RiskMediumMonitor for unusual activity.Learn more

Ignore ❌

AlertCategorySeverityActionLink
Non-existent AuthorSupply Chain RiskMediumInvestigate and monitor usage.Learn more
Minified CodeQualityLowReview source if possible.Learn more

Customizing Security Policies

Organizations can customize their security policies to tailor alert actions according to their specific needs. This can be done through the dashboard for granular control at the repository level.

Using the Dashboard

To customize your security policy using the dashboard:

  1. Navigate to the 'Security Policy' section.
  2. Select the alerts you wish to modify.
  3. Choose the desired action (Block, Warn, Monitor, Ignore).

Example of a Socket Dependency Overview Comment

This is an example of a Socket Dependency Overview comment. The dependency overview comments appear where there is either a new dependency, an updated dependency that adds new capabilities, or there are removed dependencies. This type of comment is an informational type to provide additional insight into what your dependencies are adding in. For example, you might want to look at why a simple parser might be adding in network or shell capabilities when you aren't expecting it. You can follow the links for the capabilities and we try to highlight right in the code where this detection was. Socket's goal is to do the scanning and evaluation of the packages for you so that you don't need to read every line of code for direct or transitive dependencies.

Example of a Socket Security Issue Comment

This screenshot is of a Socket Security Issue comment. When there are items that the Security Team has added to the Warn or Block security policies within Socket it will trigger these types of comments. Warn Alerts will comment on the PR but will not fail the Socket Security: Pull Request Alerts check. Block Alerts will comment on the PR and WILL fail the Socket Github check. If there are branch protection rules configured for the repository that either all checks must pass or specifically the Socket Pull Request Alert then the merge would be blocked. If this branch protection rule is not configured then it is possible to still merge.

Conclusion

Socket's Organizational Alerts provide a robust framework for securing your software supply chain. By leveraging the power of real-time alerts, severity-based categorization, and customizable security policies, you can proactively manage risks and ensure the integrity of your codebase.

For more detailed information, visit the Socket Blog on Organizational Alerts.


This documentation is designed to help you navigate and utilize Socket's Organizational Alerts effectively. Should you have any further questions or need assistance, please feel free to contact our support team.