What permissions does Socket for GitHub require?

Socket is designed to work without the need to analyze, upload, or share your source code.

  • The only data we collect from your repository is the package.json file and associated lockfiles such as package-lock.json and yarn.lock, which we call the dependency snapshot.

  • We use the dependency snapshot to determine the list of packages used by your repository, perform our open source risk analysis, and produce a report.

To support mono-repos and projects which have multiple manifest files (e.g. package.json) located in nested folders, e.g. foo/package.json or bar/package.json, Socket for GitHub requests read access to all code in the repository. We're currently working with GitHub to improve their permissions model so we can reduce the required permissions to just read access to a glob pattern like **/package.json.