Socket Permissions

Socket is designed to work without the need to analyze, upload, or share your source code.

The only files we collect from your repository are dependency manifests, lockfiles, and related configuration files — collectively called the dependency snapshot. We use the dependency snapshot to determine the packages used by your repository, perform our open source risk analysis, and produce a report.
We never read, collect, or analyze your source code. Although the GitHub App requests read and write access to repository contents, this is solely because GitHub's permissions model does not support granting access to specific file patterns and because Socket needs write access to create Socket Patches in pull requests. We use read access only to retrieve the file tree listing (names and paths) and then download only the specific dependency manifest, lockfile, and related configuration file types listed below. All other files are filtered out before any content is fetched. Socket Patches are based on dependency data, not your source code; write access is used to create pull requests that present patch changes for review.

GitHub App permissions

Socket for GitHub requests the following permissions:

Repository permissions

Permission	Access	Why Socket needs it
Checks	Read and write	Create and update Socket check runs on commits and pull requests.
Contents	Read and write	Read dependency manifests, lockfiles, and related configuration files for analysis. Write access is required to create pull requests that present Socket Patch changes for review.
Issues	Read	Read pull request bot commands in comments and report Socket results in pull request comment threads.
Merge queues	Read	Read merge queue information so Socket can report results for merge queue events.
Metadata	Read	Required by GitHub for all GitHub Apps. Used to identify repositories and basic repository metadata.
Pull requests	Read and write	Read pull request metadata and update pull requests with Socket results. Write access is required to open or update pull requests that present Socket Patch changes for review.

Organization permissions

Permission	Access	Why Socket needs it
Members	Read	Read organization membership information for account and organization access workflows.

Account permissions

Permission	Access	Why Socket needs it
Email addresses	Read	Read email addresses associated with a GitHub account for account identification and access workflows.

Enterprise permissions

Socket for GitHub does not request any enterprise permissions.

Files collected by ecosystem

Ecosystem	Files
npm	`package.json`, `package-lock.json`, `npm-shrinkwrap.json`, `yarn.lock`, `pnpm-lock.yaml`/`.yml`, `pnpm-workspace.yaml`/`.yml`, `rush.json`
Python (PyPI)	`pyproject.toml`, `poetry.lock`, `uv.lock`, `pylock.toml`/`pylock..toml`, `Pipfile`, `Pipfile.lock`, `setup.py`, `PKG-INFO`, `METADATA`, `requirements.frozen`, `requirements.bazel.txt`, `requirements.lock`, `requirements.bazel.lock`, `requirements.txt` (and variants like `dev-requirements.txt`, `requirements/.txt`)
Java (Maven/Gradle)	`pom`, `pom.xml`, `-.pom`, `-.pom.xml`, `.gradle`, `.gradle.kts`, `gradle.lockfile`, `.mvn/maven.config`, `libs.versions.toml`, `build.sbt`, `ivy.xml`, `project.clj`, `Buildfile`, `maven_install.json`, `*_maven_install.json`
Go	`go.mod`, `go.sum`
Ruby (RubyGems)	`Gemfile`, `Gemfile.lock`
Rust (Cargo)	`Cargo.toml`, `Cargo.lock`
.NET (NuGet)	`.sln`, `.proj`, `.nuspec`, `.props`, `.targets`, `.projitems`, `packages.config`, `packages..config`, `packages.lock.json`
PHP (Composer)	`composer.json`, `composer.lock`
Swift	`Package.swift` (including version-specific variants like `[email protected]`), `Package.resolved`
Chrome extensions	`manifest.json`
SBOM formats	CycloneDX (`bom.json`, `bom.xml`, `cdx.json`, `cdx.xml`, `cyclonedx.json`, `cyclonedx.xml`, and variants like `-cdx.json` or `.cyclonedx.xml`), SPDX (`.spdx.json`, `-spdx.json`)
GitHub Actions	`.github/workflows/*.yml`/`.yaml`, `.github/workflow.yml`/`.yaml`, `action.yml`/`.yaml`
Socket	`*.socket.facts.json`