Reachability Analysis

Socket SCA with Reachability Analysis allows you to safely disregard unreachable vulnerabilities and easily patch the ones that matter.

Key features

  • Based on top-tier research.
  • Scans direct and indirect dependencies.
  • Works with any CI platform. No complex configurations. No agents required.

Before Socket = Overwhelming Noise

Traditional SCA tools do not distinguish between exploitable and unexploitable vulnerabilities. As a consequence, more than 80% of the vulnerabilities that developers remediate are irrelevant and could be safely ignored.

After Socket = Clean Signal

Socket employs Reachability Analysis to eliminate more than 80% of false positives. As a consequence, developers only need to remediate the few remaining vulnerabilities that are relevant.

Reachability Maturity Levels

Socket language ecosystems are classified into three maturity levels for Reachability Analysis.

The differences are as follows:

| | Tier 3 (Module level reachability) | Tier 2 (Pre-computed reachability) | Tier 1 (Function level reachability) |
|---|---|---|---|
| False positive reduction (varies between codebases) | Eliminates 10-20% of false positives | Eliminates 60% of false positives | Eliminates 80% of false positives |
| Direct vs. transitive | Identifies reachable vulnerabilities in transitive dependencies. | Identifies reachable vulnerabilities in transitive dependencies. | Identifies reachable vulnerabilities in both direct and transitive dependencies. |
| Reachability | Eliminates unreachable vulnerabilities at the module and file level. Scans all dependency source code to determine which modules are imported/required. | Eliminates unreachable vulnerabilities at a function level. | Eliminates unreachable vulnerabilities at a source code level. Pinpoints the exact locations in your code affected by reachable vulnerabilities. |
| Works out of the box | Yes. Works via all Socket integrations (API, CLI, Socket for GitHub, etc.). | Yes. Works via all Socket integrations (API, CLI, Socket for GitHub, etc.). | No, but easy to set up: add a CLI command or GitHub Action to the repository. |
| Availability | Available for customers on the Free, Team, and Enterprise plans. | Available for customers on the Free, Team, and Enterprise plans. | Available for customers on the Enterprise plan. |
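As an added illustration (not Socket's code), the toy analysis below runs over a constructed Python dependency tree and shows why module-level and function-level reachability give different verdicts for the same advisory: the vulnerable module `webkit.parser` is imported by reachable code, so a module-level (Tier 3) check flags it, while a function-level check sees that `parse_unsafe` is never called and discards it. The module names, sources and the advisory are all constructed for the example.

```python
import ast
from collections import deque
# Constructed sample sources keyed by module name; "app" is the first-party root.
SOURCES = {
    "app": "import webkit.router\nwebkit.router.dispatch('/')\n",
    "webkit.router": "from webkit import parser\ndef dispatch(p):\n    return parser.parse_safe(p)\n",
    "webkit.parser": "def parse_safe(p):\n    return p\ndef parse_unsafe(p):\n    return eval(p)\n",
    "webkit.legacy": "from webkit.parser import parse_unsafe\n",  # never imported by anyone
}
# Hypothetical advisory (constructed, not a real CVE): parse_unsafe in webkit.parser.
ADVISORY = {"module": "webkit.parser", "function": "parse_unsafe"}

def imported_modules(src):
    """Modules named by import / from-import statements that exist in SOURCES."""
    mods = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            mods.update(a.name for a in node.names)
        elif isinstance(node, ast.ImportFrom):
            base = node.module or ""
            mods.add(base)
            mods.update(f"{base}.{a.name}" for a in node.names)  # "from pkg import submodule"
    return {m for m in mods if m in SOURCES}

def reachable_modules(root="app"):
    """Tier 3 view: breadth-first walk of the import graph from the root."""
    seen, todo = {root}, deque([root])
    while todo:
        for m in imported_modules(SOURCES[todo.popleft()]) - seen:
            seen.add(m)
            todo.append(m)
    return seen

def called_names(modules):
    """Tier 1/2 view (simplified to bare names): every function called in reachable code."""
    names = set()
    for m in modules:
        for node in ast.walk(ast.parse(SOURCES[m])):
            if isinstance(node, ast.Call):
                f = node.func
                names.add(f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None))
    return names

def module_reachable(adv=ADVISORY):
    """Module-level verdict: flags the advisory whenever the module is imported at all."""
    return adv["module"] in reachable_modules()

def function_reachable(adv=ADVISORY):
    """Function-level verdict: additionally requires a call to the vulnerable function."""
    return module_reachable(adv) and adv["function"] in called_names(reachable_modules())
```

The name-based call check is a deliberate simplification; a production analysis resolves calls to their defining module so that an unrelated function with the same name does not count as a hit.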

Reachability ecosystem support

| Ecosystem | Package manager | Tier 3 Reachability | Tier 2 Reachability | Tier 1 Reachability |
|---|---|---|---|---|
| JavaScript and TypeScript | npm, yarn, pnpm | | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Python | uv, pip, Poetry, Anaconda | | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Go | Go Modules | | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Java | Maven, Gradle | | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Ruby | Bundler | | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| .NET (C#, F#, Visual Basic) | NuGet, Paket | | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Scala | sbt, Maven, Gradle | | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Kotlin | Maven, Gradle | | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |