Reachability Analysis
Socket SCA with Reachability Analysis allows you to safely disregard unreachable vulnerabilities and easily patch the ones that matter.
Socket SCA with Reachability Analysis allows you to safely disregard unreachable vulnerabilities and easily patch the ones that matter.
Key features
- Based on top-tier research.
- Scans direct and indirect dependencies.
- Works with any CI platform. No complex configurations. No agents required.
Before Socket = Overwhelming Noise
Traditional SCA tools do not distinguish between exploitable and unexploitable vulnerabilities. As a consequence, more than 80% of the vulnerabilities that developers are remediating are irrelevant and can be safely ignored.
After Socket = Clean Signal
Socket employs Reachability Analysis to eliminate more than 80% false positives. As a consequence, developers only need to remediate the remaining few vulnerabilities that are relevant.
Reachability Maturity Levels
Socket language ecosystems are classified into three maturity levels for Reachability Analysis.
The differences are as follows:
| Tier 3 (Module level reachability) | Tier 2 (Pre-computed reachability) | Tier 1 (Function level reachability) | |
|---|---|---|---|
| False positive reduction (varies between codebases) | Eliminate 10-20% false positives | Eliminate 60% false positives | Eliminate 80% false positives |
| Direct vs. Transitive | Identify reachable vulnerabilities in transitive dependencies. | Identify reachable vulnerabilities in transitive dependencies. | Identify reachable vulnerabilities in both direct and transitive dependencies. |
| Reachability | • Eliminates unreachable vulnerabilities at the module and file level. • Scans all dependency source code to determine which modules are imported/required. | • Eliminates unreachable vulnerabilities at a function level. | • Eliminates unreachable vulnerabilities at a source code level. • Pinpoint the exact locations in your code affected by reachable vulnerabilities. |
| Works out of the box | Yes. Works via all Socket integrations (API, CLI, Socket for GitHub, etc.) | Yes. Works via all Socket integrations (API, CLI, Socket for GitHub, etc.) | No, but easy to setup. Need to add a CLI command or GitHub Action to the repository. |
| Availability | Available for customers on the Free, Team, and Enterprise plans. | Available for customers on the Free, Team, and Enterprise plans. | Available for customers on the Enterprise plan. |
Reachability ecosystem support
| Ecosytem | Package manager | Tier 3 Reachability | Tier 2 Reachability | Tier 1 Reachability |
|---|---|---|---|---|
| JavaScript and TypeScript | npm, yarn, pnpm | ✅ | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Python | uv, pip, Poetry, Anaconda | ✅ | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Go | Go Modules | ✅ | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Java | Maven, Gradle | ✅ | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Ruby | Bundler | ✅ | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| .NET (C#, F#, Visual Basic) | Nuget, Paket | ✅ | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Scala | sbt, Maven, Gradle | ✅ | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
| Kotlin | Maven, Gradle | ✅ | 🚧 In Progress (Q2) | ⏳ Planned (Q3) |
Updated 7 days ago