Documentation

Scans

Suggest Edits

Introduction

The **Scans section in Socket provides a centralized view of all scans run within your organization across GitHub, API, and CLI sources. Each scan captures the state of your repositories and surfaces alerts related to supply chain risks, vulnerabilities, license violations, and more.

1. Accessing Scans

  • Navigate to the Scans section from the left sidebar of the Socket dashboard.
  • The main Scans page lists all completed scans across repositories.

2. Scan List Details

Each row in the scan list includes:

  • Ran At: Timestamp of when the scan was performed.
  • Repository: Repository name associated with the scan.
  • Branch: The branch that was scanned.
  • Pull Request: If applicable, PR identifier linked to the scan.
  • Commit: The commit that triggered the scan.

3. Scan Details

Clicking on a scan entry opens the detailed view. Tabs include:

  • Alerts: Shows categorized alerts.
  • Dependencies: Lists packages analyzed.
  • Files: Displays scanned files and metadata.

Example:

4. Understanding Alerts

  • Alerts are categorized based on severity, with the following levels: Critical, High, Medium, and Low.
  • Alert Priority: Socket’s internal signal about how relevant this alert is to the org (based on reachability, triage, etc).
  • Alert Type: e.g. Known Malware, Critical CVE, Supply Chain Risk, etc.
  • Scope: e.g. Direct vs Transitive dependency.

Example of Alerts:

5. Dependency Analysis

The Dependencies tab provides a comprehensive list of all dependencies associated with the scan, highlighting potential issues such as:

  • Scope: Direct vs transitive.
  • Version detected.
  • Associated alert counts and types.

Example:

6. Files

The Files tab provides a list of files used within the repository. You can select individual files to view the contents.

Example:

Files

7. Artifact Details

Each artifact in the scan is detailed with information such as:

  • Ecosystem: The environment (e.g., npm, PyPI) the artifact belongs to.
  • Artifact Name: The specific name and version of the artifact.
  • Category: The type of risk associated (e.g., Supply chain risk).
  • Scores: Various metrics such as supply chain security, quality, maintenance, vulnerabilities, and license compliance.

Example:

By utilizing the Scans feature in Socket, you can maintain a secure and efficient development workflow, ensuring all dependencies and components are continuously monitored and evaluated for potential risks.

Updated about 1 month ago