Security Policy (Default Enabled Alerts)

These are the default set of Enabled Alerts

Introduction

Socket's security policy is designed to help organizations manage and mitigate supply chain risks by automatically blocking or warning about potential threats. By default, Socket enables a set of alerts that are critical to maintaining the integrity and security of your codebase. These default alerts are carefully selected to minimize noise and ensure that only significant issues are brought to attention.

Disabling the default issues Socket enables is not recommended without careful consideration.

Security Policy

Default Enabled Alerts

Socket by default will show alerts that are likely not noise. The following are the default enabled alerts categorized by action "Block":

Block 🚫

AlertAlert InfoCategorySeverityActionLink
Install ScriptsInstall scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.Supply Chain RiskHighBlock the package immediately. Notify the team and stakeholders. Investigate usage in the codebase and remove or replace the package.Link
Bin Script Shell InjectionThis package re-exports a well-known shell command via an npm bin script. This is possibly a supply chain risk.Supply Chain RiskHighReview the shell script for any signs of injection vulnerabilities. Block the package temporarily until a thorough review is conducted.Link
Unresolved RequirePackage imports a file which does not exist and may not work as is.QualityCriticalBlock the package. Notify the team to review and resolve the issue.Link
HTTP DependencyContains a dependency which resolves to a remote HTTP URL which could be used to inject untrusted code and reduce overall reliability.Supply Chain RiskCriticalBlock the package immediately. Review the dependency to ensure its integrity.Link
Git DependencyContains a dependency which resolves to a GitHub URL. Dependencies fetched from GitHub specifiers are not immutable.Supply Chain RiskCriticalBlock the package. Ensure dependencies are fetched from reliable sources or pinned to specific versions.Link
Possible Typo Squat AttackPackage name is similar to other popular packages and may not be the package you want.Supply Chain RiskCriticalBlock the package. Verify the package name and replace if confirmed as a typo squat.Link
Known MalwareThis package is malware. We have asked the package registry to remove it.Supply Chain RiskCriticalBlock the package immediately. Investigate and remove or replace the package.Link
TelemetryThis package contains telemetry which tracks how it is used.Supply Chain RiskHighBlock the package. Review the data being tracked and ensure compliance with privacy policies.Link
Protestware or Potentially Unwanted BehaviorThis package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.Supply Chain RiskHighBlock the package. Examine functionality and replace if behavior is confirmed.Link
AI Detected Potential MalwareAI has identified this package as malware. This is a strong signal that the package may be malicious.Supply Chain RiskHighBlock the package temporarily. Conduct a manual code review and confirm with the security team.Link

Legend

  • Block 🚫: Immediate action is required. The package poses a significant security risk and should be blocked from use.
  • Warn ⚠️: Prompt attention is required. The package has potential issues that should be reviewed and addressed.
  • Monitor πŸ‘οΈ: Regular monitoring is required. The package has known issues that should be tracked over time.
  • Ignore ❌: Low priority or informational alerts. The package issues can be noted but do not require immediate action.
Alert ActionShows up in DashboardDevelopers see it (e.g. GitHub comment, CLI prints a warning)Developers blocked (GitHub PR fails, CLI errors)
Ignore❌❌❌
Monitorβœ…βŒβŒ
Warnβœ…βœ…βŒ
Blockβœ…βœ…βœ…

Customizing Security Policies

Organizations can adjust these default settings to meet their specific needs using the Socket dashboard. For more granular per-repository settings, the socket.yml file can be used to customize the security policies.

See: socket.yml.

Conclusion

Maintaining the default set of enabled alerts ensures your codebase is protected against common and critical security risks. Customizing the alerts should be done with caution to avoid missing potential threats. For detailed instructions on customizing your security policies and managing alerts, contact the Socket Customer Success team.

For more information, visit the Socket Documentation.