The CLI itself runs locally, but it works by uploading your dependency manifest files to Socket for analysis.
- Socket is designed to work without the need to analyze, upload, or share your source code.
- The only data we collect from your repository is the `package.json` file and associated lockfiles such as `yarn.lock`, which we call the dependency snapshot.
- We use the dependency snapshot to determine the list of packages used by your repository, perform our open source risk analysis, and produce a report.
The GitHub account requirement is just a limitation of our account system at the moment. Basically, all reports that you generate need to be tied to a Socket organization and, at the moment, the only way to create a Socket organization is by installing our GitHub integration into a GitHub organization.
We plan to lift this limitation in the future. You can track this roadmap item in our public feedback tracker here.
At the moment the only way to view reports locally is to view them as JSON. You can run `socket report view REPORT_ID --json` to access a report.
Alternatively, to create and view a report in a single command, you can use `socket report create . REPORT_ID --view --json`. This command has the advantage that it waits until the report has finished generating before it outputs the JSON and exits.
When I run a report locally, the execution is immediate but the report does not load in the UI. Is there a background job running that I am waiting for before the report is ready?
Yes, when using `socket report create` (without the `--view` option) the report ID is created and returned to you right away. The report is actually generated lazily when you go to view it.
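The following POSIX shell script is an added example, not part of Socket's documentation or CLI. It ties the two points above together: first it lists the dependency-snapshot files under a directory so you can confirm what would be uploaded (only manifests and lockfiles, never source), then it runs `socket report create` with `--view --json` so the CLI blocks until the lazily generated report is ready and saves the JSON to a file. The page names only `package.json` and `yarn.lock`; treating `package-lock.json` and `pnpm-lock.yaml` as part of the snapshot is an assumption made here, as is the `socket` binary being on `PATH` and accepting the directory as its first argument.

```shell
#!/usr/bin/env sh
# Added example: a pre-flight check and wrapper around the Socket CLI.
# Not part of Socket's own code or docs.

# Manifest/lockfile names that make up the "dependency snapshot".
# package.json and yarn.lock come from the page; the other two are an
# assumption about how the CLI treats npm and pnpm lockfiles.
SNAPSHOT_NAMES="package.json package-lock.json yarn.lock pnpm-lock.yaml"

# Print every snapshot file under DIR (default: .), one path per line,
# skipping node_modules. Review this list before anything is uploaded.
list_snapshot_files() {
  dir=${1:-.}
  for name in $SNAPSHOT_NAMES; do
    find "$dir" -name node_modules -prune -o -type f -name "$name" -print
  done | sort
}

# Create a report for DIR and write the finished JSON to OUT.
# --view makes the CLI wait for generation to complete before printing,
# so the file is complete when this function returns. Assumes `socket`
# is installed and on PATH.
create_report_json() {
  dir=${1:-.}
  out=${2:-socket-report.json}
  socket report create "$dir" --view --json > "$out"
  printf '%s\n' "$out"
}

# Usage: sh snapshot-report.sh run [DIR]
if [ "${1:-}" = "run" ]; then
  echo "Dependency snapshot files that will be uploaded:"
  list_snapshot_files "${2:-.}"
  create_report_json "${2:-.}"
fi
```

Run it with `sh snapshot-report.sh run .` inside the repository; the first block of output is the exact set of files that leave the machine, and `socket-report.json` holds the report once `--view` has waited for generation to finish.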