Socket CLI FAQ

Does this run locally on my computer?

The CLI itself runs locally, but it works by uploading your dependency manifest files to Socket for analysis.

  • Socket is designed to work without the need to analyze, upload, or share your source code.
  • The only data we collect from your repository is the package.json file and associated lockfiles such as package-lock.json and yarn.lock, which we call the dependency snapshot.
  • We use the dependency snapshot to determine the list of packages used by your repository, perform our open source risk analysis, and produce a report.

If so, why is a GitHub account required for this to function?

The GitHub account requirement is a limitation of our account system at the moment: every report you generate must be tied to a Socket organization, and currently the only way to create a Socket organization is to install our GitHub integration into a GitHub organization.

We plan to lift this limitation in the future. You can track this roadmap item in our public feedback tracker.

Can I look at reports locally on the computer?

At the moment the only way to view reports locally is to view them as JSON. You can run socket report view REPORT_ID --json to access a report.

Alternatively, to create and view a report in a single command, you can run socket report create . --view --json. This has the advantage that the command waits until the report has finished generating before it prints the JSON and exits, so the output you get is the complete report.
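The following script is an added example, not part of the Socket CLI or its documentation. It ties together the two points above: the dependency snapshot (package.json plus lockfiles) is the only data sent to Socket, so it is worth recording exactly which files leave the machine, and socket report create with --view --json is the way to get a finished report as JSON in one step. It assumes the manifest list named in this FAQ (package.json, package-lock.json, yarn.lock) is the full set of uploaded files, which may be incomplete for other package managers, and it uses python3 only as a local JSON sanity check on the saved output.

```shell
#!/bin/sh
# Added example (not Socket's own code). Assumption: the snapshot file
# names below are the ones this FAQ lists; the CLI may read others.

# Print each snapshot file (the data the FAQ says is uploaded) with its
# SHA-256, so the operator has a record of exactly what was sent.
# node_modules is skipped: vendored manifests are not the project's own.
list_snapshot() {
  dir="${1:-.}"
  find "$dir" -path '*/node_modules' -prune -o \
    \( -name package.json -o -name package-lock.json -o -name yarn.lock \) \
    -type f -print | sort | while read -r f; do
      # sha256sum on GNU/Linux, shasum -a 256 on macOS
      if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$f" | cut -d' ' -f1)
      else
        sum=$(shasum -a 256 "$f" | cut -d' ' -f1)
      fi
      printf '%s  %s\n' "$sum" "$f"
  done
}

# Number of snapshot files under a directory; used to refuse an empty run.
snapshot_count() {
  list_snapshot "$1" | wc -l | tr -d ' '
}

# Create the report and block until it is generated (--view), writing the
# JSON to "$2". Without --view the CLI returns a report ID immediately and
# the report itself is only generated lazily when it is first viewed.
create_report_json() {
  dir="${1:-.}"
  out="${2:-socket-report.json}"
  if [ "$(snapshot_count "$dir")" -eq 0 ]; then
    echo "no package.json or lockfile under $dir; nothing to upload" >&2
    return 1
  fi
  echo "uploading the following dependency snapshot:" >&2
  list_snapshot "$dir" >&2
  socket report create "$dir" --view --json > "$out" || return 1
  # Sanity check that what was saved is complete, parseable JSON
  # (a partial write or an error message on stdout would fail here).
  python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$out"
}

# Usage: create_report_json . socket-report.json
```

Run list_snapshot on its own first if you only want to see what would be uploaded; create_report_json prints the same list to stderr before calling the CLI, then stops with a non-zero exit if the CLI fails or the saved file is not valid JSON.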

When I run a report locally, the execution is immediate but the report does not load in the UI. Is there a background job running that I am waiting for before the report is ready?

Yes. When you run socket report create without the --view option, a report ID is created and returned right away, but the report itself is generated lazily the first time it is viewed. If you need the finished result, for example in a CI step, pass --view so the command waits for generation to complete.