Install the GitHub App

Introduction to Socket for GitHub

Socket watches for changes to “package manifest” files such as package.json, package-lock.json, and yarn.lock. Whenever a new dependency is added in a pull request, Socket analyzes the package's behavior and leaves a comment if it is a security risk.

Socket for GitHub doesn't require a large documentation set to use or understand, but we do have a few points of configuration that may be useful. If you have additional questions or comments, please see our FAQ.

Install Socket for GitHub

You can install the Socket GitHub app by visiting

You can install it either to all your repositories or to a subset that you select.

When you install the GitHub app to your GitHub user account or org, Socket will begin recursively scanning any pull request activity for changes to the following dependency files:

For each head commit in a pull request that contains npm-related dependency files, a project report is generated listing all dependencies found in the project.

If the pull request contains a dependency change that introduces any of the following issues, a comment will be created in the pull request that includes more details about the change.

What’s Next

Feel free to read up on how you can ignore dependencies and configure Socket for GitHub:
