Install the App
Socket is quick and easy to install.
- Takes 2 minutes to install
- Very minimal permissions
- Does not use write permissions
- Never uploads your source code
- The easiest security product you’ve ever installed! ✨
Step 1
Install the Socket Security App from the GitHub Marketplace by visiting: github.com/apps/socket-security.
Step 2
Select the repositories you want to protect.
Step 3
🥳
You’re done! There’s no step 3.
We told you this would be the easiest security product you ever installed!
Note on Merge Queues
If you're using a merge queue (such as GitHub Merge Queue or Graphite), GitHub does not send webhook events to installed apps (like Socket) when a merge queue completes. This means Socket does not automatically scan the updated default branch after a queued merge.
To ensure accurate scanning:
Add a GitHub Actions workflow to your repo that triggers a scan on every commit to your default branch. Create a file at: .github/workflows/socket-security-workflow.yml
name: socket-security-workflow
run-name: Socket Security Github Action
on:
  push:
    branches:
      - main
jobs:
  socket-security:
    permissions:
      contents: read # This is enough to clone the repo and read files
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install Socket CLI
        run: pip install socketsecurity --upgrade
      - name: Run scan
        env:
          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
          GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
          COMMIT_SHA: ${{ github.sha }} # Getting the commit SHA
        run: |
          socketcli --scm github --repo ${{ github.event.repository.name }} --branch "${{ github.ref_name }}" --default-branch --pr_number 0 --commit-sha "$COMMIT_SHA" --committer "$GITHUB_ACTOR" --commit_message "$COMMIT_MESSAGE" --target_path "$GITHUB_WORKSPACE" --disable-blocking
This ensures Socket stays in sync even when using merge queues.
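The workflow above passes the commit message to socketcli through env: and reads it as "$COMMIT_MESSAGE" at runtime instead of writing ${{ github.event.head_commit.message }} straight into the run: script. The following checker, an added example that is not part of Socket's documentation or tooling, shows why that matters: it walks a workflow's run: scripts and flags ${{ }} expressions that interpolate attacker-controllable fields (the field list and the sample workflow are assumptions constructed for the example).

```python
import re

# Expression contexts whose text is attacker-controllable (commit messages,
# PR titles/bodies, fork branch names). Illustrative list, not exhaustive.
UNTRUSTED = re.compile(
    r"github\.event\.(head_commit\.message|commits\[\d+\]\.message|pull_request\."
    r"(title|body|head\.ref|head\.label)|issue\.(title|body)|comment\.body)|github\.head_ref")
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

def run_script_lines(workflow_text):
    """Return (line_no, text) for every line that becomes part of a step's shell script:
    an inline `run: cmd`, or each body line of a `run: |` block (indented deeper than the key)."""
    out, lines, i = [], workflow_text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        key_indent, rest = len(m.group(1)), m.group(2).strip()
        i += 1
        if rest and rest[0] not in "|>":
            out.append((i, rest))  # inline script on the same line
            continue
        while i < len(lines) and (not lines[i].strip() or
                                  len(lines[i]) - len(lines[i].lstrip()) > key_indent):
            out.append((i + 1, lines[i]))
            i += 1
    return out

def find_inline_untrusted(workflow_text):
    """Flag `${{ }}` expressions inside run scripts that carry untrusted input:
    they are substituted before the shell parses the script, so a crafted commit
    message becomes shell syntax. Reading the value from `env:` at runtime, as
    the page's workflow does for COMMIT_MESSAGE, keeps it inert data."""
    return [(n, e) for n, text in run_script_lines(workflow_text)
            for e in EXPR.findall(text) if UNTRUSTED.search(e)]

# Constructed sample: step "safe" mirrors the env-based pattern, step "unsafe" inlines the expression.
SAMPLE_WORKFLOW = """\
steps:
  - name: safe
    env:
      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
    run: |
      socketcli --commit_message "$COMMIT_MESSAGE"
  - name: unsafe
    run: echo "${{ github.event.head_commit.message }}"
"""
```

Running find_inline_untrusted(SAMPLE_WORKFLOW) reports only the "unsafe" step's line; the env-based step produces no finding.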
What next?
You can always add or remove Socket from additional repositories by visiting the Socket Security app settings within GitHub.
When you install the GitHub app on your GitHub user account or organization, Socket will begin analyzing all pull requests for changes to manifest files associated with the various supported ecosystems. See Socket Ecosystem Support for information on the currently supported ecosystems and manifest files.
For each commit to the default branch with npm related dependency manifests, a project report will be generated, which lists all dependencies found in the project.
If a pull request contains a dependency change to npm or Python dependency manifests that introduces any of the following issues, a comment will be created in the pull request that includes more details about the change.
Feel free to read up on how you can ignore dependencies and configure Socket for GitHub: