Step 1

Install the Socket Security App from the GitHub Marketplace by visiting: github.com/apps/socket-security.

Step 2

Select the repositories you want to protect.

Step 3.

🥳

You’re done! There’s no step 3.

We told you this would be the easiest security product you ever installed!

Note on Merge Queues

If you're using a merge queue (such as GitHub Merge Queue or Graphite), GitHub does not send webhook events to installed apps (like Socket) when a merge queue completes. This means Socket does not automatically scan the updated default branch after a queued merge.

To ensure accurate scanning:
Add a GitHub Actions workflow to your repo that triggers a scan on every commit to your default branch. Create a file at:.github/workflows/socket-security-workflow.yml

name: socket-security-workflow
run-name: Socket Security Github Action
on:
  push:
    branches:
      - main
jobs:
  socket-security:
    permissions:
      contents: read  # This is enough to clone the repo and read files
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install Socket CLI
        run: pip install socketsecurity --upgrade
      - name: Run scan
        env:
          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
          GH_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
          COMMIT_SHA: ${{ github.sha }}  # Getting the commit SHA
        run: |
          socketcli --scm github --repo ${{ github.event.repository.name }} --branch "${{ github.ref_name }}" --default-branch --pr_number 0 --commit-sha "$COMMIT_SHA" --committer "$GITHUB_ACTOR" --commit_message "$COMMIT_MESSAGE" --target_path $GITHUB_WORKSPACE --disable-blocking

This ensures Socket stays in sync even when using merge queues.

What next?

You can always add or remove Socket from additional repositories by visiting the Socket Security app settings within GitHub.

When you install the GitHub app to your GitHub user account or organization, Socket will begin analyzing all pull requests for changes to manifest files associated with the various supported ecosystem. See Socket Ecosystem Support for information on the currently supported ecosystems and manifest files.

For each commit to the default branch with npm related dependency manifests, a project report will be generated, which lists all dependencies found in the project.

If a pull request contains a dependency change to npm or python dependency manifests that introduces any of the following issues, a comment will be created in the pull request that includes more details about the change.