Optional Socket GitHub App configuration file

You can optionally configure the Socket GitHub app and CLI by adding a socket.yml file to the root of your repo.

# top level version field is required
version: 2

  - ignored-folder
  - foo/bar/package.json

  unresolvedRequire: false

  enabled: true # enable/disable the GitHub app entirely
  pullRequestAlertsEnabled: true # enable/disable GitHub app pull request alert checks
  dependencyOverviewEnabled: true # enable/disable GitHub app dependency overview comments in pull request alerts.
  projectReportsEnabled: true # enable/disable Github app project report checks
  ignoreUsers: ["aBotOnGitHub"]



The socket.yml file is only supported in the root of your repo and with no other file extensions than the .yml one.


All fields listed here are optional.


The projectIgnorePaths key is an array of strings that are used to ignore folders or files.

The individual strings in the projectIgnorePaths array work like .gitignore patterns.

The following patterns are always included in the ignore array by default:

  • node_modules
  • .yarn


issueRules is a map of issue names from Socket's Issues page that allows you to enable or disable issue alerts in your pull requests. Issues are identified by the url slug of the corresponding issue page. The default issues map looks like this:

  didYouMean: true
  installScripts: true
  telemetry: true
  troll: true
  malware: true
  hasNativeCode: true
  shellScriptOverride: true
  gitDependency: true
  httpDependency: true
  invalidPackageJSON: true
  unresolvedRequire: true

You can disable issue by setting it's value to false. You can also enable alerts for any other issue that isn't enabled by default by setting the issue slug value to true in the issues map.


The githubApp is a map of settings that correspond to the Socket GitHub app. The contained settings are described below.


Default: true.

If you want the Socket GitHub app to never run on a repo and do not have org permissions to disable GitHub access to that repo, you can add a socket.yml file to your repo and set enabled to false.

Setting enabled to false will override other settings in the socket.yml associated with the GitHub app.


Default: true.

The pullRequestAlertsEnabled field can be used to individually disable pull request alerts check runs and pull request comments generated by the GitHub app.

The enabled field must be set to true for this field to have any effect.


Default: true.

The dependencyOverviewEnabled field can be used to individually disable dependency overview comments in pull requests.

The enabled and pullRequestAlertsEnabled field must be set to true for this field to have any effect.


Default: true.

The projectReportsEnabled field can be used to individually disable project reports check runs for commits from being generated.

The enabled field must be set to true for this field to have any effect.


Default: []

The ignoreUsers is an optional array of strings that let you specify GitHub usernames that will prevent Pull Request Alerts from running on Pull Requests that are opened by anyone specified in this array. This can be useful in merge queues or other bot related circumstances.

Version 1 to Version 2 migration

To migrate a Version 1 socket.yml to version 2, perform the following changes:

  • Add the top level version key set to the value 2
  • Rename the ignore key to projectIgnorePaths
  • Rename the issues key to issueRules
  • Move the enabled, projectReportsEnabled and pullRequestAlertsEnabled keys under a top level githubApp key.
  • Remove the beta key

Existing v1 configuration files will continue to work, however newly added settings may not be accessible until you migrate your configuration to version 2. Internal details on configuration parsing can be found in the SocketDev/socket-config-js repo.

What’s Next

Learn how to ignore specific pull request alerts in Socket for GitHub: