# Socket Documentation ## Guides - [Incremental Rollout](https://docs.socket.dev/docs/incremental-rollout.md) - [Known issues](https://docs.socket.dev/docs/known-issues.md): Known issues with the Socket product, and workarounds when available. - [Sample Malware Packages](https://docs.socket.dev/docs/sample-malware-packages.md) - [Tool Configuration Files](https://docs.socket.dev/docs/tool-configuration-files.md) - [Create Socket API Key for CI/CD](https://docs.socket.dev/docs/create-socket-api-key-for-cicd.md) - [Create Variable Group for ADO](https://docs.socket.dev/docs/create-variable-group-key-for-azure-devops.md) - [Socket for Azure DevOps (Yaml)](https://docs.socket.dev/docs/socket-for-azure-devops-yaml.md) - [Socket for Azure DevOps (ADO Classic)](https://docs.socket.dev/docs/socket-for-azure-devops.md) - [Socket for GitHub Actions](https://docs.socket.dev/docs/socket-for-github-actions.md) - [Socket for Jenkins Jobs](https://docs.socket.dev/docs/socket-for-jenkins-jobs.md) - [Socket for Bitbucket Pipeline](https://docs.socket.dev/docs/socket-in-your-bitbucket-pipeline.md) - [Socket for Gitlab Pipeline](https://docs.socket.dev/docs/socket-in-your-gitlab-pipeline.md) - [SCIM](https://docs.socket.dev/docs/scim.md): SCIM, or System for Cross-domain Identity Management allows for the automation of user provisioning for your Socket organization. - [SSO (Single Sign-On)](https://docs.socket.dev/docs/single-sign-on.md): Integrate Single Sign-On (SSO) with Socket to streamline login processes, enhance security, and simplify user management, now available for Enterprise plan customers with support for over 20 identity providers. - [Slack alerts](https://docs.socket.dev/docs/slack-alerts.md): Receive pull request alerts in your Slack server - [Vanta integration](https://docs.socket.dev/docs/vanta-integration.md): This guide explains how to integrate Socket with Vanta to enhance your organization’s security and compliance efforts. - [Webhooks](https://docs.socket.dev/docs/webhooks.md): How to setup and configure webhooks. - [FAQ](https://docs.socket.dev/docs/faq.md): Frequently Asked Questions - [Getting started](https://docs.socket.dev/docs/getting-started.md) - [Contact support](https://docs.socket.dev/docs/contact-support.md) - [Join the community](https://docs.socket.dev/docs/join-the-community.md) - [Alert Actions and Triage Functionality](https://docs.socket.dev/docs/alert-actions-and-triage-functionality.md) - [Alert Purpose Definitions](https://docs.socket.dev/docs/alert-purpose-definitions.md) - [Alert Types Support](https://docs.socket.dev/docs/issues-list.md): Which types of alerts are supported for which programming languages - [License](https://docs.socket.dev/docs/license.md) - [Maintenance](https://docs.socket.dev/docs/maintenance.md) - [Alert Categories](https://docs.socket.dev/docs/package-issues.md): How package issues are categorized by Socket - [Quality](https://docs.socket.dev/docs/quality.md) - [Supply Chain Risk](https://docs.socket.dev/docs/supply-chain-risk.md) - [Vulnerability](https://docs.socket.dev/docs/vulnerability.md) - [Anaconda setup instructions](https://docs.socket.dev/docs/anaconda-setup-instructions.md): Generating a `requirements.txt` from a Conda Environment for Socket Scanning - [Gradle setup instructions (for Java, Kotlin, and Scala)](https://docs.socket.dev/docs/gradle-setup-instructions-for-java-kotlin-and-scala.md) - [Ecosystem Support](https://docs.socket.dev/docs/language-support.md): Languages ecosystems, programming languages, package managers, and features that Socket supports. - [Kotlin setup instructions](https://docs.socket.dev/docs/kotlin-setup-instructions.md) - [Scala setup instructions](https://docs.socket.dev/docs/scala-setup-instructions.md) - [Manifest File Detection in Socket](https://docs.socket.dev/docs/manifest-file-detection-in-socket.md) - [Package Scores](https://docs.socket.dev/docs/package-scores.md) - [Dependency Reachability](https://docs.socket.dev/docs/dependency-reachability.md): Dependency Reachability filters out unreachable alerts by constructing a dependency graph. - [Full Application Reachability](https://docs.socket.dev/docs/full-application-reachability.md): Full application Reachability enhances the precomputed reachability by filtering out CVEs that affect functions never called in both the application source code and the dependency code. - [Reachability Analysis](https://docs.socket.dev/docs/reachability-analysis.md): Socket SCA with Reachability Analysis allows you to safely disregard unreachable vulnerabilities and easily patch the ones that matter. - [Phantom Dependencies](https://docs.socket.dev/docs/phantom-dependencies.md): Phantom dependencies are dependencies that are used in your code but are not explicitly declared in your manifest file (e.g., package.json, go.mod, etc.). - [Precomputed Reachability](https://docs.socket.dev/docs/precomputed-reachability.md): Precomputed reachability enhances dependency reachability by filtering out CVEs that affect functions never called within transitive dependencies. - [Reachability Results](https://docs.socket.dev/docs/reachability-results.md): Result categories for precomputed and full application reachability analyses - [Static Reachability Analysis](https://docs.socket.dev/docs/static-reachability-analysis.md): Socket’s reachability analysis is based on static analysis of both your application’s source code and its dependencies. - [Alert Actions](https://docs.socket.dev/docs/security-policy-defaults.md) - [Deploying via Google Workspace](https://docs.socket.dev/docs/deploying-socket-web-extension-via-google-workspace.md) - [Extension Permissions](https://docs.socket.dev/docs/socket-chrome-extension-permissions-documentation.md) - [Guide to Socket Chrome Extension](https://docs.socket.dev/docs/socket-security-chrome-extension.md) - [Supported Node.js Versions](https://docs.socket.dev/docs/cli-support.md) - [safe-npm FAQ](https://docs.socket.dev/docs/safe-npm-faq.md): Start protecting your NPM usage today! - [Socket CLI FAQ](https://docs.socket.dev/docs/socket-cli-faq.md) - [Guide to Socket CLI](https://docs.socket.dev/docs/socket-cli.md): Introduction to Socket CLI - [v1 Migration guide](https://docs.socket.dev/docs/v1-migration-guide.md) - [socket.json](https://docs.socket.dev/docs/socketjson.md): A file containing local project settings to be used by the CLI - [socket analytics](https://docs.socket.dev/docs/socket-analytics.md): Get analytics data at the organization and repository level - [socket audit-log](https://docs.socket.dev/docs/socket-audit-log.md): Look up the audit log for an organization - [socket manifest cdxgen](https://docs.socket.dev/docs/socket-cdxgen.md): Generate an SBOM of target directory using CycloneDX - [socket ci](https://docs.socket.dev/docs/socket-ci.md): Get feedback on state of the code health in an automated environment - [socket fix](https://docs.socket.dev/docs/socket-fix.md): Update dependencies with fixable Socket alerts - [socket login](https://docs.socket.dev/docs/socket-login.md): Socket API login - [socket logout](https://docs.socket.dev/docs/socket-logout.md): Socket API logout - [socket manifest](https://docs.socket.dev/docs/socket-manifest.md): Generate local manifests for certain languages - [socket npm & socket npx](https://docs.socket.dev/docs/socket-npm-socket-npx.md): System global package manager integration for npm - [socket optimize](https://docs.socket.dev/docs/socket-optimize.md): Optimize dependencies with @socketregistry overrides - [socket organization](https://docs.socket.dev/docs/socket-organizations.md): List organizations associated with the API key used - [socket package](https://docs.socket.dev/docs/socket-package.md): Get score and other details on software packages - [socket raw-npm](https://docs.socket.dev/docs/socket-raw-npm.md): Temporarily disable the Socket npm wrapper - [socket raw-npx](https://docs.socket.dev/docs/socket-raw-npx.md): Temporarily disable the Socket npm/npx wrapper - [socket repository](https://docs.socket.dev/docs/socket-repo.md): Repositories related commands - [socket scan github](https://docs.socket.dev/docs/socket-scan-github.md): Additional options to create Socket scans for Github repos - [socket scan](https://docs.socket.dev/docs/socket-scan.md): Scans related commands - [socket threat-feed](https://docs.socket.dev/docs/socket-threat-feed.md): Look up the Socket threat feed - [socket wrapper](https://docs.socket.dev/docs/socket-wrapper.md): Enable or disable the Socket npm/npx wrapper - [Dependency Search](https://docs.socket.dev/docs/dependency-search.md) - [License Policy](https://docs.socket.dev/docs/license-policy.md) - [Organization Alerts](https://docs.socket.dev/docs/organization-alerts.md) - [Package Search](https://docs.socket.dev/docs/package-search.md) - [Repositories](https://docs.socket.dev/docs/repositories-1.md) - [Scans](https://docs.socket.dev/docs/scans.md) - [Customizable Security Policies](https://docs.socket.dev/docs/enabled-issues.md) - [Security Policy (Default Enabled Alerts)](https://docs.socket.dev/docs/security-policy-default-enabled-alerts.md): These are the default set of Enabled Alerts - [API Tokens](https://docs.socket.dev/docs/api-keys.md) - [Audit Log](https://docs.socket.dev/docs/audit-log.md) - [Threat Feed](https://docs.socket.dev/docs/threat-feed.md) - [Users](https://docs.socket.dev/docs/users.md) - [Enterprise Configuration](https://docs.socket.dev/docs/socket-firewall-enterprise-configuration.md) - [Generating Keys for Proxy Service](https://docs.socket.dev/docs/socket-firewall-enterprise-generating-keys.md) - [Enterprise Proxy Client Setup](https://docs.socket.dev/docs/socket-firewall-enterprise-proxy-client-setup.md) - [Enterprise Proxy Service Setup](https://docs.socket.dev/docs/socket-firewall-enterprise-proxy-service-setup.md) - [Enterprise Wrapper Mode](https://docs.socket.dev/docs/socket-firewall-enterprise-wrapper-mode.md) - [Socket Firewall Enterprise](https://docs.socket.dev/docs/socket-firewall-enterprise.md) - [Socket Firewall Free](https://docs.socket.dev/docs/socket-firewall-free.md) - [Socket Firewall Overview](https://docs.socket.dev/docs/socket-firewall-overview.md) - [Enable branch protection](https://docs.socket.dev/docs/enable-branch-protection.md): How to enable branch protection to make Socket a required GitHub check. - [Ignoring pull request alerts](https://docs.socket.dev/docs/ignoring-pull-request-alerts.md): Bot commands for the GitHub App - [GitHub App Permissions](https://docs.socket.dev/docs/permissions.md): What permissions does Socket for GitHub require? - [Install the App](https://docs.socket.dev/docs/socket-for-github-installation.md) - [Guide to Socket for GitHub](https://docs.socket.dev/docs/socket-for-github.md) - [socket.yml](https://docs.socket.dev/docs/socket-yml.md): Optional Socket GitHub App configuration file - [Understanding "Act on Your Behalf" Permission](https://docs.socket.dev/docs/understanding-act-on-your-behalf-permission.md) - [What to do when you receive an alert](https://docs.socket.dev/docs/what-to-do-with-socket-alerts.md): What should a developer do when they receive a Socket Alert on their pull request? - [Guide to Socket for VS Code](https://docs.socket.dev/docs/socket-for-vs-code.md) - [Guide to Socket MCP](https://docs.socket.dev/docs/guide-to-socket-mcp.md) - [Local Socket MCP](https://docs.socket.dev/docs/local-socket-mcp.md) - [Remote Socket MCP](https://docs.socket.dev/docs/remote-socket-mcp.md) - [Socket MCP for Claude Desktop](https://docs.socket.dev/docs/socket-mcp-for-claude-desktop.md) - [Socket JavaScript SDK](https://docs.socket.dev/docs/socket-javascript-sdk.md) - [Socket Python SDK](https://docs.socket.dev/docs/socket-python-sdk.md) ## API Reference - [List full scans associated with alert (Beta)](https://docs.socket.dev/reference/alertfullscans.md): List full scans associated with alert. This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - alerts:list - [List latest alerts (Beta)](https://docs.socket.dev/reference/alertslist.md): List latest alerts. This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - alerts:list - [List historical alerts (Beta)](https://docs.socket.dev/reference/historicalalertslist.md): List historical alerts. This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - historical:alerts-list - [Trend of historical alerts (Beta)](https://docs.socket.dev/reference/historicalalertstrend.md): Trend analytics of historical alerts. This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - historical:alerts-trend - [List API Tokens](https://docs.socket.dev/reference/getapitokens.md): List all API Tokens. This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - api-tokens:list - [List organizations](https://docs.socket.dev/reference/getorganizations.md): Get information on the current organizations associated with the API token. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - No Scopes Required, but authentication is required - [Get quota](https://docs.socket.dev/reference/getquota.md): Get your current API quota. You can use this endpoint to prevent doing requests that might spend all your quota. This endpoint consumes 0 units of your quota. This endpoint requires the following org token scopes: - No Scopes Required, but authentication is required - [Create API Token](https://docs.socket.dev/reference/postapitoken.md): Create an API Token. The API Token created must use a subset of permissions the API token creating them. This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - api-tokens:create - [Revoke API Token](https://docs.socket.dev/reference/postapitokensrevoke.md): Revoke an API Token This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - api-tokens:revoke - [Rotate API Token](https://docs.socket.dev/reference/postapitokensrotate.md): Rotate an API Token This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - api-tokens:rotate - [Update API Token](https://docs.socket.dev/reference/postapitokenupdate.md): Update an API Token. The API Token created must use a subset of permissions the API token creating them. This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - api-tokens:create - [Get Audit Log Events](https://docs.socket.dev/reference/getauditlogevents.md): Paginated list of audit log events. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - audit-log:list - [Authentication](https://docs.socket.dev/reference/authentication.md): This page will explain how Socket API authentication works - [Creating and Managing API Tokens](https://docs.socket.dev/reference/creating-and-managing-api-tokens.md) - [Trend of historical dependencies (Beta)](https://docs.socket.dev/reference/historicaldependenciestrend.md): Trend analytics of historical dependencies. This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - historical:dependencies-trend - [Search dependencies](https://docs.socket.dev/reference/searchdependencies.md): Search for any dependency that is being used in your organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - No Scopes Required, but authentication is required - [Create a snapshot of all dependencies from manifest information](https://docs.socket.dev/reference/createdependenciessnapshot.md): **This endpoint is deprecated.** Upload a set of manifest or lockfiles to get your dependency tree analyzed by Socket. You can upload multiple lockfiles in the same request, but each filename must be unique. The name of the file must be in the supported list. For example, these are valid filenames: "requirements.txt", "package.json", "folder/package.json", and "deep/nested/folder/package.json". This endpoint consumes 100 units of your quota. This endpoint requires the following org token scopes: - report:write - [Create a report](https://docs.socket.dev/reference/createreport.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference/createorgfullscan) instead. Deprecated: Use `/orgs/{org_slug}/full-scans` instead. Upload a lockfile to get your project analyzed by Socket. You can upload multiple lockfiles in the same request, but each filename must be unique. The name of the file must be in the supported list. For example, these are valid filenames: `package.json`, `folder/package.json` and `deep/nested/folder/package.json`. This endpoint consumes 100 units of your quota. This endpoint requires the following org token scopes: - report:write - [Delete a report](https://docs.socket.dev/reference/deletereport.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference) instead. Deprecated: Use `/orgs/{org_slug}/full-scans` instead. Delete a specific project report generated with the GitHub app. This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - report:write - [Get issues by package](https://docs.socket.dev/reference/getissuesbynpmpackage.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference) instead. Get all the issues related with a particular npm package version. This endpoint returns the issue type, location, and additional details related to each issue in the `props` attribute. You can [see here](https://socket.dev/alerts) the full list of issues. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - No Scopes Required, but authentication is required - [Get organization analytics (unstable)](https://docs.socket.dev/reference/getorganalytics.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference/historicalalertstrend) instead. Please implement against the [Historical dependencies](/reference/historicaldependenciestrend) or [Historical alerts](/reference/historicalalertstrend) endpoints. Get analytics data regarding the number of alerts found across all active repositories. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - report:write - [Diff Full Scans](https://docs.socket.dev/reference/getorgdiffscan.md): **This endpoint is deprecated.** Get the difference between two existing Full Scans. The results are not persisted. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - full-scans:list - [SCM Comment for Scan Diff](https://docs.socket.dev/reference/getorgfullscandiffgfm.md): **This endpoint is deprecated.** Get the dependency overview and dependency alert comments in GitHub flavored markdown between the diff between two existing full scans. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - full-scans:list - [Get Organization License Policy](https://docs.socket.dev/reference/getorglicensepolicy.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference/viewlicensepolicy) instead. Retrieve the license policy of an organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - license-policy:read - [Get repository analytics](https://docs.socket.dev/reference/getrepoanalytics.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference/historicalalertstrend) instead. Please implement against the [Historical dependencies](/reference/historicaldependenciestrend) or [Historical alerts](/reference/historicalalertstrend) endpoints. Get analytics data regarding the number of alerts found in a single repository. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - report:write - [List GitHub repositories](https://docs.socket.dev/reference/getrepolist.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference/getorgrepolist) instead. Deprecated: Use `/orgs/{org_slug}/repos` instead. Get all GitHub repositories associated with a Socket org. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo:list - [View a report](https://docs.socket.dev/reference/getreport.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference/getorgfullscan) instead. Deprecated: Use `/orgs/{org_slug}/full-scans` instead. Get all the issues, packages, and scores related to an specific project report. This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - report:read - [Get list of reports](https://docs.socket.dev/reference/getreportlist.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference) instead. Deprecated: Use `/orgs/{org_slug}/full-scans` instead. Get all your project reports generated with the GitHub app. This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - report:list - [Get supported files for report](https://docs.socket.dev/reference/getreportsupportedfiles.md): **This endpoint is deprecated.** Deprecated since 2023-01-15. Use the [successor version](https://docs.socket.dev/reference/getsupportedfiles) instead. This route has been moved to the `orgs/{org_slug}/supported-files` endpoint. Get a list of supported files for project report generation. Files are categorized first by environment (e.g. NPM or PyPI), then by name. Files whose names match the patterns returned by this endpoint can be uploaded for report generation. Examples of supported filenames include `package.json`, `package-lock.json`, and `yarn.lock`. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - [Get score by package](https://docs.socket.dev/reference/getscorebynpmpackage.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference/batchpackagefetch) instead. Get all the scores and metrics by category that are used to evaluate the package version. - depscore: The average of all score factors. (0-1) - supplyChainRisk: Score factors relating to supply chain security (0-1) - downloadCount: The number of downloads for the package. Higher downloads contribute to a higher score. - supplyChainRiskIssueLow/Mid/High/Critical: The number of supply chain risk issues of varying severity. Lower numbers contribute to a higher score. - dependencyCount: The number of production dependencies. Lower count contributes to a higher score. - devDependencyCount: The number of development dependencies. Lower count contributes to a higher score. - transitiveDependencyCount: The number of transitive dependencies. Lower count contributes to a higher score. - totalDependencyCount: The total number of dependencies (production + development + transitive). Lower count contributes to a higher score. - quality: Score factors relating to code quality (0-1) - qualityIssueLow/Mid/High/Critical: The number of code quality issues of varying severity. Lower numbers contribute to a higher score. - linesOfCode: The number of lines of code in the package. Lower count contributes to a higher score. - readmeLength: The length of the package's README file. Longer READMEs contribute to a higher score. - maintenance: Score factors relating to package maintenance (0-1) - maintainerCount: The number of maintainers for the package. More maintainers contribute to a higher score. - versionsLastWeek/Month/TwoMonths/Year: The number of versions released in different time periods. More recent releases contribute to a higher score. - versionCount: The total number of versions released. Higher count contributes to a higher score. - maintenanceIssueLow/Mid/High/Critical: The number of maintenance issues of varying severity. Lower numbers contribute to a higher score. - vulnerability: Score factors relating to package vulnerabilities (0-1) - vulnerabilityIssueLow/Mid/High/Critical: The number of vulnerability issues of varying severity. Lower numbers contribute to a higher score. - dependencyVulnerabilityCount: The number of vulnerabilities in the package's dependencies. Lower count contributes to a higher score. - vulnerabilityCount: The number of vulnerabilities in the package itself. Lower count contributes to a higher score. - license: Score factors relating to package licensing (0-1) - licenseIssueLow/Mid/High/Critical: The number of license issues of varying severity. Lower numbers contribute to a higher score. - licenseQuality: A score indicating the quality/permissiveness of the package's license. Higher quality contributes to a higher score. - miscellaneous: Miscellaneous metadata about the package version. - versionAuthorName/Email: The name and email of the version author. - fileCount: The number of files in the package. - byteCount: The total size in bytes of the package. - typeModule: Whether the package declares a "type": "module" field. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - No Scopes Required, but authentication is required - [Calculate settings](https://docs.socket.dev/reference/postsettings.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference/updateorgsecuritypolicy) instead. Get current settings for the requested organizations and default settings to allow deferrals. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - No Scopes Required, but authentication is required - [Saturate License Policy (Legacy)](https://docs.socket.dev/reference/saturatelicensepolicy.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference/updateorglicensepolicy) instead. Get the "saturated" version of a license policy's allow list, filling in the entire set of allowed license data. For example, the saturated form of a license allow list which only specifies that licenses in the tier "maximal copyleft" are allowed is shown below (note the expanded `allowedStrings` property): ```json { "allowedApprovalSources": [], "allowedFamilies": [], "allowedTiers": [ "maximal copyleft" ], "allowedStrings": [ "Parity-6.0.0", "QPL-1.0-INRIA-2004", "QPL-1.0", "RPL-1.1", "RPL-1.5" ], "allowedPURLs": [], "focusAlertsHere": false } ``` This may be helpful for users who want to compose more complex sets of allowed license data via the "allowedStrings" property, or for users who want to know more about the contents of a particular license group (family, tier, or approval source). ## Allow List Schema ```json ``` where PermissiveTier ::= "model permissive" | "gold" | "silver" | "bronze" | "lead" CopyleftTier ::= "maximal copyleft" | "network copyleft" | "strong copyleft" | "weak copyleft" ## Return Value The returned value has the same shape as a license allow list: ```json { allowedApprovalSources?: Array<"fsf" | "osi">, allowedFamilies?: Array<"copyleft" | "permissive">, allowedTiers?: Array, allowedStrings?: Array allowedPURLs?: Array focusAlertsHere?: boolean } ``` where PermissiveTier ::= "model permissive" | "gold" | "silver" | "bronze" | "lead" CopyleftTier ::= "maximal copyleft" | "network copyleft" | "strong copyleft" | "weak copyleft" readers can learn more about [copyleft tiers](https://blueoakcouncil.org/copyleft) and [permissive tiers](https://blueoakcouncil.org/list) by reading the linked resources. ### Example request bodies: ```json { "allowedApprovalSources": ["fsf"], "allowedPURLs": [], "allowedFamilies": ["copyleft"], "allowedTiers": ["model permissive"], "allowedStrings": ["License :: OSI Approved :: BSD License"], "focusAlertsHere": false } ``` This endpoint consumes 100 units of your quota. This endpoint requires the following org token scopes: - packages:list - [Create diff scan from full scan IDs](https://docs.socket.dev/reference/createorgdiffscanfromids.md): Create a diff scan from two existing full scan IDs. The full scans must be in the same repository. Returns metadata about the diff scan. Once the diff scan is created, fetch the diff scan from the [api_url](/reference/getDiffScanById) URL to get the contents of the diff. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - diff-scans:create - full-scans:list - [Create diff scan from repository HEAD full-scan](https://docs.socket.dev/reference/createorgrepodiff.md): Create a diff scan between the repository's current HEAD full scan and a new full scan from uploaded manifest files. Returns metadata about the diff scan. Once the diff scan is created, fetch the diff scan from the [api_url](/reference/getDiffScanById) URL to get the contents of the diff. The maximum number of files you can upload at a time is 5000 and each file can be no bigger than 268 MB. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo:list - diff-scans:create - full-scans:create - [Delete diff scan](https://docs.socket.dev/reference/deleteorgdiffscan.md): Delete an existing diff scan. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - diff-scans:delete - [Get diff scan](https://docs.socket.dev/reference/getdiffscanbyid.md): Get the difference between two full scans from an existing diff scan resource. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - diff-scans:list - [SCM Comment for Diff Scan](https://docs.socket.dev/reference/getdiffscangfm.md): Get the dependency overview and dependency alert comments in GitHub flavored markdown for an existing diff scan. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - diff-scans:list - [List diff scans](https://docs.socket.dev/reference/listorgdiffscans.md): Returns a paginated list of all diff scans in an organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - diff-scans:list - [Fetch fixes for vulnerabilities in a repository or scan](https://docs.socket.dev/reference/fetch-fixes.md): Fetches available fixes for vulnerabilities in a repository or scan. Requires either repo_slug or full_scan_id as well as vulnerability_ids to be provided. vulnerability_ids can be a comma-separated list of GHSA or CVE IDs, or "*" for all vulnerabilities. ## Response Structure The response contains a `fixDetails` object where each key is a vulnerability ID (GHSA or CVE) and the value is a discriminated union based on the `type` field. ### Common Fields All response variants include: - `type`: Discriminator field (one of: "fixFound", "partialFixFound", "noFixAvailable", "fixNotApplicable", "errorComputingFix") - `value`: Object containing the variant-specific data The `value` object always contains: - `ghsa`: string | null - The GHSA ID - `cve`: string | null - The CVE ID (if available) - `advisoryDetails`: object | null - Advisory details (only if include_details=true) ### Response Variants **fixFound**: A complete fix is available for all vulnerable packages - `value.fixDetails.fixes`: Array of fix objects, each containing: - `purl`: Package URL to upgrade - `fixedVersion`: Version to upgrade to - `manifestFiles`: Array of manifest files containing the package - `updateType`: "patch" | "minor" | "major" | "unknown" - `value.fixDetails.responsibleDirectDependencies`: (optional) Map of direct dependencies responsible for the vulnerability **partialFixFound**: Fixes available for some but not all vulnerable packages - Same as fixFound, plus: - `value.fixDetails.unfixablePurls`: Array of packages that cannot be fixed, each containing: - `purl`: Package URL - `manifestFiles`: Array of manifest files **noFixAvailable**: No fix exists for this vulnerability (no patched version published) **fixNotApplicable**: A fix exists but cannot be applied due to version constraints - `value.vulnerableArtifacts`: Array of vulnerable packages with their manifest files **errorComputingFix**: An error occurred while computing fixes - `value.message`: Error description ### Advisory Details (when include_details=true) - `title`: string | null - `description`: string | null - `cwes`: string[] - CWE identifiers - `severity`: "LOW" | "MODERATE" | "HIGH" | "CRITICAL" - `cvssVector`: string | null - `publishedAt`: string (ISO date) - `kev`: boolean - Whether it's a Known Exploited Vulnerability - `epss`: number | null - Exploit Prediction Scoring System score - `affectedPurls`: Array of affected packages with version ranges This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - fixes:list - [Create full scan](https://docs.socket.dev/reference/createorgfullscan.md): Create a full scan from a set of package manifest files. Returns a full scan including all SBOM artifacts. To get a list of supported filetypes that can be uploaded in a full-scan, see the [Get supported file types](/reference/getsupportedfiles) endpoint. The maximum number of files you can upload at a time is 5000 and each file can be no bigger than 268 MB. **Query Parameters:** - `scan_type` (optional): The type of scan to perform. Defaults to 'socket'. Must be 32 characters or less. Used for categorizing multiple SBOM heads per repository branch. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - full-scans:create - [Create full scan from archive](https://docs.socket.dev/reference/createorgfullscanarchive.md): Create a full scan by uploading one or more archives. Supported archive formats include **.tar**, **.tar.gz/.tgz**, and **.zip**. Each uploaded archive is extracted server-side and any supported manifest files (like package.json, package-lock.json, pnpm-lock.yaml, etc.) are ingested for the scan. If you upload multiple archives in a single request, the manifests from every archive are merged into one full scan. The response includes any files that were ignored. The maximum combined number of files extracted from your upload is 5000 and each extracted file can be no bigger than 268 MB. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - full-scans:create - [Delete full scan](https://docs.socket.dev/reference/deleteorgfullscan.md): Delete an existing full scan. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - full-scans:delete - [Download full scan files as tarball](https://docs.socket.dev/reference/downloadorgfullscanfilesastar.md): Download all files associated with a full scan in tar format. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - full-scans:list - [Export CycloneDX SBOM (Beta)](https://docs.socket.dev/reference/exportcdx.md): Export a Socket SBOM as a CycloneDX SBOM Supported ecosystems: - crates - go - maven - npm - nuget - pypi - rubygems - spdx - cdx Unsupported ecosystems are filtered from the export. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - report:read - [Export OpenVEX Document (Beta)](https://docs.socket.dev/reference/exportopenvex.md): Export vulnerability exploitability data as an OpenVEX v0.2.0 document. OpenVEX (Vulnerability Exploitability eXchange) documents communicate the exploitability status of vulnerabilities in software products. This export includes: - **Patch data**: Vulnerabilities fixed by applied Socket patches are marked as "fixed" - **Reachability analysis**: Code reachability determines if vulnerable code is exploitable: - Unreachable code → "not_affected" with justification - Reachable code → "affected" - Unknown/pending → "under_investigation" Each statement in the document represents a single artifact-vulnerability pair for granular reachability information. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - report:read - [Export SPDX SBOM (Beta)](https://docs.socket.dev/reference/exportspdx.md): Export a Socket SBOM as a SPDX SBOM Supported ecosystems: - crates - go - maven - npm - nuget - pypi - rubygems - spdx - cdx Unsupported ecosystems are filtered from the export. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - report:read - [Stream full scan](https://docs.socket.dev/reference/getorgfullscan.md): Stream all SBOM artifacts for a full scan. This endpoint returns the latest, available alert data for artifacts in the full scan (stale while revalidate). Actively running analysis will be returned when available on subsequent runs. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - full-scans:list - [List full scans](https://docs.socket.dev/reference/getorgfullscanlist.md): Returns a paginated list of all full scans in an org, excluding SBOM artifacts. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - full-scans:list - [Get full scan metadata](https://docs.socket.dev/reference/getorgfullscanmetadata.md): Get metadata for a single full scan This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - full-scans:list - [Get supported file types](https://docs.socket.dev/reference/getsupportedfiles.md): Get a list of supported files for full scan generation. Files are categorized first by environment (e.g. NPM or PyPI), then by name. Files whose names match the patterns returned by this endpoint can be uploaded for report generation. Examples of supported filenames include `package.json`, `package-lock.json`, and `yarn.lock`. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - No Scopes Required, but authentication is required - [Rescan full scan](https://docs.socket.dev/reference/rescanorgfullscan.md): Create a new full scan by rescanning an existing scan. A "shallow" rescan reapplies the latest policies to the previously cached dependency resolution results. A "deep" rescan reruns dependency resolution and applies the latest policies to the results. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - full-scans:create - [Historical Data Endpoints](https://docs.socket.dev/reference/historical-data-endpoints.md): Historical data endpoints provide access to historical data that is collected via periodic snapshots and other events - [License Policy (Beta)](https://docs.socket.dev/reference/licensepolicy.md): Compare the license data found for a list of packages (given as PURL strings) with the contents of a configurable license policy, returning information about license data which does not comply with the license allow list. ## Example request body: ```json { "components": [ { "purl": "pkg:npm/lodash@4.17.21" }, { "purl": "pkg:npm/lodash@4.14.1" } ], "allow": [ "permissive", "pkg:npm/lodash?file_name=foo/test/*&version_glob=4.17.*" ], "warn": [ "copyleft", "pkg:npm/lodash?file_name=foo/prod/*&version_glob=4.14.*" ], "options": ["toplevelOnly"] } ``` ## Return value For each requested PURL, an array is returned. Each array contains a list of license policy violations detected for the requested PURL. Violations are accompanied by a string identifying the offending license data as `spdxAtomOrExtraData`, a message describing why the license data is believed to be incompatible with the license policy, and a list of locations (by filepath or other provenance information) where the offending license data may be found. ```json Array< Array<{ filepathOrProvenance: Array, level: "warning" | "violation", purl: string, spdxAtomOrExtraData: string, violationExplanation: string }> > ``` ## License policy schema ```json { allow?: Array warn?: Array options?: Array } ``` Elements of the `allow` and `warn` arrays strings representing items which should be allowed, or which should trigger a warning; license data found in package which not present in either array will produce a license violation (effectively a "hard" error). For example, to allow Apache-2.0 and MIT to the allow list, simply add the strings "Apache-2.0" and "MIT" to the `allow` array. Strings appearing in these arrays are generally "what you see is what you get", with two important exceptions: strings which are recognized as license classes and strings which are recognized as PURLs are handled differently to allow for more flexible license policy creation. ## License Classes Strings which are license classes will expand to a list of licenses known to be in that particular license class. Recognized license classes are: 'permissive', 'permissive (model)', 'permissive (gold)', 'permissive (silver)', 'permissive (bronze)', 'permissive (lead)', 'copyleft', 'maximal copyleft', 'network copyleft', 'strong copyleft', 'weak copyleft', 'contributor license agreement', 'public domain', 'proprietary free', 'source available', 'proprietary', 'commercial', 'patent' Users can learn more about [copyleft tiers](https://blueoakcouncil.org/copyleft) and [permissive tiers](https://blueoakcouncil.org/list) by reading the linked resources. ## PURLs Users may also modify their license policy's allow and warn lists by using [package URLs](https://github.com/package-url/purl-spec) (aka PURLs), which support glob patterns to allow a range of versions, files and directories, etc. purl qualifiers which support globs are `filename`, `version_glob`, `artifact_id` and `license_provenance` (primarily used for allowing data from registry metadata). ### Examples: Allow all license data found in a specific version of a package 4.14.1: `pkg:npm/lodash@4.14.1` Allow all license data found in a version range of a package: `pkg:npm/lodash?version_glob=15.*` Allow all license data in the test directory of a given package for certain version ranges: `pkg:npm/lodash@15.*.*?file_name=lodash/test/*` Allow all license data taken from the package registry for a package and version range: `pkg:npm/lodash?version_glob=*&license_provenance=registry_metadata` ## Available options `toplevelOnly`: only apply the license policy to "top level" license data in a package, which includes registry metadata, LICENSE files, and manifest files which are closest to the root of the package. `applyToUnidentified`: Apply license policy to found but unidentified license data. If enabled, the license policy will be applied to license data which could not be affirmatively identified as a known license (this will effectively merge the license policy violation and unidentified license alerts). If disabled, license policy alerts will only be shown for license data which is positively identified as something not allowed or set to warn by the license policy. This endpoint consumes 100 units of your quota. This endpoint requires the following org token scopes: - packages:list - license-policy:read - [Update License Policy](https://docs.socket.dev/reference/updateorglicensepolicy.md): Set the organization's license policy ## License policy schema ```json { allow?: Array warn?: Array options?: Array } ``` Elements of the `allow` and `warn` arrays strings representing items which should be allowed, or which should trigger a warning; license data found in package which not present in either array will produce a license violation (effectively a "hard" error). For example, to allow Apache-2.0 and MIT to the allow list, simply add the strings "Apache-2.0" and "MIT" to the `allow` array. Strings appearing in these arrays are generally "what you see is what you get", with two important exceptions: strings which are recognized as license classes and strings which are recognized as PURLs are handled differently to allow for more flexible license policy creation. ## License Classes Strings which are license classes will expand to a list of licenses known to be in that particular license class. Recognized license classes are: 'permissive', 'permissive (model)', 'permissive (gold)', 'permissive (silver)', 'permissive (bronze)', 'permissive (lead)', 'copyleft', 'maximal copyleft', 'network copyleft', 'strong copyleft', 'weak copyleft', 'contributor license agreement', 'public domain', 'proprietary free', 'source available', 'proprietary', 'commercial', 'patent' Users can learn more about [copyleft tiers](https://blueoakcouncil.org/copyleft) and [permissive tiers](https://blueoakcouncil.org/list) by reading the linked resources. ## PURLs Users may also modify their license policy's allow and warn lists by using [package URLs](https://github.com/package-url/purl-spec) (aka PURLs), which support glob patterns to allow a range of versions, files and directories, etc. purl qualifiers which support globs are `filename`, `version_glob`, `artifact_id` and `license_provenance` (primarily used for allowing data from registry metadata). ### Examples: Allow all license data found in a specific version of a package 4.14.1: `pkg:npm/lodash@4.14.1` Allow all license data found in a version range of a package: `pkg:npm/lodash?version_glob=15.*` Allow all license data in the test directory of a given package for certain version ranges: `pkg:npm/lodash@15.*.*?file_name=lodash/test/*` Allow all license data taken from the package registry for a package and version range: `pkg:npm/lodash?version_glob=*&license_provenance=registry_metadata` ## Available options `toplevelOnly`: only apply the license policy to "top level" license data in a package, which includes registry metadata, LICENSE files, and manifest files which are closest to the root of the package. `applyToUnidentified`: Apply license policy to found but unidentified license data. If enabled, the license policy will be applied to license data which could not be affirmatively identified as a known license (this will effectively merge the license policy violation and unidentified license alerts). If disabled, license policy alerts will only be shown for license data which is positively identified as something not allowed or set to warn by the license policy. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - license-policy:update - [Get License Policy (Beta)](https://docs.socket.dev/reference/viewlicensepolicy.md): Returns an organization's license policy including allow, warn, monitor, and deny categories. The deny category contains all licenses that are not explicitly categorized as allow, warn, or monitor. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - license-policy:read - [Alert Types Metadata](https://docs.socket.dev/reference/alerttypes.md): For an array of alert type identifiers, returns metadata for each alert type. Optionally, specify a language via the 'language' query parameter. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - [Returns the OpenAPI definition](https://docs.socket.dev/reference/getopenapi.md): Retrieve the API specification in an Openapi JSON format. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - [Returns the OpenAPI definition](https://docs.socket.dev/reference/getopenapijson.md): Retrieve the API specification in an Openapi JSON format. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - [License Metadata](https://docs.socket.dev/reference/licensemetadata.md): For an array of license identifiers or names (short form SPDX identifiers, or long form license names), returns an array of metadata for the corresponding license, if the license is recognized. If the query parameter `includetext=true` is set, the returned metadata will also include the license text. ## Example request body: ```json [ "Apache-2.0", "BSD Zero Clause License" ] ``` ## Return value ```json // Response schema: Array<{ licenseId: string, name?: string, deprecated?: string, crossref?: string classes: Array text?: string }> // Example response: [ { "licenseId": "Apache-2.0", "name": "Apache License 2.0", "deprecated": false, "crossref": "https://spdx.org/licenses/Apache-2.0.html", "classes": [ "fsf libre", "osi approved", "permissive (silver)" ] }, { "licenseId": "0BSD", "name": "BSD Zero Clause License", "deprecated": false, "crossref": "https://spdx.org/licenses/0BSD.html", "classes": [ "osi approved", "permissive (bronze)" ] } ] ``` ## License policy schema ```json { allow?: Array warn?: Array options?: Array } ``` Elements of the `allow` and `warn` arrays strings representing items which should be allowed, or which should trigger a warning; license data found in package which not present in either array will produce a license violation (effectively a "hard" error). For example, to allow Apache-2.0 and MIT to the allow list, simply add the strings "Apache-2.0" and "MIT" to the `allow` array. Strings appearing in these arrays are generally "what you see is what you get", with two important exceptions: strings which are recognized as license classes and strings which are recognized as PURLs are handled differently to allow for more flexible license policy creation. ## License Classes Strings which are license classes will expand to a list of licenses known to be in that particular license class. Recognized license classes are: 'permissive', 'permissive (model)', 'permissive (gold)', 'permissive (silver)', 'permissive (bronze)', 'permissive (lead)', 'copyleft', 'maximal copyleft', 'network copyleft', 'strong copyleft', 'weak copyleft', 'contributor license agreement', 'public domain', 'proprietary free', 'source available', 'proprietary', 'commercial', 'patent' Users can learn more about [copyleft tiers](https://blueoakcouncil.org/copyleft) and [permissive tiers](https://blueoakcouncil.org/list) by reading the linked resources. ## PURLs Users may also modify their license policy's allow and warn lists by using [package URLs](https://github.com/package-url/purl-spec) (aka PURLs), which support glob patterns to allow a range of versions, files and directories, etc. purl qualifiers which support globs are `filename`, `version_glob`, `artifact_id` and `license_provenance` (primarily used for allowing data from registry metadata). ### Examples: Allow all license data found in a specific version of a package 4.14.1: `pkg:npm/lodash@4.14.1` Allow all license data found in a version range of a package: `pkg:npm/lodash?version_glob=15.*` Allow all license data in the test directory of a given package for certain version ranges: `pkg:npm/lodash@15.*.*?file_name=lodash/test/*` Allow all license data taken from the package registry for a package and version range: `pkg:npm/lodash?version_glob=*&license_provenance=registry_metadata` ## Available options `toplevelOnly`: only apply the license policy to "top level" license data in a package, which includes registry metadata, LICENSE files, and manifest files which are closest to the root of the package. `applyToUnidentified`: Apply license policy to found but unidentified license data. If enabled, the license policy will be applied to license data which could not be affirmatively identified as a known license (this will effectively merge the license policy violation and unidentified license alerts). If disabled, license policy alerts will only be shown for license data which is positively identified as something not allowed or set to warn by the license policy. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - [Get integration events](https://docs.socket.dev/reference/getintegrationevents.md): This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - integration:list - [Get Socket Basics configuration, including toggles for the various tools it supports.](https://docs.socket.dev/reference/getsocketbasicsconfig.md): Socket Basics is a CI/CD security scanning suite that runs on your source code, designed to complement Socket SCA and provide full coverage. - **SAST** - Find issues and risks with your code via static analysis using best in class Open Source tools - **Secret Scanning** - Detected potentially leaked secrets and credentials within your code - **Container Security** - Docker image and Dockerfile vulnerability scanning This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - socket-basics:read - [List details of periodic historical data snapshots (Beta)](https://docs.socket.dev/reference/historicalsnapshotslist.md): This API endpoint is used to list the details of historical snapshots. Snapshots of organization data are taken periodically, and each historical snapshot record contains high-level overview metrics about the data that was collected. Other [Historical Data Endpoints](/reference/historical-data-endpoints) can be used to fetch the raw data associated with each snapshot. Historical snapshots contain details and raw data for the following resources: - Repositories - Alerts - Dependencies - Artifacts - Users - Settings Daily snapshot data is bucketed to the nearest day which is described in more detail at: [Historical Data Endpoints](/reference/historical-data-endpoints) This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - historical:snapshots-list - [Start historical data snapshot job (Beta)](https://docs.socket.dev/reference/historicalsnapshotsstart.md): This API endpoint is used to start a historical snapshot job. While snapshots are typically taken at least once a day, this endpoint can be used to start an "on demand" snapshot job to ensure the latest data is collected and stored for historical purposes. An historical snapshot will contain details and raw data for the following resources: - Repositories - Alerts - Dependencies - Artifacts - Users - Settings Historical snapshot data is bucketed to the nearest day which is described in more detail at: [Historical Data Endpoints](/reference/historical-data-endpoints) This endpoint consumes 10 units of your quota. This endpoint requires the following org token scopes: - historical:snapshots-start - [Get Packages by PURL](https://docs.socket.dev/reference/batchpackagefetch.md): **This endpoint is deprecated.** Deprecated since 2026-01-05. It will be removed on 2026-07-30. Batch retrieval of package metadata and alerts by PURL strings. Compatible with CycloneDX reports. Package URLs (PURLs) are an ecosystem agnostic way to identify packages. CycloneDX SBOMs use the purl format to identify components. This endpoint supports fetching metadata and alerts for multiple packages at once by passing an array of purl strings, or by passing an entire CycloneDX report. **Note:** This endpoint has a batch size limit (default: 1024 PURLs per request). Requests exceeding this limit will return a 400 Bad Request error. More information on purl and CycloneDX: - [`purl` Spec](https://github.com/package-url/purl-spec) - [CycloneDX Spec](https://cyclonedx.org/specification/overview/#components) This endpoint returns the latest available alert data for artifacts in the batch (stale while revalidate). Actively running analysis will be returned when available on subsequent runs. ## Examples: ### Looking up an npm package: ```json { "components": [ { "purl": "pkg:npm/express@4.19.2" } ] } ``` ### Looking up an PyPi package: ```json { "components": [ { "purl": "pkg:pypi/django@5.0.6" } ] } ``` ### Looking up a Maven package: ```json { "components": [ { "purl": "pkg:maven/log4j/log4j@1.2.17" } ] } ``` ### Batch lookup ```json { "components": [ { "purl": "pkg:npm/express@4.19.2" }, { "purl": "pkg:pypi/django@5.0.6" }, { "purl": "pkg:maven/log4j/log4j@1.2.17" } ] } ``` This endpoint consumes 100 units of your quota. This endpoint requires the following org token scopes: - packages:list - [Get Packages by PURL (Org Scoped)](https://docs.socket.dev/reference/batchpackagefetchbyorg.md): Batch retrieval of package metadata and alerts by PURL strings for a specific organization. Compatible with CycloneDX reports. Package URLs (PURLs) are an ecosystem agnostic way to identify packages. CycloneDX SBOMs use the purl format to identify components. This endpoint supports fetching metadata and alerts for multiple packages at once by passing an array of purl strings, or by passing an entire CycloneDX report. **Note:** This endpoint has a batch size limit (default: 1024 PURLs per request). Requests exceeding this limit will return a 400 Bad Request error. More information on purl and CycloneDX: - [`purl` Spec](https://github.com/package-url/purl-spec) - [CycloneDX Spec](https://cyclonedx.org/specification/overview/#components) This endpoint returns the latest available alert data for artifacts in the batch (stale while revalidate). Actively running analysis will be returned when available on subsequent runs. ## Query Parameters This endpoint supports all query parameters from `POST /v0/purl` including: `alerts`, `actions`, `compact`, `fixable`, `licenseattrib`, `licensedetails`, `purlErrors`, `cachedResultsOnly`, and `summary`. Additionally, you may provide a `labels` query parameter to apply a repository label's security policies. Pass the label slug as the value (e.g., `?labels=production`). Only one label is currently supported. ## Examples: ### Looking up an npm package: ```json { "components": [ { "purl": "pkg:npm/express@4.19.2" } ] } ``` ### Looking up a PyPi package: ```json { "components": [ { "purl": "pkg:pypi/django@5.0.6" } ] } ``` ### Looking up a Maven package: ```json { "components": [ { "purl": "pkg:maven/log4j/log4j@1.2.17" } ] } ``` ### Batch lookup ```json { "components": [ { "purl": "pkg:npm/express@4.19.2" }, { "purl": "pkg:pypi/django@5.0.6" }, { "purl": "pkg:maven/log4j/log4j@1.2.17" } ] } ``` ### With label and options (query parameters): ``` POST /v0/orgs/{org_slug}/purl?labels=production&alerts=true&compact=true { "components": [ { "purl": "pkg:npm/express@4.19.2" } ] } ``` This endpoint consumes 100 units of your quota. This endpoint requires the following org token scopes: - packages:list - [Quota](https://docs.socket.dev/reference/quota.md): This page explains how Socket API quota works - [Associate repository label (beta)](https://docs.socket.dev/reference/associateorgrepolabel.md): Associate a repository label with a repository. Labels can be used to group and organize repositories and to apply security/license policies. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo-label:update - [Create repository label (beta)](https://docs.socket.dev/reference/createorgrepolabel.md): Create a repository label. Labels can be used to group and organize repositories and to apply security/license policies. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo-label:create - [Delete repository label (beta)](https://docs.socket.dev/reference/deleteorgrepolabel.md): Delete a repository label and all of its associations (repositories, security policy, license policy, etc.). This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo-label:delete - [Delete repository label setting (beta)](https://docs.socket.dev/reference/deleteorgrepolabelsetting.md): Delete the setting (e.g. security/license policy) for a repository label. Note that repository label settings currently only support `issueRules` and `issueRulesPolicyDefault`. A policy is considered "active" for a given repository label if the `issueRulesPolicyDefault` is set, and inactive when not set. `issueRules` can be used to further refine the alert triage strategy. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo-label:update - [Disassociate repository label (beta)](https://docs.socket.dev/reference/disassociateorgrepolabel.md): Disassociate a repository label from a repository. Labels can be used to group and organize repositories and to apply security/license policies. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo-label:update - [Get repository label (beta)](https://docs.socket.dev/reference/getorgrepolabel.md): Retrieve a repository label associated with an organization and label ID. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo-label:list - [List repository labels (beta)](https://docs.socket.dev/reference/getorgrepolabellist.md): Lists repository labels for the specified organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo-label:list - [Get repository label setting (beta)](https://docs.socket.dev/reference/getorgrepolabelsetting.md): Retrieve the setting (e.g. security/license policy) for a repository label. Note that repository label settings currently only support `issueRules` and `issueRulesPolicyDefault`. A policy is considered "active" for a given repository label if the `issueRulesPolicyDefault` is set, and inactive when not set. `issueRules` can be used to further refine the alert triage strategy. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo-label:list - [Update repository label (beta)](https://docs.socket.dev/reference/updateorgrepolabel.md): Update a repository label name. Labels can be used to group and organize repositories and to apply security/license policies. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo-label:update - [Update repository label setting (beta)](https://docs.socket.dev/reference/updateorgrepolabelsetting.md): Update the setting (e.g. security/license policy) for a repository label. Note that repository label settings currently only support `issueRules` and `issueRulesPolicyDefault`. A policy is considered "active" for a given repository label if the `issueRulesPolicyDefault` is set, and inactive when not set. `issueRules` can be used to further refine the alert triage strategy. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo-label:update - [Create repository](https://docs.socket.dev/reference/createorgrepo.md): Create a repository. Repos collect Full scans and Diff scans and are typically associated with a git repo. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo:create - [Delete repository](https://docs.socket.dev/reference/deleteorgrepo.md): Delete a single repository and all of its associated Full scans and Diff scans. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo:delete - [Get repository](https://docs.socket.dev/reference/getorgrepo.md): Retrieve a repository associated with an organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo:list - [List repositories](https://docs.socket.dev/reference/getorgrepolist.md): Lists repositories for the specified organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo:list - [Update repository](https://docs.socket.dev/reference/updateorgrepo.md): Update details of an existing repository. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - repo:update - [Get Organization Security Policy](https://docs.socket.dev/reference/getorgsecuritypolicy.md): Retrieve the security policy of an organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - security-policy:read - [Update Security Policy](https://docs.socket.dev/reference/updateorgsecuritypolicy.md): Update the security policy of an organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - security-policy:update - [Socket Package URLs (purl)](https://docs.socket.dev/reference/socket-package-urls-purl.md): This page describes how Socket purls work - [Get Organization Telemetry Config](https://docs.socket.dev/reference/getorgtelemetryconfig.md): Retrieve the telemetry config of an organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - [Update Telemetry Config](https://docs.socket.dev/reference/updateorgtelemetryconfig.md): Update the telemetry config of an organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - telemetry-policy:update - [Get Threat Feed Items (Beta)](https://docs.socket.dev/reference/getorgthreatfeeditems.md): Paginated list of threats, sorted by updated_at by default. Set updated_after to the unix timestamp of your last sync while sorting by updated_at to synchronize all new or updated threats in the feed. This endpoint requires an Enterprise Plan with Threat Feed add-on. [Contact](https://socket.dev/demo?utm_source=api-docs&utm_medium=referral&utm_campaign=tracking) our sales team for more details. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - threat-feed:list - [Get Threat Feed Items (Deprecated)](https://docs.socket.dev/reference/getthreatfeeditems.md): **This endpoint is deprecated.** Use the [successor version](https://docs.socket.dev/reference/getorgthreatfeeditems) instead. Paginated list of threat feed items. This endpoint requires an Enterprise Plan with Threat Feed add-on. [Contact](https://socket.dev/demo?utm_source=api-docs&utm_medium=referral&utm_campaign=tracking) our sales team for more details. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - threat-feed:list - [List Org Alert Triage](https://docs.socket.dev/reference/getorgtriage.md): Get alert triage actions for an organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - triage:alerts-list - [Update Org Alert Triage](https://docs.socket.dev/reference/updateorgalerttriage.md): Update triage actions on organizaton alerts. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - triage:alerts-update - [Create a webhook](https://docs.socket.dev/reference/createorgwebhook.md): Create a new webhook. Returns the created webhook details. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - webhooks:create - [Delete webhook](https://docs.socket.dev/reference/deleteorgwebhook.md): Delete a webhook. This will stop all future webhook deliveries to the webhook URL. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - webhooks:delete - [Get webhook](https://docs.socket.dev/reference/getorgwebhook.md): Get a webhook for the specified organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - webhooks:list - [List all webhooks](https://docs.socket.dev/reference/getorgwebhookslist.md): List all webhooks in the specified organization. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - webhooks:list - [Update webhook](https://docs.socket.dev/reference/updateorgwebhook.md): Update details of an existing webhook. This endpoint consumes 1 unit of your quota. This endpoint requires the following org token scopes: - webhooks:update