This page describes how Socket purls work

What is a Socket purl?

A Socket purl is based on the package-url (purl) standard, as documented in the purl specification on GitHub. There is a good description from that page:

A packageUrl (commonly pronounced and referred to as "purl") is an attempt to standardize package representations in order to reliably identify and locate software packages. A purl is a URL string which represents a package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.

A Socket purl is the package identifier used with the Packages API; the precise definition of the format can be found in the GitHub spec.

Constructing a Socket purl

The format for a purl is like the following:


For the Socket Packages endpoint, the scheme is always pkg. Here are some examples for different ecosystems:


pkg:npm/[email protected]


pkg:pypi/[email protected]


pkg:maven/log4j/[email protected]
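The following is an added example, not Socket's own code or part of the Packages API. It parses purls of the general purl-spec layout (scheme, type, optional namespace, name, optional version, qualifiers and subpath), rejects anything whose scheme is not pkg, and rebuilds a canonical string with the namespace and name percent-encoded. The sample purls (org.example, @acme/widget and so on) are constructed for the demonstration and are not real packages.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote

# Added example (not Socket's code). Handles the general purl layout
#   pkg:type/namespace/name@version?qualifiers#subpath
# Socket only requires the scheme to be "pkg"; the rest follows the purl spec.


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> Purl:
    """Split a purl string into its components, percent-decoding each one."""
    scheme, sep, rest = purl.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"purl scheme must be 'pkg': {purl!r}")
    rest = rest.lstrip("/")  # the spec tolerates 'pkg:/' and 'pkg://' prefixes
    rest, _, subpath = rest.partition("#")  # subpath follows the first '#'
    rest, _, qualifier_text = rest.partition("?")  # qualifiers follow the first '?'
    head, sep, tail = rest.rpartition("@")  # version follows the last '@'
    rest, version = (head, tail) if sep else (rest, None)
    ptype, _, path = rest.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    if not ptype or not segments:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    qualifiers: Dict[str, str] = {}
    for pair in filter(None, qualifier_text.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return Purl(
        type=ptype.lower(),
        name=segments[-1],
        namespace="/".join(segments[:-1]) or None,
        version=unquote(version) if version else None,
        qualifiers=qualifiers,
        subpath=unquote(subpath) or None,
    )


def build_purl(p: Purl) -> str:
    """Assemble a canonical purl string, percent-encoding each component.

    Qualifier keys are sorted so two equivalent purls serialise identically."""
    out = f"pkg:{p.type.lower()}/"
    if p.namespace:
        out += "/".join(quote(s, safe="") for s in p.namespace.split("/")) + "/"
    out += quote(p.name, safe="")
    if p.version:
        out += "@" + quote(p.version, safe="")
    if p.qualifiers:
        out += "?" + "&".join(
            f"{k.lower()}={quote(v, safe='')}" for k, v in sorted(p.qualifiers.items())
        )
    if p.subpath:
        out += "#" + quote(p.subpath, safe="/")
    return out


if __name__ == "__main__":
    # Constructed sample purls, mirroring the maven / npm / pypi shapes above.
    for sample in (
        "pkg:maven/org.example/demo-lib@2.3.4",
        "pkg:npm/%40acme/widget@1.0.0?arch=amd64#src/index.js",
        "pkg:pypi/requests-like@2.0.0",
    ):
        parsed = parse_purl(sample)
        print(parsed, "->", build_purl(parsed))
```

The scheme check is the part that matters for the Packages API: a string that does not begin with pkg: is rejected before any further parsing. Splitting the version on the last @ rather than the first is what lets a scoped npm namespace (encoded as %40acme) coexist with a version on the same purl.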