Socket
Secure your JavaScript supply chain
Feross Aboukhadijeh
Socket for GitHub 1.0 — Secure your JavaScript supply chain – block malware packages
Detect and block software supply chain attacks

Unlike a traditional vulnerability scanner, Socket can actually detect an active supply chain attack and help you to block it. Socket detects over 60 issues in open source code, for comprehensive protection.
Replies
Feross Aboukhadijeh
Today we're excited to announce the 1.0 release of Socket for GitHub – we're finally out of beta! We're shipping a big update to Socket for GitHub to help developers protect their apps from software supply chain attacks. Today, thousands of organizations rely on Socket to prevent bad packages from infiltrating their software supply chain.

For those not familiar, here's a quick review of how Socket for GitHub works: Socket watches for changes to “package manifest” files such as package.json, package-lock.json, and yarn.lock. Whenever a new dependency is added in a pull request, Socket analyzes the package's behavior and leaves a comment if it is a security risk.

== What's new in 1.0 ==

The most common feedback we've received from users is that they'd like Socket to detect more issues beyond the typosquat detection that we launched with. We're happy to share that in 1.0, we're upgrading Socket for GitHub to detect 5 additional supply chain security issues. If you've already installed Socket, you will automatically get these improvements – no need to take any action.

Starting with today's release, Socket will automatically monitor GitHub pull requests for these software supply chain risks:

- 📜 Install scripts
- 📞 Telemetry
- 🫣 Native code
- ☠️ Known Malware
- 🧌 Troll packages

We selected these package issues – out of the 70+ issues that Socket supports – to bring to Socket for GitHub because we believe they're high-signal and high-confidence, with few false positives. We are always working on improving and extending our analysis to improve coverage and increase reliability.

We will continue to add more detections in future releases. Next up on our list is detecting network access, filesystem access, shell access, environment variable access, obfuscated code, and more. We'll release these in Socket for GitHub soon.

We are so grateful to the users, customers, and advisors who have supported us so far.
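The manifest-diffing pull request check described in the post, as an added example that is not Socket's own code: it diffs a base and head package.json, then flags each newly added dependency whose registry manifest shows install scripts, native code, or a name on a denylist. All package names, manifests and the denylist are constructed placeholders standing in for registry lookups; telemetry and troll-package detection need analysis of the package contents and are not shown here.

```javascript
// npm lifecycle hooks that run automatically when a package is installed
// from the registry; a script in any of these executes on a developer's machine.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Hypothetical denylist of known-bad package names (placeholder, not real packages).
const KNOWN_MALWARE = new Set(['malware-placeholder']);

// Constructed in-memory stand-in for registry metadata, keyed by package name.
const REGISTRY = {
  'util-pad': { name: 'util-pad', version: '1.0.0', scripts: { test: 'node test.js' } },
  'native-image-lib': { name: 'native-image-lib', version: '0.1.0', gypfile: true,
                        scripts: { install: 'node-gyp rebuild' } },
  'metrics-beacon': { name: 'metrics-beacon', version: '2.0.0',
                      scripts: { postinstall: 'node report.js' } },
  'malware-placeholder': { name: 'malware-placeholder', version: '0.0.1' },
};

// Constructed manifests: the base branch and the pull request head.
const BASE = { dependencies: { 'util-pad': '^1.0.0' } };
const HEAD = { dependencies: { 'util-pad': '^1.0.0', 'native-image-lib': '^0.1.0' },
               devDependencies: { 'metrics-beacon': '^2.0.0' } };

function allDeps(manifest) {
  return { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
}

// Dependency names present in the head manifest but absent from the base manifest.
function addedDependencies(baseManifest, headManifest) {
  const before = allDeps(baseManifest);
  return Object.keys(allDeps(headManifest)).filter((name) => !(name in before));
}

// Inspect one package manifest and return the list of issues it raises.
function findIssues(pkg) {
  const issues = [];
  const scripts = pkg.scripts || {};
  const hooks = INSTALL_HOOKS.filter((hook) => hook in scripts);
  if (hooks.length) issues.push(`install scripts (${hooks.join(', ')})`);
  // A gypfile flag or a node-gyp/prebuild step means compiled native code is built or fetched.
  if (pkg.gypfile || hooks.some((hook) => /node-gyp|prebuild/.test(scripts[hook]))) {
    issues.push('native code');
  }
  if (KNOWN_MALWARE.has(pkg.name)) issues.push('known malware');
  return issues;
}

// Review every newly added dependency; returns { packageName: [issue, ...] }.
function reviewPullRequest(baseManifest, headManifest, registry = REGISTRY) {
  const report = {};
  for (const name of addedDependencies(baseManifest, headManifest)) {
    const pkg = registry[name];
    report[name] = pkg ? findIssues(pkg) : ['not found in registry'];
  }
  return report;
}
```

In a real check the registry map would be replaced by fetching each added package's published manifest, and packages with a non-empty issue list would get a review comment on the pull request.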
Standard JS
Congrats, Socket team!
Speakeasy
We use Socket to protect our app and love it.
Study Notes
Socket user here! 👋
Wormhole
Wormhole depends on Socket to detect and block malicious dependencies from our open source software supply chain. Socket is a security tool built by the Wormhole team to solve one of the hardest problems in security.

The standard approach in industry is to scan for known vulnerabilities (CVEs). But this doesn't proactively catch malware or backdoors in dependencies. It can take months for a CVE to be discovered and reported. In fact, a recent paper found that malware is available on package managers for over 200 days before it's caught. We needed something that could detect and block a bad package before it's been discovered by the open source community, and definitely before it makes it into our codebase.

In order to protect Wormhole users, we audit every open source package we use to detect and block dozens of package issues. Most supply chain attacks follow a similar pattern (stealing environment variables, sending data to the network, etc.) so we built a tool that could catch all of the recent NPM supply chain attacks. The tool analyzes the actual behavior of the package instead of relying on stale data in a CVE database.

On March 1, 2022 we announced the public launch of Socket to help defend the open source ecosystem. Socket provides the most comprehensive open source risk analysis on the market, and we're releasing it for free for the open source community.
FreeTheFeross
❤️