Socket - Supply Chain & Malicious Package Detection Cheatsheet
Socket is a software supply chain security tool focused on detecting malicious packages behaviorally rather than only matching known CVEs. It inspects what a dependency actually does — install scripts, network and filesystem access, obfuscated code, and other risky capabilities — to catch typosquats and compromised releases that signature-based scanners miss. It covers ecosystems including npm, PyPI, Go, Maven, and others, and integrates into the developer workflow via CLI, GitHub app, and CI.
Installation
| Method | Command |
|---|
| npm (CLI) | npm install -g @socketsecurity/cli |
| npx (no install) | npx @socketsecurity/cli --help |
| Homebrew | brew install socket |
| pip (Python CLI) | pip install socketsecurity |
| GitHub App | Install the Socket app from the GitHub Marketplace |
| Auth | socket login (set up an API token) |
Core CLI Commands
| Command | Description |
|---|
socket scan create . | Create a new supply-chain scan of the current project |
socket scan list | List previous scans for the org |
socket scan view <ID> | View results of a specific scan |
socket package score npm react | Get the supply-chain score for a package |
socket npm install <pkg> | Wrapper around npm that checks packages before installing |
socket npx <pkg> | Safe npx that vets the package first |
socket ci | Run a scan tuned for CI (non-zero exit on issues) |
socket --help | Full command reference |
What Socket Flags
| Capability/Signal | Why it matters |
|---|
| Install scripts | postinstall hooks are a common malware vector |
| Network access | Unexpected outbound connections at install/runtime |
| Filesystem access | Reading sensitive paths (SSH keys, env files) |
| Shell / process exec | Spawning shells or child processes |
| Obfuscated code | Minified/encoded payloads hiding behavior |
| Typosquats | Names that mimic popular packages |
| Telemetry / exfil | Data collection and exfiltration patterns |
Package Scores
# Inspect a single dependency before adding it
socket package score npm left-pad
socket package score pypi requests
# Compare risk on a candidate vs an alternative
socket package score npm chalk
Scores summarize supply-chain risk, quality, maintenance, and vulnerability dimensions so you can judge a dependency quickly.
CI / GitHub Integration
| Integration | Behavior |
|---|
| GitHub App | Comments on PRs that introduce risky dependency changes |
socket ci | Fails the pipeline when a scan exceeds thresholds |
| Config file | socket.yml tunes which issue types block vs warn |
| Diff-aware | Focuses on what a PR adds, reducing noise |
Configuration (socket.yml)
version: 2
issueRules:
installScripts: error
networkAccess: warn
telemetry: warn
obfuscatedCode: error
| Field | Purpose |
|---|
issueRules | Set each capability/issue to error, warn, or ignore |
projectIgnorePaths | Exclude paths from scanning |
Common Workflows
# Vet a dependency before it ever enters package.json
socket npm install some-package
# Gate a pull request in CI
socket ci
# Audit an existing repo's whole dependency tree
socket scan create . && socket scan list
Socket vs Traditional SCA
| Aspect | Socket | Traditional SCA (e.g. CVE matchers) |
|---|
| Primary signal | Behavior/capabilities | Known CVE database matches |
| Catches zero-day malware | Yes (behavioral) | No (needs a known CVE) |
| Typosquat detection | Yes | Limited |
| Best paired with | Syft/Grype, Sigstore | Socket for malware coverage |
Resources
