Socket - Rilevamento della Supply Chain e dei Pacchetti Malevoli Cheatsheet
Socket è uno strumento di sicurezza della supply chain del software focalizzato su rilevare i pacchetti malevoli in modo comportamentale piuttosto che solo abbinare CVE noti. Ispeziona ciò che una dipendenza effettivamente fa — script di installazione, accesso alla rete e al filesystem, codice offuscato e altre capacità rischiose — per catturare typosquat e rilasci compromessi che gli scanner basati su firma non riescono a trovare. Copre ecosistemi tra cui npm, PyPI, Go, Maven e altri, e si integra nel flusso di lavoro dello sviluppatore tramite CLI, app GitHub e CI.
Installation
| Method | Command |
|---|
| npm (CLI) | npm install -g @socketsecurity/cli |
| npx (no install) | npx @socketsecurity/cli --help |
| Homebrew | brew install socket |
| pip (Python CLI) | pip install socketsecurity |
| GitHub App | Install the Socket app from the GitHub Marketplace |
| Auth | socket login (set up an API token) |
Core CLI Commands
| Command | Description |
|---|
socket scan create . | Create a new supply-chain scan of the current project |
socket scan list | List previous scans for the org |
socket scan view <ID> | View results of a specific scan |
socket package score npm react | Get the supply-chain score for a package |
socket npm install <pkg> | Wrapper around npm that checks packages before installing |
socket npx <pkg> | Safe npx that vets the package first |
socket ci | Run a scan tuned for CI (non-zero exit on issues) |
socket --help | Full command reference |
What Socket Flags
| Capability/Signal | Why it matters |
|---|
| Install scripts | postinstall hooks are a common malware vector |
| Network access | Unexpected outbound connections at install/runtime |
| Filesystem access | Reading sensitive paths (SSH keys, env files) |
| Shell / process exec | Spawning shells or child processes |
| Obfuscated code | Minified/encoded payloads hiding behavior |
| Typosquats | Names that mimic popular packages |
| Telemetry / exfil | Data collection and exfiltration patterns |
Package Scores
# Inspect a single dependency before adding it
socket package score npm left-pad
socket package score pypi requests
# Compare risk on a candidate vs an alternative
socket package score npm chalk
I punteggi riassumono il rischio della supply chain, la qualità, la manutenzione e le dimensioni della vulnerabilità così puoi giudicare rapidamente una dipendenza.
CI / GitHub Integration
| Integration | Behavior |
|---|
| GitHub App | Comments on PRs that introduce risky dependency changes |
socket ci | Fails the pipeline when a scan exceeds thresholds |
| Config file | socket.yml tunes which issue types block vs warn |
| Diff-aware | Focuses on what a PR adds, reducing noise |
Configuration (socket.yml)
version: 2
issueRules:
installScripts: error
networkAccess: warn
telemetry: warn
obfuscatedCode: error
| Field | Purpose |
|---|
issueRules | Set each capability/issue to error, warn, or ignore |
projectIgnorePaths | Exclude paths from scanning |
Common Workflows
# Vet a dependency before it ever enters package.json
socket npm install some-package
# Gate a pull request in CI
socket ci
# Audit an existing repo's whole dependency tree
socket scan create . && socket scan list
Socket vs Traditional SCA
| Aspect | Socket | Traditional SCA (e.g. CVE matchers) |
|---|
| Primary signal | Behavior/capabilities | Known CVE database matches |
| Catches zero-day malware | Yes (behavioral) | No (needs a known CVE) |
| Typosquat detection | Yes | Limited |
| Best paired with | Syft/Grype, Sigstore | Socket for malware coverage |
Resources
