This extension provides automatic reporting of security concerns from Socket Security. The features of this extension aim to provide guidance through all stages of development.
-
Package imports in JavaScript and Python are detected and given summary scores to show concerns with configurable overlays. These overlays will persist even after package installation.
-
Socket detects multiple alternate forms of package imports, including dynamic
import()orrequirein JavaScript orimportlib.import_modulein Python.
Workspaces are run against Socket's reporting utilities upon detection of JavaScript or Python dependencies. Note these also run prior to actual installation: presence in package.json, requirements.txt, or any other supported file is enough.
-
Package dependency files like
package.jsonandpyproject.tomlare run against more thorough issue reporting to see exact issues for each dependency. These are listed in the "Problems" tab for easy access. -
You can hover over package imports in JavaScript or Python code to see a summary of their issues.
- Simplified GitHub application installation is available as a code lens. It detects your username/organization and sets up the installation workflow automatically with a simple click. These reports are more extensive than the ones provided within the extension and include things such as transitive issue aggregation and diffing from one commit to another. If you want these features, please install the GitHub app.
If you are in charge of a team you may wish to setup this up as a recommended extension or other organization level settings. Please refer to our docs.