diff --git a/skills/socket-dep-patch/SKILL.md b/skills/socket-dep-patch/SKILL.md index 3c059b8..2beacdc 100644 --- a/skills/socket-dep-patch/SKILL.md +++ b/skills/socket-dep-patch/SKILL.md @@ -33,7 +33,8 @@ Use `/socket-dep-patch` when you want to fix vulnerabilities without risking bre ## Prerequisites -No API key is required for `socket-patch apply`. It works on the free tier. +- No API key is required for `socket-patch`. It works on the free tier. +- **Dependencies must be installed before patching.** `socket-patch` operates on installed packages (e.g. `node_modules/`). If dependencies are not yet installed, run the project's install command first (e.g. `npm install`, `pnpm install`, `bun install`, `pip install -r requirements.txt`). ## Step 1: Install socket-patch @@ -53,25 +54,25 @@ Verify installation: socket-patch --version ``` -## Step 2: Scan for Patchable Vulnerabilities +## Step 2: Scan for Available Patches -Before applying patches, do a dry run to see what would be patched: +Run `socket-patch scan` to discover which installed packages have Socket patches available. This downloads patch metadata to the `.socket/` folder without modifying any packages. ``` -socket-patch apply --dry-run +socket-patch scan ``` -This shows which packages have Socket patches available without modifying anything. +Review the output to see which packages have patches available and what vulnerabilities they address. ## Step 3: Apply Patches -Apply all available patches: +Apply all patches discovered by `socket-patch scan`: ``` socket-patch apply ``` -This modifies vulnerable packages in-place within `node_modules/` (or the equivalent for other ecosystems) by applying binary-level fixes. No version numbers change in your manifest or lock files. +This applies patches from the `.socket/` folder to installed packages (e.g. within `node_modules/`). No version numbers change in your manifest or lock files. After patching, verify the project still works: @@ -81,7 +82,7 @@ After patching, verify the project still works: ## Step 4: Verify -1. Run `socket-patch apply --dry-run` to confirm all available patches were applied +1. Run `socket-patch scan` to confirm all available patches were applied 2. Run the build to ensure nothing breaks 3. Commit `.socket/manifest.json` to version control to track which patches are applied @@ -96,8 +97,9 @@ To keep patches applied automatically in CI/CD or via postinstall hooks, use the ## Error Handling - **`socket-patch` not found**: Install it using one of the methods in Step 1. For CI, ensure the install step runs before `socket-patch apply`. -- **No patches available**: This means Socket doesn't have binary patches for the current vulnerabilities. Consider using the `/socket-dep-upgrade` skill to upgrade versions instead. -- **Build fails after patching**: Run `socket-patch apply --dry-run` to identify which patch caused the issue. Report the failing patch so the user can decide whether to skip it. +- **"No .socket folder found, skipping patch application"**: Dependencies may not be installed, or `socket-patch scan` was not run first. Ensure dependencies are installed (e.g. `npm install`), then run `socket-patch scan` before `socket-patch apply`. +- **No patches available**: Run `socket-patch scan` first to check. If scan finds nothing, Socket doesn't have binary patches for the current vulnerabilities. Consider using the `/socket-dep-upgrade` skill to upgrade versions instead. +- **Build fails after patching**: Run `socket-patch scan` to identify which patches are available, then apply selectively. Report the failing patch so the user can decide whether to skip it. - **Permission errors**: Ensure write access to `node_modules/` or the equivalent dependency directory. ## Tips diff --git a/skills/socket-fix/SKILL.md b/skills/socket-fix/SKILL.md index 0cac7ca..86c9552 100644 --- a/skills/socket-fix/SKILL.md +++ b/skills/socket-fix/SKILL.md @@ -19,6 +19,21 @@ This skill is an **orchestrator**. It does not have its own tools — it delegat - The user asks for a safe or conservative dependency repair - The user wants to progressively increase aggressiveness (start safe, escalate if needed) +## Prerequisites + +This orchestrator delegates to sub-skills with mixed authentication requirements: + +- `/socket-dep-cleanup` — **NO** account required +- `/socket-dep-patch` (`socket-patch apply`) — **NO** account required +- `/socket-dep-upgrade` (`socket fix`, `socket scan create`) — **account REQUIRED** +- `/socket-dep-replace` (`socket fix`, `socket scan create`) — **account REQUIRED** + +**Without a Socket account**, only Level 1 (Conservative) is fully available, as it uses only cleanup and patches. Levels 2 and 3 use `socket fix` for vulnerability discovery and upgrades, which requires authentication. + +If the user does not have a Socket account and requests Level 2 or 3, explain the limitation and either: +- Help them create an account at https://socket.dev, then proceed +- Fall back to Level 1 (cleanup + patches only) + ## Step 1: Detect Environment Before any repair work, identify the project's ecosystem and dependency landscape. @@ -26,6 +41,7 @@ Before any repair work, identify the project's ecosystem and dependency landscap 1. **Detect ecosystems** — check for manifest and lock files (`package.json`, `requirements.txt`, `go.mod`, `Cargo.toml`, etc.) to determine which package managers are in use 2. **Parse dependencies** — read manifest files to build a list of all direct dependencies (production and dev) 3. **Detect CI** — check for CI/CD configuration (`.github/workflows/`, `.gitlab-ci.yml`, `bitbucket-pipelines.yml`, etc.) to understand the project's build and test infrastructure +4. **Ensure dependencies are installed** — check for the presence of the dependency directory (`node_modules/`, `vendor/`, etc.). If dependencies are not installed, run the project's install command using the detected package manager (e.g. `npm install`, `pnpm install`, `bun install`). This is required for both patching (Phase 1b) and accurate unused dependency detection (Phase 1a). Report a brief summary: @@ -36,6 +52,7 @@ Environment detected: CI: GitHub Actions (Node 18/20 matrix) Build command: npm run build Test command: npm test + Dependencies installed: yes (node_modules/ present) ``` ## Step 2: Select Aggressiveness Level @@ -78,8 +95,9 @@ For each dependency in the project: Execute the `/socket-dep-patch` workflow: -1. Run `socket-patch apply --dry-run` to preview available patches -2. Apply all patches with `socket-patch apply` +1. Ensure dependencies are installed (should have been verified in Step 1) +2. Run `socket-patch scan` to discover available patches +3. Apply all patches with `socket-patch apply` 3. Build and test to verify nothing broke 4. Commit the patch manifest (`.socket/manifest.json`) @@ -153,7 +171,8 @@ Aggressive repair. Apply everything possible, skip and continue on individual fa ### Phase 3c: Patch Everything Remaining -1. Run `socket-patch apply` on everything remaining +1. Run `socket-patch scan` to discover patches for remaining dependencies +2. Run `socket-patch apply` to apply all discovered patches 2. Build and test 3. Commit patch manifest @@ -196,6 +215,7 @@ Repair Complete (Level 2 — Cautious) - **Build/test command unknown**: Ask the user for the correct build and test commands before starting repair. - **Socket CLI not available**: Binary patches and `socket fix` require the Socket CLI. Suggest running `/socket-setup` first, or fall back to cleanup-only mode (Phase 1a only). - **All upgrades fail in Level 3**: If every upgrade attempt fails, report what was tried and suggest the user investigate manually. The cleanup and patch phases may still have succeeded. +- **Authentication required**: Levels 2 and 3 use `socket fix` which requires a Socket account and API token. If the user is not authenticated, fall back to Level 1 (cleanup + patches only). To authenticate, run `socket login` or set `SOCKET_CLI_API_TOKEN`. To create an account, visit https://socket.dev. - **Network errors**: `socket fix` and `socket-patch` require network access. Check connectivity and retry once before skipping. ## Tips diff --git a/skills/socket-setup/SKILL.md b/skills/socket-setup/SKILL.md index 6559267..a392bc9 100644 --- a/skills/socket-setup/SKILL.md +++ b/skills/socket-setup/SKILL.md @@ -17,32 +17,105 @@ description: Set up Socket — prompt for API key, install the CLI, authenticate - User wants to configure Socket policies (`socket.yml`) - User wants to set up API tokens for CI or local development - User is having trouble authenticating +- User wants to install Socket tools globally for local development +- User wants to integrate Socket into Dockerfiles -## Step 1: Prompt for API Key -- Ask: do you want the **free** tier or **enterprise** tier? -- Free: no API key needed (free firewall, socket-patch apply) -- Enterprise: collect API key or guide to socket.dev to create one - - Sign in: https://socket.dev/auth/login +## Step 1: Check Prerequisites + +Run the helper to detect installed tools and their versions: + +``` +node scripts/helpers/socket-setup.mjs check-prereqs --dir . +``` + +Output example: +```json +{ + "node": { "installed": true, "version": "20.11.0", "ok": true }, + "socketCli": { "installed": true, "version": "1.2.3", "ok": true, "needsUpdate": false }, + "sfw": { "installed": false }, + "socketPatch": { "installed": false }, + "packageManager": "npm" +} +``` + +Handle results: + +- If `node.installed` is false: prompt the user to install Node.js. Suggest: + - **nvm** (recommended): `curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash` then `nvm install 20` + - **Homebrew** (macOS): `brew install node` + - **Official installer**: https://nodejs.org/ +- If `node.ok` is false: warn that Node.js 18+ is required and suggest upgrading +- If `socketCli.needsUpdate` is true: warn that the Socket CLI is below 1.x and prompt to update with `npm install -g socket@latest` +- If `socketCli.installed` is false: proceed to Step 3 (Install the CLI) + +## Step 2: Ask About Socket Account + +Ask the user whether they have or want to create a Socket account. There are three tiers: + +- **No account (free tools only)**: No sign-up required. Only `sfw` (firewall wrapper) and `socket-patch apply` (binary patches) are available. **Scanning (`socket scan create`), `socket fix`, package inspection (`/socket-inspect`), policy configuration, and dashboard access are NOT available without an account.** +- **Free account**: Create one at https://socket.dev. Enables `socket scan create`, `socket fix`, and dashboard access. All free-tools-only features are also available. + - Sign up / sign in: https://socket.dev/auth/login - Token page: https://socket.dev/dashboard/org/{ORG}/settings/integrations/api-tokens -- Store the tier choice for subsequent steps +- **Enterprise account**: All free account features plus reachability analysis (`socket scan reach`), policy configuration (`socket.yml`), and organization-level management. + +Store the tier choice for subsequent steps. + +## Step 3: Install the CLI +- Prerequisites: Node.js 18+ (verified in Step 1) +- `npm install -g socket` +- Verify: `socket --version` +- After install, re-run the helper to confirm the version is >= 1.x: + ``` + node scripts/helpers/socket-setup.mjs check-prereqs --dir . + ``` +- If `socketCli.ok` is false after install, error and suggest `npm install -g socket@latest` +- PATH troubleshooting: if `socket` is not found, check that the npm global bin directory is in `PATH` (run `npm bin -g` to find it) + +## Step 4: Authenticate (requires a Socket account) +- Interactive: `socket login` +- Manual token: `SOCKET_CLI_API_TOKEN` env var +- Verify: `socket organization list` +- Skip entirely if the user chose no-account in Step 2 +- **Authentication is required for scanning (`socket scan create`) and `socket fix`**, not just enterprise features + +## Step 5: Ask What to Set Up + +Ask the user which features to set up. Annotate each with its account requirement: -## Step 2: Install the CLI -- Prerequisites: Node.js 18+ -- npm install -g socket -- Verify: socket --version -- PATH troubleshooting +- **Firewall** (`sfw`) — no account needed +- **Patches** (`socket-patch apply`) — no account needed +- **Global Tools** — no account needed +- **Dockerfile Integration** — no account needed +- **Policies** (`socket.yml`) — enterprise only -## Step 3: Authenticate (Enterprise only) -- Interactive: socket login -- Manual token: SOCKET_CLI_API_TOKEN env var -- Verify: socket organization list -- Skip entirely for free tier +If the user asks for scanning or `socket fix` without an account, explain that these features require a Socket account and offer to help them create one at https://socket.dev. -## Step 4: Ask What to Set Up -- Ask the user: do you want to set up **Firewall**, **Patches**, **Policies** (enterprise only), or a combination? -- Route to the appropriate section(s) below +Route to the appropriate section(s) below. -## Step 5: Detect SCM and CI System +## Step 6: Global Tools Installation + +Ask the user if they want to install Socket tools globally (for local development) or just for CI. + +If global, install all tools via npm: + +``` +npm install -g socket +npm install -g sfw +npm install -g @socketsecurity/socket-patch +``` + +After installing, re-run the helper to verify each tool is available: + +``` +node scripts/helpers/socket-setup.mjs check-prereqs --dir . +``` + +Confirm that `socketCli.installed`, `sfw.installed`, and `socketPatch.installed` are all true. + +If any tool fails to install, check PATH and retry. The npm global bin directory can be found with `npm bin -g`. + +## Step 7: Detect SCM and CI System Run the CI detection helper for automated detection: @@ -79,6 +152,8 @@ Or manually detect: Replace `{platform}` with `linux-x64`, `darwin-arm64`, etc. as appropriate. +All Socket tools (sfw, socket-patch, socket CLI) are npm packages. The standalone curl method remains available for CI environments that may not have npm. + ### GitHub Actions - Use SocketDev/action@v1 - Free tier: mode: firewall-free (no socket-token needed) @@ -123,109 +198,6 @@ Replace `{platform}` with `linux-x64`, `darwin-arm64`, etc. as appropriate. - `npm install -g sfw` (or standalone binary as above) - Usage: `sfw npm install`, `sfw pip install`, etc. -## Socket Policy Configuration - -> **Enterprise only** — free tier users cannot configure policies. Skip this section if on the free tier. - -Configure Socket policies to control which issues are flagged during scans and CI checks. - -### Repository-Level Policy (`socket.yml`) - -Create or edit `socket.yml` in the repository root: - -```yaml -issueRules: - # CVE severity thresholds - criticalCVE: error # Block on critical CVEs - highCVE: warn # Warn on high CVEs - mediumCVE: ignore # Ignore medium CVEs - - # Supply-chain alerts - installScripts: error # Block packages with install scripts - networkAccess: warn # Warn on unexpected network access - shellAccess: warn # Warn on shell execution - filesystemAccess: ignore # Ignore filesystem access alerts - envVarsAccess: warn # Warn on environment variable reads - obfuscatedCode: error # Block obfuscated code - - # Malware - malware: error # Always block malware - - # License compliance - gplLicense: warn # Warn on GPL licenses - noLicense: warn # Warn on packages with no license - nonPermissiveLicense: warn # Warn on restrictive licenses - -projectIgnorePaths: - - "test/**" - - "tests/**" - - "examples/**" - - "docs/**" - - "__fixtures__/**" -``` - -Issue rule values: -- `error` — fail the check / block the PR -- `warn` — report but don't fail -- `ignore` — suppress entirely - -### Dashboard Policy Management (Enterprise) - -For enterprise customers, policies can also be managed via the Socket dashboard: - -- **Organization-level**: `https://socket.dev/dashboard/org/{ORG}/settings/policies` -- **Repository-level**: `https://socket.dev/dashboard/org/{ORG}/repo/{REPO}/settings/policies` - -### Policy Priority Order - -When multiple policies exist, they are applied in this order (highest priority first): - -1. Repository `socket.yml` in repo root -2. Organization-level dashboard policy -3. Socket defaults - -Repository-level settings override organization-level settings, which override defaults. - -## API Token Configuration - -Different Socket features use different tokens. Set up the appropriate tokens for your use case. - -### Token Types - -| Token | Environment Variable | Used By | Required For | -|-------|---------------------|---------|--------------| -| CLI API Token | `SOCKET_CLI_API_TOKEN` | Socket CLI (`socket` commands), CI/CD | Enterprise scans, `socket fix`, `socket organization list` | -| Security API Key | `SOCKET_SECURITY_API_KEY` | Batch PURL API (`api.socket.dev`) | Package inspection, license auditing | -| GitHub Action Token | `socket-token` (GitHub secret) | `SocketDev/action@v1` | Enterprise firewall mode in GitHub Actions | - -### Creating Tokens - -1. Sign in to the Socket dashboard: https://socket.dev/auth/login -2. Navigate to your organization's API tokens page: `https://socket.dev/dashboard/org/{ORG}/settings/integrations/api-tokens` -3. Create a new token with the appropriate scope -4. Copy the token value — it is only shown once - -### Setting Tokens per CI System - -| CI System | How to Set Secrets | -|-----------|-------------------| -| GitHub Actions | Repository Settings → Secrets and variables → Actions → New repository secret | -| GitLab CI | Settings → CI/CD → Variables → Add variable (masked, protected) | -| Bitbucket Pipelines | Repository settings → Repository variables | -| CircleCI | Project Settings → Environment Variables | -| Jenkins | Credentials → Add Credentials → Secret text | -| Azure Pipelines | Pipelines → Library → Variable groups | - -### Local Development - -For local development, authenticate using one of: - -- **Interactive login**: `socket login` (stores credentials in `~/.socket/`) -- **Environment variable**: Set `SOCKET_CLI_API_TOKEN` in your shell profile or `.env.local` -- **Per-project**: Add `SOCKET_SECURITY_API_KEY` to `.env.local` (ensure `.env.local` is in `.gitignore`) - -**Never commit API tokens to version control.** Use `socket login` locally and environment variables / secrets in CI. - ## Patch Infrastructure Setup Set up automated patching so `socket-patch apply` runs after every dependency install. For one-time manual patching, use the `/socket-dep-patch` skill instead. @@ -250,7 +222,7 @@ Before configuring automation, scan the project to find ALL places where depende | `pyproject.toml` / `setup.py` | build system config | | `Cargo.toml` | build scripts | -For each location, record the file path, the install command, and where to insert `socket-patch apply` (after install, before build). +For each location, record the file path, the install command, and where to insert `socket-patch scan` and `socket-patch apply` (after install, before build). Present findings to the user before making changes. @@ -260,14 +232,14 @@ Use the appropriate command to run `socket-patch` based on the project's package | Package Manager | Run socket-patch | |----------------|-----------------| -| npm | `npx @socketsecurity/socket-patch apply` | -| pnpm | `pnpx @socketsecurity/socket-patch apply` | -| yarn | `npx @socketsecurity/socket-patch apply` | -| bun | `bunx @socketsecurity/socket-patch apply` | -| deno | `deno run npm:@socketsecurity/socket-patch apply` | -| Python | `pipx run socket-patch apply` (if pipx available), else `pip install socket-patch && socket-patch apply` | -| Standalone | `curl -fsSL https://raw.githubusercontent.com/SocketDev/socket-patch/main/install.sh \| sh` then `socket-patch apply` | -| GitHub Actions | `SocketDev/action@v1` with `mode: patch` (preferred) | +| npm | `npx @socketsecurity/socket-patch scan` then `npx @socketsecurity/socket-patch apply` | +| pnpm | `pnpx @socketsecurity/socket-patch scan` then `pnpx @socketsecurity/socket-patch apply` | +| yarn | `npx @socketsecurity/socket-patch scan` then `npx @socketsecurity/socket-patch apply` | +| bun | `bunx @socketsecurity/socket-patch scan` then `bunx @socketsecurity/socket-patch apply` | +| deno | `deno run npm:@socketsecurity/socket-patch scan` then `deno run npm:@socketsecurity/socket-patch apply` | +| Python | `pipx run socket-patch scan && pipx run socket-patch apply` (if pipx available), else `pip install socket-patch && socket-patch scan && socket-patch apply` | +| Standalone | `curl -fsSL https://raw.githubusercontent.com/SocketDev/socket-patch/main/install.sh | sh` then `socket-patch scan && socket-patch apply` | +| GitHub Actions | `SocketDev/action@v1` with `mode: patch` (preferred — handles scan+apply automatically) | Use the appropriate runner (`npx`, `pnpx`, `bunx`, etc.) based on the detected package manager in the sections below. @@ -293,6 +265,7 @@ Add a step to install `socket-patch` and apply patches after dependency install. before_script: - curl -fsSL https://raw.githubusercontent.com/SocketDev/socket-patch/main/install.sh | sh - npm install + - socket-patch scan - socket-patch apply ``` @@ -304,6 +277,7 @@ Add a step to install `socket-patch` and apply patches. Use the appropriate pack script: - curl -fsSL https://raw.githubusercontent.com/SocketDev/socket-patch/main/install.sh | sh - npm install + - socket-patch scan - socket-patch apply ``` @@ -313,7 +287,8 @@ Generic pattern for any CI system: 1. Install `socket-patch` via curl, npm, or the appropriate package manager runner (see reference table above) 2. Run your normal dependency install step -3. Run `socket-patch apply` after install, before build +3. Run `socket-patch scan` to discover available patches +4. Run `socket-patch apply` after scan, before build ### Local Development (npm Projects) @@ -323,7 +298,7 @@ Run `socket-patch setup` to add a postinstall hook to `package.json`: socket-patch setup ``` -This auto-adds `"postinstall": "socket-patch apply"` to your `package.json` scripts, so patches are applied every time `npm install` runs. +This auto-adds a postinstall hook to your `package.json` scripts that runs `socket-patch scan && socket-patch apply` every time `npm install` runs. ### Dockerfile Patterns @@ -334,6 +309,7 @@ FROM node:20-alpine WORKDIR /app COPY package*.json ./ RUN npm ci +RUN npx @socketsecurity/socket-patch scan RUN npx @socketsecurity/socket-patch apply COPY . . RUN npm run build @@ -346,6 +322,7 @@ Add a patch target that runs after install. Adapt commands to match the project' ```makefile install: npm ci + socket-patch scan socket-patch apply build: install @@ -356,9 +333,199 @@ build: install If the project uses an unusual build system, use the appropriate package manager runner (see reference table above): -- **Interpreted projects** (Python, Ruby): add `socket-patch apply` after `pip install` / `bundle install` -- **Compiled projects** (Rust, Go, Java): add after dependency fetch, before compile -- **Containers**: add a `RUN socket-patch apply` layer after the install layer +- **Interpreted projects** (Python, Ruby): add `socket-patch scan && socket-patch apply` after `pip install` / `bundle install` +- **Compiled projects** (Rust, Go, Java): add `socket-patch scan && socket-patch apply` after dependency fetch, before compile +- **Containers**: add `RUN socket-patch scan` and `RUN socket-patch apply` layers after the install layer + +## Dockerfile Integration + +Detect Dockerfiles and edit them directly to integrate Socket's firewall and/or patch tools. + +### Step 1: Detect Dockerfiles + +Run the helper to find all Dockerfiles in the project: + +``` +node scripts/helpers/socket-setup.mjs detect-dockerfiles --dir . +``` + +Output example: +```json +{ + "dockerfiles": [ + { + "path": "Dockerfile", + "installLines": [ + { "line": 5, "command": "RUN npm ci", "ecosystem": "npm" } + ], + "hasSfw": false, + "hasPatch": false + } + ] +} +``` + +If no Dockerfiles are found or none contain dependency install steps, skip this section. + +### Step 2: Read and Edit Dockerfiles + +For each Dockerfile that has install steps, read the file and apply edits directly. + +**Determine the mode** based on what the user chose in Step 5 (Firewall, Patches, or both). + +**For each install line** reported by `detect-dockerfiles`: + +- **Firewall mode**: Insert `RUN npm install -g sfw` on a new line before the install step. Prefix the install command with `sfw` (e.g., `RUN npm ci` → `RUN sfw npm ci`). +- **Patch mode**: Insert `RUN npx @socketsecurity/socket-patch scan` and `RUN npx @socketsecurity/socket-patch apply` on new lines after the install step, before any build or COPY steps. +- **Both modes**: Apply both sets of changes (sfw install + prefix before, socket-patch after). + +**Rules**: +- Only modify stages that have dependency install steps (multi-stage build awareness — check for `FROM` lines to identify stage boundaries) +- Skip lines that already contain `sfw` (check `hasSfw` from detection output) or `socket-patch` (check `hasPatch`) to ensure idempotency +- Use the appropriate package manager runner for socket-patch (`npx` for npm, `pnpx` for pnpm, `bunx` for bun — see Package Manager Reference table) + +### Step 3: Present Changes for Approval + +Before writing the modified Dockerfile, present the proposed changes to the user and explain each edit: +- **Firewall**: inserts `RUN npm install -g sfw` before the install step, prefixes the install command with `sfw` +- **Patches**: inserts `RUN npx @socketsecurity/socket-patch scan` and `RUN npx @socketsecurity/socket-patch apply` after the install step, before build/copy steps + +Only write the file after the user approves. + +**Example** — a Dockerfile before and after (both modes): + +Before: +```dockerfile +FROM node:20-alpine +WORKDIR /app +COPY package*.json ./ +RUN npm ci +COPY . . +RUN npm run build +``` + +After: +```dockerfile +FROM node:20-alpine +WORKDIR /app +COPY package*.json ./ +RUN npm install -g sfw +RUN sfw npm ci +RUN npx @socketsecurity/socket-patch scan +RUN npx @socketsecurity/socket-patch apply +COPY . . +RUN npm run build +``` + +## Socket Policy Configuration + +> **Enterprise only** — free tier users cannot configure policies. Skip this section if on the free tier. + +Configure Socket policies to control which issues are flagged during scans and CI checks. + +### Repository-Level Policy (`socket.yml`) + +Generate a `socket.yml` template using the helper: + +``` +node scripts/helpers/socket-setup.mjs generate-config --tier enterprise > socket.yml +``` + +This creates a `socket.yml` with `version: 2` and default issue rules: + +```yaml +version: 2 +issueRules: + # CVE severity thresholds + criticalCVE: error # Block on critical CVEs + highCVE: warn # Warn on high CVEs + mediumCVE: ignore # Ignore medium CVEs + + # Supply-chain alerts + installScripts: error # Block packages with install scripts + networkAccess: warn # Warn on unexpected network access + shellAccess: warn # Warn on shell execution + filesystemAccess: ignore # Ignore filesystem access alerts + envVarsAccess: warn # Warn on environment variable reads + obfuscatedCode: error # Block obfuscated code + + # Malware + malware: error # Always block malware + + # License compliance + gplLicense: warn # Warn on GPL licenses + noLicense: warn # Warn on packages with no license + nonPermissiveLicense: warn # Warn on restrictive licenses + +projectIgnorePaths: + - "test/**" + - "tests/**" + - "examples/**" + - "docs/**" + - "__fixtures__/**" +``` + +Issue rule values: +- `error` — fail the check / block the PR +- `warn` — report but don't fail +- `ignore` — suppress entirely + +### Dashboard Policy Management (Enterprise) + +For enterprise customers, policies can also be managed via the Socket dashboard: + +- **Organization-level**: `https://socket.dev/dashboard/org/{ORG}/settings/policies` +- **Repository-level**: `https://socket.dev/dashboard/org/{ORG}/repo/{REPO}/settings/policies` + +### Policy Priority Order + +When multiple policies exist, they are applied in this order (highest priority first): + +1. Repository `socket.yml` in repo root +2. Organization-level dashboard policy +3. Socket defaults + +Repository-level settings override organization-level settings, which override defaults. + +## API Token Configuration + +Different Socket features use different tokens. Set up the appropriate tokens for your use case. + +### Token Types + +| Token | Environment Variable | Used By | Required For | +|-------|---------------------|---------|--------------| +| CLI API Token | `SOCKET_CLI_API_TOKEN` | Socket CLI (`socket` commands), CI/CD | Enterprise scans, `socket fix`, `socket organization list` | +| Security API Key | `SOCKET_SECURITY_API_KEY` | Batch PURL API (`api.socket.dev`) | Package inspection, license auditing | +| GitHub Action Token | `socket-token` (GitHub secret) | `SocketDev/action@v1` | Enterprise firewall mode in GitHub Actions | + +### Creating Tokens + +1. Sign in to the Socket dashboard: https://socket.dev/auth/login +2. Navigate to your organization's API tokens page: `https://socket.dev/dashboard/org/{ORG}/settings/integrations/api-tokens` +3. Create a new token with the appropriate scope +4. Copy the token value — it is only shown once + +### Setting Tokens per CI System + +| CI System | How to Set Secrets | +|-----------|-------------------| +| GitHub Actions | Repository Settings → Secrets and variables → Actions → New repository secret | +| GitLab CI | Settings → CI/CD → Variables → Add variable (masked, protected) | +| Bitbucket Pipelines | Repository settings → Repository variables | +| CircleCI | Project Settings → Environment Variables | +| Jenkins | Credentials → Add Credentials → Secret text | +| Azure Pipelines | Pipelines → Library → Variable groups | + +### Local Development + +For local development, authenticate using one of: + +- **Interactive login**: `socket login` (stores credentials in `~/.socket/`) +- **Environment variable**: Set `SOCKET_CLI_API_TOKEN` in your shell profile or `.env.local` +- **Per-project**: Add `SOCKET_SECURITY_API_KEY` to `.env.local` (ensure `.env.local` is in `.gitignore`) + +**Never commit API tokens to version control.** Use `socket login` locally and environment variables / secrets in CI. ## Error Handling @@ -367,12 +534,18 @@ If the project uses an unusual build system, use the appropriate package manager - **`socket organization list` returns empty**: The API token may lack organization access. Verify the token at https://socket.dev/dashboard and ensure it has the correct scopes. - **`sfw` not intercepting installs**: Ensure `sfw` is in `PATH` before the package manager. In CI, verify the install step runs before any dependency install commands. - **GitHub Action fails with permission errors**: Ensure the `socket-token` secret is set correctly in the repository settings and the workflow has `contents: read` permission. +- **Socket CLI version < 1.x**: Run `npm install -g socket@latest` to update. Verify with `node scripts/helpers/socket-setup.mjs check-prereqs`. +- **Dockerfile editing issues**: Run `detect-dockerfiles` to verify which files and lines need changes. Only edit stages with dependency install steps and skip lines that already contain `sfw` or `socket-patch`. ## Tips - Never commit API tokens. Use `socket login` locally, env vars in CI. -- `socket-patch apply` does not require an API key. +- `socket-patch apply` does not require an API key or Socket account. +- `socket scan create`, `socket fix`, and `/socket-inspect` **require** a Socket account and API token. Without an account, only `sfw` and `socket-patch apply` are available. If a user needs scanning, fix, or package inspection capabilities, help them create an account at https://socket.dev. - Use `SocketDev/action@v1` (correct casing) in GitHub workflow files. - For monorepos, use `patch-cwd` to target specific directories. - After setup, use the `/socket-scan` skill for a first audit and the `/socket-inspect` skill for package inspection. - For GitHub repos, consider also installing the Socket Security GitHub App for automatic PR scanning. +- Run `node scripts/helpers/socket-setup.mjs check-prereqs` at any time to verify tool installation status. +- Use `node scripts/helpers/socket-setup.mjs detect-dockerfiles --dir .` to find all Dockerfiles before manual editing. +- The generated `socket.yml` uses `version: 2` — ensure this line is preserved when editing policies.