Maintaining the security of open-source software is becoming increasingly challenging, especially since every dependency can lead to dozens or hundreds of transitive dependencies. The security industry is mostly focused on vulnerabilities that have already been discovered. There are many CVE scanners that monitor applications for known vulnerabilities.
Socket has been designed with the assumption that all open-source packages may be malicious. Instead of searching for known vulnerabilities, it tries to detect signs of compromised packages.
Socket has a total of 70 detection markers in five different categories: supply chain risk, quality, maintenance, known vulnerabilities, and license. These issues as signals into the supply chain risk formula that determines whether we will raise an alert
The tool is available as a paid app for GitHub and also has a free version with limited functionality. In the future, the team will be adding more risk detection techniques as well as advanced reporting features. They will also add support for more languages (Java, Go, Python) and integrations with other platforms (GitLab, Bitbucket).