From 0f490cb2638ad7c1660b3a8363cbe59fd9141aea Mon Sep 17 00:00:00 2001
From: Ivan Sanchez
Date: Sat, 28 Feb 2026 02:59:41 -0600
Subject: [PATCH] feat: add Socket Security supply chain scanning
---
 .github/workflows/socket-security.yml | 20 ++++++++++++
 socket.yml | 46 +++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 .github/workflows/socket-security.yml
 create mode 100644 socket.yml
diff --git a/.github/workflows/socket-security.yml b/.github/workflows/socket-security.yml
new file mode 100644
index 0000000..f728abd
--- /dev/null
+++ b/.github/workflows/socket-security.yml
@@ -0,0 +1,20 @@
+name: Socket Security
+
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ issues: write
+ security-events: write
+ steps:
+ - uses: actions/checkout@v6
+
+ - uses: SocketDev/socket-security-py-action@v1
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/socket.yml b/socket.yml
new file mode 100644
index 0000000..7be9afd
--- /dev/null
+++ b/socket.yml
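Review bot: Both `uses:` lines in the new workflow reference third-party actions by mutable tag (`actions/checkout@v6`, `SocketDev/socket-security-py-action@v1`), so the supply-chain scanner itself can be silently replaced by anyone able to move those tags. Pin each to a full-length commit SHA with the version in a trailing comment, e.g. `- uses: SocketDev/socket-security-py-action@<full-commit-sha> # v1`, and let Dependabot or Renovate bump the SHA. The permissions block also grants `issues: write` and `security-events: write`; if the action only posts PR comments those two can likely be dropped for least privilege, though I can't confirm the action's requirements from this diff. Note too that on `pull_request` runs from forks `GITHUB_TOKEN` is read-only by default, so the write scopes will not take effect for external contributors.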
@@ -0,0 +1,46 @@
+version: 2
+
+issueRules:
+ # Supply chain threats — critical for a security plugin
+ malware: true
+ didYouMean: true
+ gptMalware: true
+ installScripts: true
+ obfuscatedFile: true
+ manifestConfusion: true
+ troll: true
+
+ # Runtime behavior — high relevance for a sandboxing project
+ networkAccess: true
+ shellAccess: true
+ envVars: true
+ filesystemAccess: true
+ usesEval: true
+
+ # Dependency sourcing risks
+ gitDependency: true
+ httpDependency: true
+ gitHubDependency: true
+
+ # Ownership and maintenance
+ unstableOwnership: true
+ newAuthor: true
+ deprecated: true
+ unmaintained: true
+
+ # Vulnerability tracking
+ criticalCVE: true
+ cve: true
+ mediumCVE: true
+
+ # Quality signals
+ trivialPackage: true
+ highEntropyStrings: true
+ debugAccess: true
+ telemetry: true
+
+githubApp:
+ enabled: true
+ pullRequestAlertsEnabled: true
+ dependencyOverviewEnabled: true
+ projectReportsEnabled: true
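Review bot: Every rule under `issueRules` is a bare `true`, which says nothing about whether a finding blocks the PR or merely annotates it, and it treats a `malware` hit exactly like noisy quality signals such as `trivialPackage`, `newAuthor` or `telemetry`. Unless Socket's v2 schema maps `true` to a blocking action (I can't confirm that from this file), the workflow added in the same commit will pass on a malicious dependency, while the uniform volume from the quality rules invites reviewers to start ignoring the comments. I'd record the intended enforcement in a header comment, e.g. `# Enforcement: malware/installScripts/obfuscatedFile/criticalCVE must fail the PR; remaining rules are advisory — confirm the schema supports per-rule actions`, and verify the scan job actually fails on that blocking set. Minor: the file lacks a `---` document-start marker.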