Open
Labels: research, security
Summary
Evaluate Socket.dev as an additional supply chain security layer across all SmartEM repos. Socket performs behavioural analysis of package code, catching threats that have no CVE yet — a gap in our current tooling.
Current Security Stack
| Tool | What it covers |
|---|---|
| Dependabot | Known CVEs in dependencies, automated version bump PRs |
| OSV-Scanner | Known vulns from OSV database (broader than NVD) |
| GitHub Secret Scanning | Leaked credentials/tokens in commits |
| Grype (evaluating) | CVE matching with EPSS exploit probability scoring |
| Trivy (evaluating) | CVEs + IaC misconfig + secrets + licence compliance |
All of these are reactive — they match dependencies against databases of already-known vulnerabilities.
What Socket Adds
Socket does behavioural/static analysis of package source code, detecting:
- Malicious packages — malware, data exfiltration, crypto-miners
- Typosquatting — packages with names deceptively similar to popular ones
- Install script abuse — `preinstall`/`postinstall` hooks executing arbitrary code
- Obfuscated code — base64-encoded payloads, minified malicious logic
- Risky API usage — unexpected network calls, filesystem writes, `eval()`, env var access
- Maintainer takeover signals — ownership changes, abandoned-then-revived packages
- Telemetry/data collection — packages phoning home without disclosure
This covers the zero-day window between a malicious package being published and a CVE being issued — a period where none of our current tools provide protection.
Attack Surface
Our repos have mixed npm + PyPI dependencies across 8+ projects:
| Repo | Ecosystem | Package Manager |
|---|---|---|
| smartem-frontend | npm | npm |
| smartem-devtools | npm | npm |
| sci-react-ui | npm | pnpm |
| pato-frontend | npm | yarn |
| smartem-decisions | PyPI | pip/uv |
| smartem-devtools (Python) | PyPI | pip |
| cryoem-services | PyPI | pip |
| fandanGO-cryoem-dls | PyPI | pip (requirements.txt, no lock file) |
npm is the most heavily targeted ecosystem for supply chain attacks. PyPI attacks have also escalated significantly in 2025-2026.
Integration
- GitHub App — installs at org level, comments on PRs when new/changed dependencies introduce risk
- Supported ecosystems — npm, pnpm, yarn, PyPI, Go, Maven, Cargo, and others
- Pricing — free Team plan for public open source projects
Recommended Actions
- Install Socket GitHub App on DiamondLightSource org
- Enable for smartem-frontend, smartem-decisions, smartem-devtools, sci-react-ui, fandanGO-cryoem-dls
- Monitor for false positive rate over a few weeks, tune if needed
- Separately: add a lock file with hashes to fandanGO-cryoem-dls (currently bare `requirements.txt`)
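
Added example (not part of the original issue and not code from any of the listed repos): a check for the last recommended action, flagging entries in a `requirements.txt` that pip's hash-checking mode (`--require-hashes`) would not accept. The sample file contents and the all-zero hash are constructed, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample inputs; not taken from the fandanGO-cryoem-dls repository.
BARE = """\
# runtime deps
requests
numpy>=1.24
pyyaml==6.0.1
"""
LOCKED = """\
pyyaml==6.0.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-f]+")
# name[extras] == version, rejecting wildcards (1.*) and compound specifiers (==1.0,<2)
PIN_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*===?\s*[^\s;,*]+(?=\s|;|$)"
)


def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line:
            yield line


def audit(text):
    """Return (requirement, problem) pairs for entries lacking an exact pin or a hash."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("-"):
            # Option lines (-r, --index-url, ...) are skipped; editable installs are flagged.
            if line.startswith(("-e", "--editable")):
                findings.append((line, "editable install cannot be hash-checked"))
            continue
        spec = line.split("--hash")[0].strip()
        if not PIN_RE.match(spec):
            findings.append((spec, "not pinned with =="))
        elif not HASH_RE.search(line):
            findings.append((spec, "pinned but no --hash"))
    return findings


if __name__ == "__main__":
    for spec, problem in audit(BARE):
        print(f"{spec}: {problem}")
```

Run in CI against the repo's requirements file, a non-empty result can fail the build until every entry is pinned and hashed.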