Socket Security (GitHub Action)

A GitHub Action for running Socket.dev

Tip

A GitHub App is also available for a fully automated SCA workflow.

Usage

This action can run in multiple modes; the `firewall-free` and `firewall-enterprise` modes are documented below.

Why We Recommend Pinning

Socket is a security control, so the action that installs it should be pinned, too. We recommend pinning to an immutable commit SHA for the strongest supply-chain protection. If your organization prefers easier readability, pin to an immutable version tag instead. Either way, Dependabot can keep the reference current while preserving a human review gate.
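The pinning advice above is easy to state and easy to let slip across a repository full of workflows. The following checker is an added example (not part of the SocketDev/action project) that scans a workflow file for `uses:` references and classifies each one as a 40-hex commit SHA, a full version tag, or a floating ref such as a branch or a major-version tag, so a reviewer or a CI lint step can catch the unpinned ones. The sample workflow embedded in it is constructed for the demo and only borrows the pinned lines shown on this page; the local-action and `docker://` steps are there to exercise every code path.

```python
import re
from typing import Dict, List

# Constructed sample workflow for the demo (not from the original page). It mixes
# SHA-pinned steps, a version-tag step, a branch ref, a local action and a
# container reference so that each classification path is exercised.
SAMPLE_WORKFLOW = """\
on: push
jobs:
  safe-install:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: SocketDev/action@2d3f25590c6ed6ba11a9a14c064d962a3a04698f # v1.3.1
        with:
          mode: firewall-free
      - uses: SocketDev/action@v1.3.1
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - run: sfw npm install
"""

# A `uses:` line, optionally followed by a trailing "# comment" (usually the
# human-readable version next to a SHA pin).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")


def classify_ref(target: str) -> Dict[str, object]:
    """Split an action reference into name and ref, and grade how it is pinned.

    Kinds: "sha" (immutable commit), "tag" (full version tag), "floating"
    (branch or major-version tag that can move), "missing-ref", "local"
    (action checked out with the repo) and "docker" (container image; pinning
    images by digest is a separate concern not handled here).
    """
    if target.startswith("./"):
        return {"action": target, "ref": "", "kind": "local"}
    if target.startswith("docker://"):
        return {"action": target, "ref": "", "kind": "docker"}
    action, at, ref = target.rpartition("@")
    if not at:
        return {"action": target, "ref": "", "kind": "missing-ref"}
    if SHA_RE.fullmatch(ref):
        kind = "sha"
    elif VERSION_TAG_RE.fullmatch(ref):
        kind = "tag"
    else:
        kind = "floating"
    return {"action": action, "ref": ref, "kind": kind}


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line, with its line number and comment."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        info = classify_ref(m.group(1))
        info["line"] = lineno
        info["comment"] = (m.group(2) or "").strip()
        findings.append(info)
    return findings


def unpinned(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """The findings a review gate should block on: refs that can silently change."""
    return [f for f in findings if f["kind"] in ("floating", "missing-ref")]


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per kind, handy for a one-line CI summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        kind = str(f["kind"])
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for f in results:
        note = ""
        if f["kind"] == "sha" and not f["comment"]:
            note = "  (SHA pin without a version comment; hard to review)"
        print(f"line {f['line']:>3}: {f['kind']:<11} {f['action']}@{f['ref']}{note}")
    print("summary:", summarize(results))
    print("unpinned:", [f["action"] for f in unpinned(results)])
```

Run it against real workflow files by reading `.github/workflows/*.yml` into `audit_workflow`; failing the job when `unpinned()` is non-empty gives the human review gate the paragraph describes. The version comment next to a SHA is what keeps the pin readable, so the script also points out SHA pins that lack one.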

Socket Firewall: Free

Downloads and installs Socket Firewall: Free edition in your GitHub Action job, making it available to use in subsequent steps.

Most secure: pin to a commit SHA

```yaml
on: push

jobs:
  safe-install:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - uses: SocketDev/action@2d3f25590c6ed6ba11a9a14c064d962a3a04698f # v1.3.1
        with:
          mode: firewall-free

      # javascript / typescript
      - run: sfw npm install # or yarn, pnpm

      # rust
      - run: sfw cargo fetch

      # python
      - run: sfw pip install -r requirements.txt
```

Slightly less secure: pin to an immutable version tag

```yaml
on: push

jobs:
  safe-install:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - uses: SocketDev/action@v1.3.1
        with:
          mode: firewall-free

      # javascript / typescript
      - run: sfw npm install # or yarn, pnpm

      # rust
      - run: sfw cargo fetch

      # python
      - run: sfw pip install -r requirements.txt
```

Dependabot config

```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      semver-major-days: 14
      semver-minor-days: 7
      semver-patch-days: 3
```

Add a cooldown period if you want an extra buffer before newly published action releases are proposed. That gives the ecosystem a little time to surface regressions before Dependabot opens an update PR in your repo.

Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| `firewall-version` | Specify the firewall version number | No | `latest` |
| `job-summary` | Create a job summary (`all`, `errors`, or `none`) | No | `all` |
| `use-cache` | Cache the Socket binaries (force download if `false`) | No | `true` |
| `github-token` | GitHub API token used for downloading binaries | No | `${{ github.token }}` |

Outputs

| Output | Description |
|---|---|
| `firewall-path-report` | Path to the generated firewall report JSON |
| `firewall-path-binary` | Path to the installed binary |

Socket Firewall: Enterprise

Downloads and installs Socket Firewall: Enterprise edition in your GitHub Action job, making it available to use in subsequent steps as a wrapper.

Most secure: pin to a commit SHA

```yaml
on: push

jobs:
  safe-install:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - uses: SocketDev/action@2d3f25590c6ed6ba11a9a14c064d962a3a04698f # v1.3.1
        with:
          mode: firewall-enterprise
          socket-token: ${{ secrets.SOCKET_API_KEY }}

      # javascript / typescript
      - run: sfw npm install # or yarn, pnpm

      # rust
      - run: sfw cargo fetch

      # python
      - run: sfw pip install -r requirements.txt
```

Slightly less secure: pin to an immutable version tag

```yaml
on: push

jobs:
  safe-install:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - uses: SocketDev/action@v1.3.1
        with:
          mode: firewall-enterprise
          socket-token: ${{ secrets.SOCKET_API_KEY }}

      # javascript / typescript
      - run: sfw npm install # or yarn, pnpm

      # rust
      - run: sfw cargo fetch

      # python
      - run: sfw pip install -r requirements.txt
```

Dependabot config

```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      semver-major-days: 14
      semver-minor-days: 7
      semver-patch-days: 3
```

Add a cooldown period if you want an extra buffer before newly published action releases are proposed. That gives the ecosystem a little time to surface regressions before Dependabot opens an update PR in your repo.

Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| `firewall-version` | Specify the firewall version number | No | `latest` |
| `job-summary` | Create a job summary (`all`, `errors`, or `none`) | No | `all` |
| `use-cache` | Cache the Socket binaries (force download if `false`) | No | `true` |
| `github-token` | GitHub API token used for downloading binaries | No | `${{ github.token }}` |
| `socket-token` | Socket API token | Yes | - |

Outputs

| Output | Description |
|---|---|
| `firewall-path-report` | Path to the generated firewall report JSON |
| `firewall-path-binary` | Path to the installed binary |
