Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
add socket tier 1 reachability analysis #900
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Uh oh!
There was an error while loading. Please reload this page.
add socket tier 1 reachability analysis #900
Changes from all commits
ca9d22cac1fc0dbce907cc4059f207cd57c4797e23b1f77702807618File filter
Filter by extension
Conversations
Uh oh!
There was an error while loading. Please reload this page.
Jump to
Uh oh!
There was an error while loading. Please reload this page.
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This workflow is documented as covering the Android Gradle project, but the Socket invocation never enables manifest generation. I checked the repo and the Android dependencies are only described by
android/settings.gradle,android/build.gradle, andandroid/app/build.gradle; Socket'sscan create --helpsays--auto-manifestis necessary for Gradle/Kotlin, andsocket ci --autoManifestsimilarly says it is needed to include locally generated manifests like Gradle. Without that flag or a pre-generated SBOM/lockfile, the scheduled run can succeed while omitting the Android dependency graph from the reachability scan.Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When this scheduled/manual workflow runs without a checked-in
socket.jsonoverride (I checked the repo),socket scan createdoes not infer the GitHub repo/branch from Actions; Socket'sscan create --helpdocuments--repoas defaulting tosocket-default-repositoryand--branchtosocket-default-branch. As written, successful scans will be filed under those placeholder names instead offreighter-mobileand the scheduled/dispatch ref, so the repository's Socket alerts/history will not be updated for the code this workflow just analyzed. Pass--repo/--branch(and initialize the default branch if needed) from the GitHub context.Useful? React with 👍 / 👎.