From 3fbbcf7b9483ec6b91c6a607edc2c39a0d1a9420 Mon Sep 17 00:00:00 2001
From: Kanwalpreet Dhindsa
Date: Fri, 12 Jun 2026 00:54:01 -0700
Subject: [PATCH 1/3] add socket tier 1 reachability analysis

---
 .github/workflows/socket-scan.yml | 79 +++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 .github/workflows/socket-scan.yml

diff --git a/.github/workflows/socket-scan.yml b/.github/workflows/socket-scan.yml
new file mode 100644
index 000000000..80209ac26
--- /dev/null
+++ b/.github/workflows/socket-scan.yml
@@ -0,0 +1,79 @@
+# Socket reachability scan for laboratory.
+# For general Socket reachability documentation, see https://docs.socket.dev/docs/full-application-reachability
+# Node project that uses pnpm (has pnpm-lock.yaml).
+#
+# Schedule: Sat 16:24 UTC weekly. Use workflow_dispatch to run on demand.
+#
+# ============================================================================
+# Socket scan — reading the job status. (The scan step below produces this: an
+# exit code + an optional ::warning:: annotation, which GitHub Actions renders
+# as the job's state.)
+# ============================================================================
+# GREEN (exit 0, no warning): scan completed and every analyzed vulnerability
+# got full Tier 1 reachability (precise, your-code-aware). Nothing to do.
+# YELLOW (exit 0 + "::warning:: Socket scan completed with Tier 2 fallbacks"):
+# scan completed, but Tier 1 could NOT be computed for some/all
+# vulnerabilities, which fell back to Tier 2 (precomputed) reachability.
+# You still get CVE detection + Tier 2 results, just reduced precision
+# for the affected CVEs. The job is NOT failing.
+# RED (non-zero exit): scan did not complete. Do not assume any part
+# succeeded — could be reachability hard-failing, a missing language
+# toolchain, the runner out of memory, a network/API error, or even the
+# underlying CVE/SBOM detection failing. Check the logs and fix before
+# relying on results.
+# ============================================================================
+
+name: Socket reachability scan
+
+on:
+ schedule:
+ - cron: '24 16 * * 6'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+env:
+ # Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to
+ # use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove
+ # after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op).
+ FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+ socket-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+ with:
+ node-version: "22.22.3"
+ - name: Enable Corepack (yarn/pnpm per repo packageManager)
+ run: corepack enable
+
+ - name: Install Socket CLI
+ run: npm install -g socket
+
+ - name: Run Socket reachability scan
+ env:
+ SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }}
+ run: |
+ # Stream the scan output through tee so the run log captures it AND
+ # we can grep it for Tier-2-fallback markers; capture the scan's
+ # exit code via ${PIPESTATUS[0]} (tee always exits 0). If the scan
+ # succeeded but logged a Tier 2 fallback, emit a ::warning::
+ # annotation that GitHub Actions renders as a yellow run-level
+ # warning without failing the job.
+ set +e
+ socket scan create --reach \
+ --org=stellar \
+ --no-interactive \
+ --reach-continue-on-no-source-files \
+ --reach-continue-on-analysis-errors \
+ --reach-continue-on-install-errors \
+ --reach-continue-on-missing-lock-files \
+ . 2>&1 | tee /tmp/scan.log
+ rc=${PIPESTATUS[0]}
+ if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed" /tmp/scan.log; then
+ echo "::warning::Socket scan completed with Tier 2 fallbacks - some vulnerabilities used precomputed reachability instead of full Tier 1"
+ fi
+ exit $rc
From db5e380ac62b6d7082c3e7e57a9975e7b0350bda Mon Sep 17 00:00:00 2001
From: Kanwalpreet Dhindsa
Date: Mon, 29 Jun 2026 02:41:57 -0700
Subject: [PATCH 2/3] add socket tier 1 reachability analysis

---
 .github/workflows/socket-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/socket-scan.yml b/.github/workflows/socket-scan.yml
index 80209ac26..78b2038ee 100644
--- a/.github/workflows/socket-scan.yml
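Review bot: The Tier 2 detection in the `grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed" /tmp/scan.log` line keys off free-text log phrases, so any change in the CLI's wording turns a degraded scan into GREEN, which the header comment defines as "Nothing to do"; the second patch in this series already has to add a third phrase to the same pattern, which shows how brittle the match is. Because the `::warning::` annotation is the only signal separating full Tier 1 from fallback, a wording miss fails silently rather than loudly. If the CLI offers a machine-readable output mode, parse that instead; otherwise also require a positive Tier 1 completion marker so an unrecognised log format yields YELLOW rather than GREEN, keep the phrase list in one shell variable, and quote `"$rc"` in the test. The rewritten tail of the `run: |` block is below; the Tier 1 completion marker is a placeholder to be taken from the CLI's actual output.

```yaml
          rc=${PIPESTATUS[0]}
          # Phrases the CLI prints when a vulnerability fell back to Tier 2 (precomputed) reachability.
          fallback_re="Reachability falls back to Tier 2|fallback to the results from the pre-computed"
          # PLACEHOLDER: replace with the phrase the CLI prints when Tier 1 analysis completed.
          tier1_re="TIER1_COMPLETION_MARKER_PLACEHOLDER"
          if [ "$rc" -eq 0 ]; then
            if grep -qE "$fallback_re" /tmp/scan.log; then
              echo "::warning::Socket scan completed with Tier 2 fallbacks - some vulnerabilities used precomputed reachability instead of full Tier 1"
            elif ! grep -qE "$tier1_re" /tmp/scan.log; then
              # Exit 0 with neither marker: the log format is unrecognised, so do not report GREEN.
              echo "::warning::Socket scan exited 0 but no Tier 1 completion marker was found in the log; check the CLI output format"
            fi
          fi
          exit $rc
```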
+++ b/.github/workflows/socket-scan.yml
@@ -46,7 +46,7 @@ jobs:
 - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
- node-version: "22.22.3"
+ node-version: "24.18.0"
 - name: Enable Corepack (yarn/pnpm per repo packageManager)
 run: corepack enable
 
@@ -73,7 +73,7 @@ jobs:
 --reach-continue-on-missing-lock-files \
 . 2>&1 | tee /tmp/scan.log
 rc=${PIPESTATUS[0]}
- if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed" /tmp/scan.log; then
+ if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed" /tmp/scan.log; then
 echo "::warning::Socket scan completed with Tier 2 fallbacks - some vulnerabilities used precomputed reachability instead of full Tier 1"
 fi
 exit $rc
From d46465838c5c9fc38992fe7a20248531a7ce6aca Mon Sep 17 00:00:00 2001
From: Kanwalpreet Dhindsa
Date: Tue, 30 Jun 2026 12:38:30 -0700
Subject: [PATCH 3/3] add socket tier 1 reachability analysis

---
 .github/workflows/socket-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/socket-scan.yml b/.github/workflows/socket-scan.yml
index 78b2038ee..3c54d1033 100644
--- a/.github/workflows/socket-scan.yml
+++ b/.github/workflows/socket-scan.yml
@@ -51,7 +51,7 @@ jobs:
 run: corepack enable
 
 - name: Install Socket CLI
- run: npm install -g socket
+ run: npm install -g socket@1.1.129
 
 - name: Run Socket reachability scan
 env:
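Review bot: `run: npm install -g socket@1.1.129` pins the CLI's own version but not its dependency tree: npm still resolves the package's transitive dependencies against the registry on every scheduled run and executes their lifecycle scripts, so this remains the one unpinned input in a workflow whose actions and Node version are otherwise pinned by SHA or exact version. The exposure is bounded — the step has no secrets in its environment and the job has only `contents: read` — but the Socket API token is used by the following step on the same runner. If the CLI works without lifecycle scripts, `run: npm install -g --ignore-scripts socket@1.1.129` removes the install-time code execution; installing from a committed lockfile into a scratch directory instead of `-g` would make the step reproducible, and a one-line comment on why 1.1.129 was chosen would make the next bump deliberate. The `socket-scan` job's steps list begins and ends outside this hunk.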