feat: add Socket tier 1 reachability analysis support#125
Merged
- Add --reach flag and related CLI arguments for reachability analysis
- Add ReachabilityAnalyzer class to run @coana-tech/cli
- Add dependency checks for java, npm, uv, npx when --reach is enabled
- Add --only-facts-file mode to submit only .socket.facts.json
- Auto-install @coana-tech/cli if not present
- Stream reachability CLI output to stderr for user visibility
- Filter .socket.facts.json from manifest uploads but include in full scans
- Set tmp=False in FullScanParams to fix API 400 errors
🚀 Preview package published! Install with:
pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.18.dev1
Docker image:
…irement
- Add comprehensive reachability analysis parameters section to README
- Document all --reach-* CLI flags with descriptions and defaults
- List required dependencies (npm, npx, uv) excluding java
- Remove java from required dependencies check in socketcli.py
- Update usage synopsis to include reachability flags
ahmadnassri approved these changes on Nov 7, 2025
Add Socket tier 1 reachability analysis support to the Python CLI, enabling users to analyze which vulnerable functions in their dependencies are actually reachable from their code.
Why?
Reachability analysis helps teams prioritize security vulnerabilities by identifying which ones are actually exploitable in their codebase. This reduces alert fatigue by focusing on vulnerabilities in code paths that are actually used, rather than all theoretical vulnerabilities in dependencies. The feature integrates Coana's reachability engine via the --reach flag, automatically checking dependencies, installing required tools, and submitting analysis results to Socket for enhanced vulnerability assessment.
Key benefits:
- --only-facts-file mode
Public Changelog
Added reachability analysis support with new --reach flag. Enable reachability analysis to identify which vulnerable functions in your dependencies are actually called by your code. Requires uv, npm, and npx. Use --only-facts-file to submit only reachability results to an existing scan.
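The PR text describes two small pieces of logic worth seeing in working form: the prerequisite check that fails early when --reach is enabled but npm, npx or uv is missing, and the file-selection rule that keeps .socket.facts.json out of manifest-only uploads while including it in full scans or submitting it alone in --only-facts-file mode. The following is an added, illustrative reconstruction written for this page; it is not the socketsecurity project's own code, and every function name, the injectable `which` lookup, and the assumption that the facts file is matched by its basename are assumptions made here.

```python
"""Illustrative reconstruction of the --reach prerequisite check and the
facts-file upload filtering described in this PR.  Not the socketsecurity
project's code; names and structure are assumptions made for this example."""
import shutil
from pathlib import PurePath
from typing import Callable, Iterable, List, Optional

# Tools the PR's changelog says --reach requires (java was dropped in a later commit).
REACH_REQUIRED_TOOLS = ("npm", "npx", "uv")

# Name of the reachability results file referenced throughout the PR.
FACTS_FILE_NAME = ".socket.facts.json"


def missing_tools(required: Iterable[str] = REACH_REQUIRED_TOOLS,
                  which: Callable[[str], Optional[str]] = shutil.which) -> List[str]:
    """Return the required executables that cannot be found on PATH.

    `which` is injectable (assumed design choice) so the check can be exercised
    in a test without depending on what is installed on the host."""
    return [tool for tool in required if which(tool) is None]


def check_reach_prerequisites(reach_enabled: bool,
                              which: Callable[[str], Optional[str]] = shutil.which) -> None:
    """Fail fast with an actionable message instead of letting the external
    analyzer die part-way through a run.  No-op when --reach is not set."""
    if not reach_enabled:
        return
    missing = missing_tools(REACH_REQUIRED_TOOLS, which)
    if missing:
        raise RuntimeError(
            "--reach requires the following tools on PATH: " + ", ".join(missing))


def is_facts_file(path: str) -> bool:
    """Match on the basename only, so 'src/.socket.facts.json' is recognised
    but a stray 'notes/.socket.facts.json.bak' is not (assumed matching rule)."""
    return PurePath(path).name == FACTS_FILE_NAME


def select_upload_files(paths: Iterable[str], *, full_scan: bool,
                        only_facts_file: bool = False) -> List[str]:
    """Decide which discovered files are sent to the API.

    - only_facts_file=True : submit nothing but the facts file (--only-facts-file mode)
    - full_scan=True       : manifests plus the facts file
    - full_scan=False      : manifest-only upload, facts file filtered out
    """
    paths = list(paths)
    if only_facts_file:
        return [p for p in paths if is_facts_file(p)]
    if full_scan:
        return paths
    return [p for p in paths if not is_facts_file(p)]


if __name__ == "__main__":
    # Constructed sample input: a typical discovered-file list for a Python project.
    discovered = ["requirements.txt", "pyproject.toml",
                  "src/.socket.facts.json", "notes/.socket.facts.json.bak"]
    print("manifest upload:", select_upload_files(discovered, full_scan=False))
    print("full scan:     ", select_upload_files(discovered, full_scan=True))
    print("facts only:    ", select_upload_files(discovered, full_scan=True, only_facts_file=True))
    print("missing tools: ", missing_tools())
```

Injecting the lookup function rather than calling shutil.which directly keeps the prerequisite check deterministic in CI, and matching the facts file by basename rather than by suffix avoids accidentally uploading or suppressing unrelated files that merely contain the string.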