New top story on SPARTA NEWS: Show HN: Socket – Secure your JavaScript supply chain


Excited to share the project I've been working on for the past 7 months! We've seen nearly weekly attacks against the open source software supply chain. I saw the seeds of this trend start in the mid 2015s as an open source maintainer and I've watched it only get worse over the years. I finally decided to try to solve this problem.

Socket is taking an entirely new approach to one of the hardest problems in security in a stagnant part of the industry that has historically been obsessed with just reporting on known vulnerabilities. Unlike other scanning tools, Socket actually analyzes the package code to characterize the package's behavior. This way, Socket can detect when packages use security-relevant platform capabilities, such as the network, filesystem, or shell.

You can search for any npm package and see issues that we've flagged for each package. We look for 70 issues (full list here: https://ift.tt/lACdyNW) and we put those into a Package Health score. See these examples: https://ift.tt/dRKNQki https://ift.tt/2QMoaks

Socket looks for indicators present in all of the recent npm supply chain attacks. We're proactively auditing every package on npm to flag these issues.

Separately, we have a GitHub app that you can install. It detects typosquat attacks and leaves a comment on your pull request to let you know you might have installed the wrong package. We're currently working to enable it to leave comments for more of the package issues that we can detect, but we want to get the UX really good on that first, so we've released it and labeled it "beta".

Happy to answer questions.
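As an added illustration of the two kinds of check the post describes (this is example code written for this page, not Socket's own analysis), the Node.js script below does a minimal version of both: it reports which security-relevant platform capabilities (network, filesystem, shell) a package's source reaches for, based on the Node built-in modules it requires or imports, and it flags package names within one edit (including an adjacent-character swap) of a popular package. The popular-package list, the sample package sources and the issue names are all constructed for the example. A pattern match over module strings is deliberately shallow: it cannot see a module name assembled at runtime, which is why the script also flags `eval` and `new Function` as a separate dynamic-code indicator; a real analyzer works on the parsed code rather than on regexes.

```javascript
// Added example (not Socket's code): a minimal static audit of an npm package
// for capability use and typosquatting. Requires Node.js 12+ (String.matchAll).

// Node built-in modules grouped by the capability they grant (constructed list).
const CAPABILITY_MODULES = {
  network: ['http', 'https', 'net', 'dns', 'tls', 'dgram', 'http2'],
  filesystem: ['fs', 'fs/promises'],
  shell: ['child_process'],
};

// Constructed sample of "popular" names a typosquat would imitate.
const POPULAR_PACKAGES = ['lodash', 'express', 'react', 'chalk', 'request', 'axios'];

// Literal module references: require('x'), import ... from 'x', import 'x', import('x').
const REQUIRE_RE = /\brequire\s*\(\s*['"`]([^'"`]+)['"`]\s*\)/g;
const IMPORT_RE = /\bimport\s+(?:[^'"`;]*?\s+from\s+)?['"`]([^'"`]+)['"`]/g;
const DYN_IMPORT_RE = /\bimport\s*\(\s*['"`]([^'"`]+)['"`]\s*\)/g;
// Dynamic code execution, which can hide module names from the regexes above.
const DYNAMIC_CODE_RE = /\beval\s*\(|\bnew\s+Function\s*\(/;

// Collect every module name referenced by a literal string (strips the "node:" prefix).
function referencedModules(source) {
  const mods = new Set();
  for (const re of [REQUIRE_RE, IMPORT_RE, DYN_IMPORT_RE]) {
    for (const m of source.matchAll(re)) mods.add(m[1].replace(/^node:/, ''));
  }
  return mods;
}

// Map referenced modules to the capabilities they grant, sorted for stable output.
function detectCapabilities(source) {
  const mods = referencedModules(source);
  return Object.entries(CAPABILITY_MODULES)
    .filter(([, names]) => names.some((n) => mods.has(n)))
    .map(([cap]) => cap)
    .sort();
}

// Optimal string alignment distance: insert/delete/substitute cost 1,
// and swapping two adjacent characters ("loadsh" vs "lodash") also costs 1.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        dp[i][j] = Math.min(dp[i][j], dp[i - 2][j - 2] + 1);
      }
    }
  }
  return dp[a.length][b.length];
}

// Popular names that differ from the candidate by at most one edit (exact matches are fine).
function typosquatCandidates(name, popular = POPULAR_PACKAGES) {
  return popular.filter((p) => p !== name && editDistance(name, p) <= 1);
}

// Audit a package given as { name, files: { path: source } }; returns a list of issues.
function auditPackage(pkg) {
  const issues = [];
  const squats = typosquatCandidates(pkg.name);
  if (squats.length) issues.push({ type: 'typosquat', detail: `looks like ${squats.join(', ')}` });
  for (const [file, source] of Object.entries(pkg.files)) {
    for (const cap of detectCapabilities(source)) issues.push({ type: `uses-${cap}`, file });
    if (DYNAMIC_CODE_RE.test(source)) issues.push({ type: 'dynamic-code', file });
  }
  return issues;
}

// Constructed sample packages: one that a scanner should flag, one that is clean.
const SAMPLE_PACKAGES = [
  {
    name: 'loadsh', // constructed: one adjacent swap away from "lodash"
    files: {
      'index.js': "const cp = require('child_process');\nconst https = require('https');\n" +
        "cp.exec('ls', () => https.get('https://example.invalid'));",
    },
  },
  {
    name: 'left-pad-clone',
    files: { 'index.js': 'module.exports = (s, n) => String(s).padStart(n);' },
  },
];

for (const pkg of SAMPLE_PACKAGES) console.log(pkg.name, auditPackage(pkg));

module.exports = { auditPackage, detectCapabilities, editDistance, typosquatCandidates };
```

Running the script prints the flagged issues for `loadsh` (typosquat of `lodash`, uses network, uses shell) and an empty list for the clean package; in a CI hook the same `auditPackage` result is what you would turn into a pull-request comment.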
