add socket tier 1 reachability analysis#1476
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5570205cf8
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| # annotation that GitHub Actions renders as a yellow run-level | ||
| # warning without failing the job. | ||
| set +e | ||
| socket scan create --reach \ |
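Review bot: the `set +e` placed just before `socket scan create --reach \` switches off errexit for every command that follows in this step, not only for the scan, so a later failing command in the same script (the log capture, the grep, the annotation) is silently ignored as well; re-enable it with `set -e` as soon as the scan's exit status has been saved, so the "warn without failing the job" path the comment describes stays limited to the scan result itself.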
Wait for the Socket scan report before passing
In this workflow the job exits with the status from socket scan create --reach, but the Socket CLI docs for scan create say the server responds with a scan URL that may not be done yet; the documented --report option is what “polls for completion” and returns a policy/result exit code. As written, the scheduled Action can go green after only submitting the scan, even if the asynchronous CVE/SBOM processing or policy report later fails, which undermines the red/green status described at the top of this new workflow.
Pull request overview
Adds a scheduled GitHub Actions workflow to run Socket’s reachability scan for js-stellar-sdk, so dependency vulnerabilities can be analyzed with Tier 1 reachability when possible.
Changes:
- Introduces a new scheduled + manual-dispatch workflow to run `socket scan create --reach`.
- Captures scan output to detect Tier 2 reachability fallbacks and emits a GitHub Actions warning when detected.
- Pins `actions/checkout` and `actions/setup-node` to specific SHAs for the workflow run.
| @@ -0,0 +1,79 @@ | |||
| # Socket reachability scan for js-stellar-sdk. | |||
| # For general Socket reachability documentation, see https://docs.socket.dev/docs/full-application-reachability | |||
| # Node project that uses yarn (has yarn.lock). | |||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: "20.20.2" | ||
| - name: Enable Corepack (yarn/pnpm per repo packageManager) | ||
| run: corepack enable |
| run: corepack enable | ||
|
|
||
| - name: Install Socket CLI | ||
| run: npm install -g socket |
| --reach-continue-on-missing-lock-files \ | ||
| . 2>&1 | tee /tmp/scan.log | ||
| rc=${PIPESTATUS[0]} | ||
| if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed" /tmp/scan.log; then |
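Review bot: `npm install -g socket` installs whatever the latest published Socket CLI is at each scheduled run, while `actions/checkout` and `actions/setup-node` in the same file are pinned to commit SHAs; pin the CLI as well (`npm install -g socket@<version>`, with the version chosen for this workflow) so the scanner that decides this job's status cannot change underneath it between runs. Separately, the fallback check `if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|..." /tmp/scan.log` only reads the log when the scan exited 0, so a run that fell back to Tier 2 and then exited non-zero is never surfaced as a fallback; run the grep independently of `rc` and combine the two results afterwards.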
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ad7aeb49f7
| # annotation that GitHub Actions renders as a yellow run-level | ||
| # warning without failing the job. | ||
| set +e | ||
| socket scan create --reach \ |
Associate scans with this repository
Because this scan create invocation does not pass --repo or --branch, and I found no socket.json/socket.yml in the repo to provide defaults, the Node Socket CLI falls back to socket-default-repository/socket-default-branch. On the scheduled workflow this files the js-stellar-sdk reachability result under the shared default project, where it can overwrite or be overwritten by other repos using the same org token, so the dashboard/alerts page will not reliably represent this repository.
More info: https://stellarorg.atlassian.net/wiki/spaces/SCRT/pages/5689311233/Socket+Tier+1+Reachability+Analysis