[APPSEC-1645] [Non-Prod] Add Socket Security Tier 1 reachability scan (#105)

ping-huang1 · claude · web-flow · commit a15f5d21c499 · 2026-04-09T10:21:22.000-07:00
* feat: add Socket Security Tier 1 reachability scan workflow

Adds a GitHub Actions workflow for Socket Security scanning with Tier 1
reachability analysis to identify which dependency vulnerabilities are
actually reachable in the codebase.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* fix: remove redundant SOCKET_SECURITY_API_KEY env var

Only SOCKET_SECURITY_API_TOKEN is needed; also corrected the secret
reference to use SOCKET_SECURITY_API_TOKEN.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* fix: source Socket API token from SOCKET_SECURITY_API_KEY secret

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/socket_reachability.yml b/.github/workflows/socket_reachability.yml
@@ -0,0 +1,80 @@
+# Socket Security Scan with Tier 1 Reachability Analysis
+#
+# This workflow scans dependencies and performs reachability analysis
+# to identify which vulnerabilities are actually reachable in the code.
+#
+# Required: SOCKET_SECURITY_API_KEY secret with enterprise plan
+# API token scopes needed: socket-basics, uploaded-artifacts, full-scans, repo
+
+name: Socket Security Scan
+
+on:
+  schedule:
+    - cron: "0 2 * * *" # Everyday at 2 AM UTC
+  workflow_dispatch:
+    inputs:
+      enable_reachability:
+        description: "Enable Tier 1 reachability analysis"
+        required: false
+        default: "true"
+        type: choice
+        options:
+          - "true"
+          - "false"
+
+concurrency:
+  group: socket-security-scan
+  cancel-in-progress: true
+
+jobs:
+  socket-security:
+    name: Socket Security Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 120
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Install uv (Python package manager)
+        uses: astral-sh/setup-uv@v4
+
+      - name: Install Socket CLI
+        run: uv pip install socketsecurity --upgrade --system
+
+      - name: Run Socket Security Scan
+        env:
+          SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_KEY }}
+          PYTHONUNBUFFERED: "1"
+          ENABLE_REACH: ${{ github.event.inputs.enable_reachability }}
+        run: |
+          REPO_NAME="${GITHUB_REPOSITORY#*/}"
+
+          # Build reachability flags if enabled
+          REACH_FLAGS=""
+          if [[ "${ENABLE_REACH}" != "false" ]]; then
+            REACH_FLAGS="--reach --reach-memory-limit 16384 --reach-timeout 3600"
+            echo "Reachability analysis enabled"
+          fi
+
+          echo "Scanning repository: $REPO_NAME"
+
+          socketcli \
+            --target-path "$GITHUB_WORKSPACE" \
+            --repo "$REPO_NAME" \
+            --enable-debug \
+            $REACH_FLAGS
