A Buildkite plugin that scans your project's dependencies for supply chain risks using Socket. It wraps the Socket CLI socket scan create --report, which creates a scan, waits for the report, and fails the build if the scan violates your organization's security or license policy.
Add the following to your pipeline.yml:
steps:
- label: ":socket: Socket scan"
plugins:
- socket#v1.0.0: ~The plugin needs a Socket API token. The simplest approach is to expose it as the SOCKET_SECURITY_API_KEY environment variable (for example, via Cluster secrets or agent environment), which the Socket CLI reads natively:
steps:
- label: ":socket: Socket scan"
secrets:
- SOCKET_SECURITY_API_KEY
plugins:
- socket#v1.0.0: ~If your token lives in a differently named variable, point api-token-env at it:
steps:
- label: ":socket: Socket scan"
plugins:
- socket#v1.0.0:
api-token-env: MY_SOCKET_TOKEN
directory: ./app
auto-manifest: trueName of the environment variable that holds your Socket API token. Defaults to SOCKET_SECURITY_API_KEY. The plugin reads that variable and exports it as SOCKET_SECURITY_API_KEY for the CLI.
Directory to scan. Defaults to ..
Wait for the report and fail the build if the scan violates your security or license policy. Defaults to true. Set to false to create a scan without gating the build.
Auto-generate manifest files for ecosystems that require it (for example, Gradle or sbt). Defaults to false.
Socket organization slug to scan under. Defaults to $SOCKET_CLI_ORG_SLUG. In
CI the plugin always runs the CLI with --no-interactive, so if your API token
is associated with more than one organization you must set this (or
$SOCKET_CLI_ORG_SLUG) β otherwise the CLI cannot resolve the org and the scan
fails instead of prompting.
steps:
- label: ":socket: Socket scan"
secrets:
- SOCKET_SECURITY_API_KEY
plugins:
- socket#v1.0.0:
org: my-org-slugRepository name to associate the scan with. Defaults to the repository name
derived from $BUILDKITE_REPO (for example, cli from
https://github.com/buildkite/cli.git), falling back to $BUILDKITE_PIPELINE_SLUG.
Branch name to associate the scan with. Defaults to $BUILDKITE_BRANCH.
Version of the socket npm package to install when the CLI is not already present. Defaults to latest.
Install the Socket CLI via npm install -g if it is not already on the agent's PATH. Defaults to true. Set to false if you pre-install the CLI on your agents.
Additional arguments passed through to socket scan create.
steps:
- label: ":socket: Socket scan"
plugins:
- socket#v1.0.0:
args:
- --jsonnodeandnpmavailable on the agent (used to install the Socket CLI wheninstallis enabled).- A Socket API token. See Create Socket API Key for CI/CD.
Run the tests with the Buildkite plugin tester:
docker compose run --rm testsLint the plugin:
docker compose run --rm lintMIT (see LICENSE).