{"id":"socket-api","name":"Socket Security API","homepage":"https://socket.dev","repo_url":"https://github.com/SocketDev","category":"security","subcategories":["supply-chain-security","dependency-scanning","package-security","malware-detection"],"tags":["socket","supply-chain","npm","pypi","dependency-security","malware","typosquatting","sbom","rest-api"],"what_it_does":"Socket Security provides deep package analysis for open-source dependencies across npm, PyPI, Maven, Conda, and other ecosystems, detecting supply chain attacks, malware, typosquatting, protestware, and risky code patterns before they enter your codebase. Unlike CVE-only scanners, Socket analyzes the actual package code for suspicious behaviors like unexpected network calls, shell execution, filesystem access, and obfuscated code — catching zero-day supply chain threats that CVE databases miss. The REST API enables programmatic package scoring, CI/CD integration, and alert management.","use_cases":["Pre-install package vetting: score an npm/PyPI package before adding it to a project","CI/CD gate: block dependency updates that introduce new supply chain risks","SBOM enrichment: augment software bills of materials with Socket risk scores","Security alert triage: query active supply chain alerts across all monitored repositories","Package comparison: compare two package versions to identify newly introduced risky behaviors","Dependency monitoring: watch packages for reputation changes after initial installation"],"not_for":["Runtime application security monitoring (DAST/IAST)","Network security or endpoint protection","CVE-only vulnerability management (use Snyk or Dependabot for pure CVE tracking)","Go modules, Rust crates, or Ruby gems (limited ecosystem support beyond npm/PyPI/Maven)"],"best_when":"You want to catch supply chain attacks and malicious packages proactively — especially zero-day threats where no CVE exists yet — before they enter your dependency tree.","avoid_when":"You only care about known CVEs and are fine with traditional vulnerability databases; Socket's behavioral analysis adds value primarily for supply chain threat detection beyond CVE matching.","alternatives":[{"id":"snyk-api","reason":"Better for CVE-based vulnerability management and broader DevSecOps integration"},{"id":"semgrep-api","reason":"Better for first-party code SAST rather than third-party package analysis"},{"id":"github-rest-api","reason":"Dependabot provides native CVE-based dependency alerts within GitHub for free"}],"af_score":75.7,"security_score":null,"reliability_score":null,"package_type":"mcp_server","discovery_source":["github"],"priority":"low","status":"evaluated","version_evaluated":"current","last_evaluated":"2026-03-01T09:50:06.234351+00:00","performance":{"latency_p50_ms":300,"latency_p99_ms":1200,"uptime_sla_percent":99.5,"rate_limits":"Rate limits apply; specific thresholds not publicly documented — test for your plan tier","data_source":"llm_estimated","measured_on":null}}