[Go to site: main page, start]
Documentation
  1. Socket CLI

Socket CLI FAQ

Does this run locally on my computer?

The CLI itself runs locally, but certain commands need to communicate with our public API, for example by uploading your dependency manifest files to Socket for analysis or asking about the repositories you've defined.

  • Socket is designed to work without the need to analyze, upload, or share your source code.
  • The only data we collect from your repository are manifest and associated lock files. For example, for npm we'd collect package.json / package-lock.json, for python requirements.txt / requirements.lock (or Pipfile.lock / poetry.lock / uv.lock), or Ruby Gemfile/Gemfile.lock. This is what we call the dependency snapshot. We do this for every ecosystem we support.
  • We use the dependency snapshot to determine the list of packages used by your repository, perform our open source risk analysis, and produce a report.

Can I look at reports locally on the computer?

Yes! If you have a Scan ID you can use socket scan view or socket scan report to view details on them. You can export them raw with the --json flag or get nice shareable output with the --markdown flag.

Why does my scan not show up in the alerts dashboard?

The alerts dashboard reflects the most recent scan on the repository's "default branch" that was designated as the alerts page. When you create a scan, --set-as-alerts-page defaults to true, but it only takes effect for scans on the branch Socket has configured as the default branch. So make sure you're scanning the default branch (set it on the first run with --default-branch) and that you haven't disabled it with --no-set-as-alerts-page (or --tmp).

It should still show up in the "Full Scans" page, regardless.

Why is there a Scan URL without results?

When using socket scan create the files are uploaded and a Scan ID is created and returned to you right away.

The actual report is generated lazily when you go to view it.

When you specify the --report flag, the CLI does this fetch for you and will trigger the generation, then reads the results to report the outcome to you.