Security shouldn’t require juggling half a dozen tools.
Modern software teams often end up managing separate scanners for static analysis, secrets detection, container vulnerabilities, and dependency issues. Each tool has its own setup, its own configuration files, and its own reports — all slightly different and hard to reconcile.
That complexity slows everyone down. Developers get buried in noise. Security teams lose visibility. And keeping everything in sync becomes a full-time job.
Socket Basics brings all the core security checks together — static analysis, secrets detection, container scanning, and CVE vulnerability scanning — into one simple platform. It gives you a single view of your application’s risk across every important layer, without having to stitch together multiple systems.
What Socket Basics Does
Static Analysis (SAST)
Static analysis finds insecure code patterns before they cause real problems — things like command injection, unsafe deserialization, or misuse of dangerous APIs.
Socket Basics supports 14 programming languages out of the box. It ships with proven rulesets for common vulnerabilities and lets you add community or custom rules as needed. That means you get meaningful results on day one, with room to adapt to your own codebase over time.
Secrets Detection
Secrets — API keys, tokens, passwords — leak into source code constantly. One stray commit can expose your infrastructure.
Socket Basics automatically scans commits, branches, and pull requests for sensitive data before it’s merged. It catches both verified and likely secrets, giving developers fast feedback and security teams the visibility to respond quickly.
Container Security
Containers make deployments portable, but they also inherit vulnerabilities from base images and Dockerfile misconfigurations.
Socket Basics scans your images and Dockerfiles for known CVEs and risky configurations before they ship. It checks for outdated base images, unnecessary privileges, and other issues that often slip through CI/CD pipelines.
CVE Scanning for Any Language
Socket’s next-gen SCA dependency analysis already covers 10+ ecosystems including JavaScript, TypeScript, Python, Go, Java, Ruby, .NET, Scala, Kotlin, and Rust.
With Socket Basics, CVE vuln scanning now extends to the rest of the languages in your stack — PHP, C/C++, and more. You get reliable CVE detection for all your dependencies, no matter where they come from.
Why “Basics”?
We built Socket to reinvent software supply chain security — starting with next-generation SCA, reachability analysis, and malicious package detection.
Socket Basics complements that by unifying the foundational scanners that every team needs. It’s powered by the best open source security tools in each category — pre-integrated, tuned, and managed by Socket so you don’t have to.
Think of it as your security essentials kit: the fastest way to get complete baseline coverage for code, containers, and secrets without spending weeks on setup.
Later, we’ll go beyond “Basics” with new versions that push these scanners further using Socket’s own proprietary analysis techniques. But today, you get the strongest open source tools available, all running inside the Socket platform.
Configure Once, Protect Everywhere
Security configuration should be centralized, not scattered across YAML files.
With Socket Basics, you define your scanning policy once in the Socket Dashboard — what to scan, what to ignore, what rules to enforce — and it automatically applies across all your repositories.
Any policy changes update everywhere instantly. No pull requests, no merge conflicts, no manual edits.
If you prefer local control, you can still override settings via CLI flags, environment variables, or JSON files. It’s flexible, but by default, it just works.
Integrations That Reach the Right People
A finding is only useful if the right person sees it. Socket Basics integrates directly with the tools your team already uses:
- Slack — Real-time alerts to security and development channels
- Jira — Automatic ticket creation for triaging and tracking remediation
- Microsoft Teams — Notifications in your collaboration hub
- Microsoft Sentinel — SIEM integration for enterprise security operations
- Sumo Logic — Log aggregation and analysis
- GitHub — Pull request comments with inline security findings
- Webhooks — Custom integrations with your internal tools
Each integration is designed to deliver the right level of detail for its audience. Developers get actionable feedback in context. Security teams get aggregated metrics and trends. Operations teams get structured data for dashboards and reports.

Extensible by Design
No two organizations have identical security needs. Socket Basics is built on a plugin-style connector system that makes it easy to extend or customize.
Each scanner in Socket Basics implements a standard interface for execution and result processing. This means you can plug in your own specialized security tools — internal scanners, cloud services, or proprietary analyzers — and Socket will automatically orchestrate them, normalize the results, and merge them into unified reports.
Built to Fit Your Workflow
Security tools that slow down development get disabled or worked around. Socket Basics was designed for developers first — fast setup, consistent results, and no friction.
Easy GitHub Actions Integration
Getting started takes minutes. Add one line to your workflow:
```yaml
- uses: SocketDev/socket-basics@v1.0.2
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    socket_security_api_key: ${{ secrets.SOCKET_SECURITY_API_KEY }}
```
That’s it. Scans start automatically, guided by your dashboard configuration. No complex YAML, no tuning.
Runs Anywhere
Socket Basics runs wherever you need it:
- Run in pre-commit hooks for catching issues before they’re committed
- Run in Docker containers for CI/CD systems and air-gapped environments
- Run in local CLI for developer machines and custom workflows
Every deployment uses the same scanning engine and configuration, so the results stay consistent everywhere.
Unified Results, Clear Data
Every finding from every scanner — static, secrets, container, CVE — is normalized into a single Socket JSON format with consistent severity levels and metadata. That means simpler automation, cleaner reporting, and less confusion across teams.

Built on Proven Tools
Socket Basics orchestrates the most trusted open source security tools — curated, updated, and managed for you. Each tool is selected for its effectiveness, reliability, and community support.
You get the reliability of mature projects, the simplicity of a unified platform, and the speed of automated setup. Socket handles installation, versioning, result normalization, and orchestration so you can focus on fixing issues, not maintaining scanners.
Solving the Real Problems
We built Socket Basics after seeing the same pain again and again:
- Security teams struggling to maintain coverage across multiple languages
- DevOps engineers wiring together fragile scanner integrations
- Developers flooded with noisy, unactionable alerts
- Platform teams wasting time rebuilding the same setup for every repo
Socket Basics replaces that sprawl with one consistent system. You get unified configuration, unified results, and unified visibility — without losing flexibility or control.

Getting Started
Socket Basics is available now.
If you already use Socket Enterprise, enable it from the Socket Dashboard and start scanning within minutes.
If you’re new to Socket, learn more or get in touch to see how Socket Basics can simplify your security stack.