socket

Socket CLI

CLI for Socket.dev security analysis

Usage

npm install -g socket
socket --help

Commands

• socket npm [args...] and socket npx [args...] - Wraps npm/npx with Socket security scanning

• socket fix - Fix CVEs in dependencies

• socket optimize - Optimize dependencies with @socketregistry overrides

• socket cdxgen [command] - Run cdxgen for SBOM generation

• socket patch <command> - Apply, manage, and rollback Socket security patches for vulnerable dependencies

Patch subcommands

Command	Description
socket patch scan	Scan installed packages for available security patches
socket patch get <uuid> --org <slug>	Download a patch by UUID and store it locally
socket patch apply	Apply downloaded patches to node_modules
socket patch rollback [purl|uuid]	Rollback patches and restore original files
socket patch list [--json]	List all patches in the local manifest
socket patch remove <purl|uuid>	Remove a patch from the manifest (rolls back by default)
socket patch setup [--yes]	Add socket patch apply to postinstall scripts
socket patch repair	Download missing blobs and clean up unused blobs

Quick start:

# Scan for available patches, download, and apply.
socket patch scan
socket patch apply

# Or download a specific patch by UUID.
socket patch get <uuid> --org <org-slug>
socket patch apply

# Add to postinstall so patches reapply on npm install.
socket patch setup --yes

Free patches work without authentication. For paid patches, set SOCKET_CLI_API_TOKEN and SOCKET_CLI_ORG_SLUG.

Aliases

All aliases support the flags and arguments of the commands they alias.

• socket ci - Alias for socket scan create --report (creates report and exits with error if unhealthy)

Flags

Output flags

• --json - Output as JSON
• --markdown - Output as Markdown

Other flags

• --dry-run - Run without uploading
• --debug - Show debug output
• --help - Show help
• --max-old-space-size - Set Node.js memory limit
• --max-semi-space-size - Set Node.js heap size
• --version - Show version

Configuration files

Socket CLI reads socket.yml configuration files. Supports version 2 format with projectIgnorePaths for excluding files from reports.

Environment variables

• SOCKET_CLI_API_TOKEN - Socket API token
• SOCKET_CLI_CONFIG - JSON configuration object
• SOCKET_CLI_GITHUB_API_URL - GitHub API base URL
• SOCKET_CLI_GIT_USER_EMAIL - Git user email (default: github-actions[bot]@users.noreply.github.com)
• SOCKET_CLI_GIT_USER_NAME - Git user name (default: github-actions[bot])
• SOCKET_CLI_GITHUB_TOKEN - GitHub token with repo access (alias: GITHUB_TOKEN)
• SOCKET_CLI_NO_API_TOKEN - Disable default API token
• SOCKET_CLI_NPM_PATH - Path to npm directory
• SOCKET_CLI_ORG_SLUG - Socket organization slug
• SOCKET_CLI_ACCEPT_RISKS - Accept npm/npx risks
• SOCKET_CLI_VIEW_ALL_RISKS - Show all npm/npx risks

Contributing

Run locally:

npm install
npm run build
npm exec socket

Development environment variables

• SOCKET_CLI_API_BASE_URL - API base URL (default: https://api.socket.dev/v0/)
• SOCKET_CLI_API_PROXY - Proxy for API requests (aliases: HTTPS_PROXY, https_proxy, HTTP_PROXY, http_proxy)
• SOCKET_CLI_API_TIMEOUT - API request timeout in milliseconds
• SOCKET_CLI_DEBUG - Enable debug logging
• DEBUG - Enable debug package logging

See also

• Socket API Reference
• Socket GitHub App
• @socketsecurity/sdk