socket-scan
Research Scan
Run a dependency scan using the Socket CLI. For authenticated users, scans run in temporary read-only mode (--tmp) by default — results are returned locally without creating a persistent entry in the Socket dashboard.
For unauthenticated users (no API token, or only the demo token), the skill prompts the user to log in or create a free account. If the user skips login, the scan falls back to cdxgen, but alert accuracy drops sharply and the resulting SBOM is far less accurate.
When the user is authenticated with a full account (free or enterprise) and explicitly wants results saved, the scan can be promoted to a persistent dashboard scan.
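The mode selection described above, as an added example rather than the skill's own code. It assumes the API token is read from SOCKET_CLI_API_TOKEN, that the Socket CLI is invoked as `socket scan create` with `--tmp` for the temporary read-only mode, that a persistence request arrives via a hypothetical SOCKET_SAVE_SCAN variable, and that the fallback is `cdxgen -o bom.json`; check each of these against your installed CLI version. The demo-token case is not distinguished from a real token here, since the page does not say how the CLI exposes it.

```shell
#!/usr/bin/env sh
# Added example, not part of the socket-scan skill. Assumed invocations:
#   socket scan create --tmp <dir>   temporary, read-only scan (not saved)
#   socket scan create <dir>         persistent scan visible in the dashboard
#   cdxgen -o bom.json <dir>         unauthenticated fallback (SBOM only, weaker alerts)

# plan_scan TOKEN SAVE DIR -> prints the command that should run, without running it.
#   TOKEN: API token; empty means unauthenticated (demo token not detected here)
#   SAVE:  "yes" promotes to a persistent dashboard scan, anything else uses --tmp
#   DIR:   project directory to scan
plan_scan() {
  token="$1"
  save="$2"
  dir="${3:-.}"
  if [ -z "$token" ]; then
    # Unauthenticated: the skill would prompt for login first; if the user
    # skips it, fall back to cdxgen. Warn on stderr so the reduced accuracy
    # is visible in logs.
    echo "warning: no Socket token, falling back to cdxgen (reduced alert accuracy)" >&2
    echo "cdxgen -o bom.json $dir"
    return 0
  fi
  if [ "$save" = "yes" ]; then
    echo "socket scan create $dir"
  else
    # Default for authenticated users: results only, no dashboard entry.
    echo "socket scan create --tmp $dir"
  fi
}

# run_scan DIR -> builds the plan from the environment and executes it.
run_scan() {
  cmd=$(plan_scan "${SOCKET_CLI_API_TOKEN:-}" "${SOCKET_SAVE_SCAN:-no}" "${1:-.}")
  echo "running: $cmd"
  eval "$cmd"
}
```

`plan_scan` is separated from `run_scan` so the decision can be inspected (or tested) before anything touches the network; `eval` is only applied to a command string the function itself assembled from a fixed set of literals plus the directory argument.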
When to Use
- The user wants to scan their project's dependencies for vulnerabilities or supply-chain risks
- The user wants to create a scan visible in the Socket dashboard
- The user wants reachability analysis to determine if vulnerabilities are actually exploitable in their code
- The user is adding or updating dependencies and wants to verify security posture
- The user asks for a full security audit of their dependency tree
- The user wants to check for malware in their dependencies
- The user needs to construct an SBOM from scan data for compliance
- The user wants to audit licenses across all dependencies
- The user needs to check for GPL, SSPL, or other restrictive licenses in a commercial project