Socket Supply-Chain Risk Scanner

A live, self-contained web app that turns a project's package.json or package-lock.json into a CISO-ready supply-chain risk report. Paste or drop a manifest and it scans every dependency against Socket's package intelligence — surfacing malware, typosquatting, risky install scripts, and known CVEs the way a traditional CVE scanner never would. No signup required: leave the key field blank to try it instantly.


🎯 Why I built it

Coming from JFrog — where I worked next to Xray and software-composition analysis — I wanted a hands-on artifact that shows I can speak the supply-chain security language end to end: the developer's manifest, the API that scores it, and the executive narrative a security buyer actually cares about. This is that artifact, built as a sales-engineering proof of concept I can demo live.

⚙️ How it works

The front end is hand-written HTML, CSS, and vanilla JavaScript — no framework. It parses npm manifests (including lockfile v1, v2, and v3), builds Package URLs for each dependency, and submits them in a single batch to Socket's /v0/orgs/{org}/purl endpoint, streaming the results back as newline-delimited JSON. Because Socket's API doesn't send CORS headers, the browser can't call it directly — so requests are routed through a small AWS Lambda proxy I wrote that only forwards to api.socket.dev and rejects anything else.
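The manifest-to-purl step described above, as an added example that is not the project's own code: it reads a package.json or a package-lock.json (lockfileVersion 1, 2 or 3) and yields the deduplicated npm Package URLs that would be batched to the purl endpoint. The sample lockfile is constructed for illustration.

```javascript
// purl encodes namespace and name per path segment, so a scoped package
// becomes pkg:npm/%40scope/name@1.0.0 rather than pkg:npm/%40scope%2Fname@1.0.0.
function npmPurl(name, version) {
  const encoded = name.split("/").map(encodeURIComponent).join("/");
  return version ? `pkg:npm/${encoded}@${version}` : `pkg:npm/${encoded}`;
}

// lockfile v1: a nested "dependencies" tree of { version, dependencies }
function walkV1(deps, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    out.add(npmPurl(name, entry.version));
    walkV1(entry.dependencies, out); // transitive deps are nested inline
  }
}

// lockfile v2/v3: a flat "packages" map keyed by install path
function walkPackages(packages, out) {
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(packages || {})) {
    if (path === "" || entry.link) continue; // root project / workspace links
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    out.add(npmPurl(name, entry.version));
  }
}

function manifestToPurls(text) {
  const doc = JSON.parse(text);
  const out = new Set(); // dedupes the same name@version hoisted or nested twice
  if (doc.lockfileVersion >= 2) walkPackages(doc.packages, out);
  else if (doc.lockfileVersion === 1) walkV1(doc.dependencies, out);
  else {
    // plain package.json only carries ranges, so no exact version is emitted
    for (const field of ["dependencies", "devDependencies"])
      for (const name of Object.keys(doc[field] || {})) out.add(npmPurl(name));
  }
  return [...out];
}

// Constructed v3 lockfile: lodash appears hoisted and nested under a scoped package.
const SAMPLE_LOCK_V3 = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/@scope/pkg": { version: "1.2.3" },
    "node_modules/@scope/pkg/node_modules/lodash": { version: "4.17.21" },
  },
});
console.log(manifestToPurls(SAMPLE_LOCK_V3));
```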

📊 The report

Findings are normalized into Critical / High / Medium / Low buckets, sorted by severity, and rendered as an executive summary, a stats row, and an expandable per-package table with Socket's health scores. There's even a "what Socket would have done" panel that frames the findings as a CI/CD firewall story — the same way I'd position it in a real evaluation.

🔒 Security notes

Visitors can try it with no signup: a demo key lives only inside the Lambda as a server-side environment variable, so it's never exposed to the browser. If a visitor supplies their own key instead, it stays in their browser and is sent only to Socket. The Lambda proxy is host-allowlisted to Socket, so it can't be abused as an open forwarder. The full source lives on GitHub.