Socket Supply-Chain Risk Scanner
A live, self-contained web app that turns a project's package.json or package-lock.json into a CISO-ready supply-chain risk report. Paste or drop a manifest and it scans every dependency against Socket's package intelligence — surfacing malware, typosquatting, risky install scripts, and known CVEs the way a traditional CVE scanner never would. No signup required: leave the key field blank to try it instantly.
🎯 Why I built it
Coming from JFrog — where I worked next to Xray and software-composition analysis — I wanted a hands-on artifact that shows I can speak the supply-chain security language end to end: the developer's manifest, the API that scores it, and the executive narrative a security buyer actually cares about. This is that artifact, built as a sales-engineering proof of concept I can demo live.
⚙️ How it works
The front end is hand-written HTML, CSS, and vanilla JavaScript — no framework. It parses npm manifests (including lockfile v1, v2, and v3), builds Package URLs for each dependency, and submits them in a single batch to Socket's /v0/orgs/{org}/purl endpoint, streaming the results back as newline-delimited JSON. Because Socket's API doesn't send CORS headers, the browser can't call it directly — so requests are routed through a small AWS Lambda proxy I wrote that only forwards to api.socket.dev and rejects anything else.
📊 The report
Findings are normalized into Critical / High / Medium / Low buckets, sorted by severity, and rendered as an executive summary, a stats row, and an expandable per-package table with Socket's health scores. There's even a "what Socket would have done" panel that frames the findings as a CI/CD firewall story — the same way I'd position it in a real evaluation.
🔒 Security notes
Visitors can try it with no signup: a demo key lives only inside the Lambda as a server-side environment variable, so it's never exposed to the browser. If a visitor supplies their own key instead, it is kept in their browser and sent, by way of the proxy, only to Socket. The Lambda proxy is host-allowlisted to Socket, so it can't be abused as an open forwarder. The full source lives on GitHub.
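One way to implement the host allowlist described under "How it works" and "Security notes", shown as an added example that is not the project's Lambda source. It assumes the client passes a full target URL to the proxy; the function name resolveUpstream, the org name acme and the sample URLs are constructed for illustration.

```javascript
// Added example: strict upstream validation for a forwarding proxy.
// ALLOWED_HOST is the host named on the page; everything else is hypothetical.
const ALLOWED_HOST = "api.socket.dev";

function resolveUpstream(target) {
  let url;
  try {
    url = new URL(target); // no base URL, so relative or scheme-less input is rejected
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme not https" };
  // Userinfo makes "https://api.socket.dev@other.host/" look like the allowed host.
  if (url.username || url.password) return { ok: false, reason: "userinfo present" };
  // Exact match on the parsed hostname. Substring or endsWith checks would
  // accept "api.socket.dev.example.net" or "notapi.socket.dev".
  if (url.hostname !== ALLOWED_HOST) return { ok: false, reason: "host not allowlisted" };
  if (url.port !== "") return { ok: false, reason: "non-default port" };
  // Rebuild from parsed parts so the forwarded URL is exactly what was checked.
  return { ok: true, url: `https://${ALLOWED_HOST}${url.pathname}${url.search}` };
}

// Constructed sample inputs covering the usual allowlist bypass shapes.
const samples = [
  "https://api.socket.dev/v0/orgs/acme/purl",
  "https://API.SOCKET.DEV:443/v0/orgs/acme/purl",
  "http://api.socket.dev/v0/orgs/acme/purl",
  "https://api.socket.dev@proxy-test.example/",
  "https://api.socket.dev.example.net/",
  "https://api.socket.dev:8443/",
  "//api.socket.dev/v0/orgs/acme/purl",
];
for (const s of samples) {
  const r = resolveUpstream(s);
  console.log(r.ok ? "FORWARD" : "REJECT ", s, r.ok ? "" : `(${r.reason})`);
}
```

A proxy using a check like this should also refuse to follow redirects from the upstream (for example `redirect: "error"` with fetch), since a followed redirect leaves the allowlisted host after validation has passed.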