Releases: SocketDev/socket-registry-firewall
v1.1.151
Add fail_open_unscanned setting for independent control of unscanned packages
New Features:
- New fail_open_unscanned setting (default: true) controls behavior when the Socket API returns purlError (package not found or not yet scanned). This is separate from fail_open, which handles API connectivity errors.
- New expose_unscanned_header setting (default: false) adds an X-Socket-Unscanned response header for unscanned packages.
- purlError detection in both single and batch Socket API responses.
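The split between fail_open and fail_open_unscanned is easiest to see as a decision table. The following is an added illustrative model written for these notes, not the firewall's own code: the setting names, the purlError case, the unscanned flag and the X-Socket-Decision / X-Socket-Block-Reason / X-Socket-Warn-Reason / X-Socket-Unscanned header names come from the release notes, while the reason strings, the ApiOutcome/Decision types, the function names and the header values are assumptions.

```python
"""Illustrative model of how fail_open, fail_open_unscanned and expose_unscanned_header
combine. Added for these release notes; not the firewall's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Settings:
    fail_open: bool = True                 # assumed default; governs API connectivity errors
    fail_open_unscanned: bool = True       # default per the notes; governs purlError
    expose_unscanned_header: bool = False  # default per the notes


@dataclass
class ApiOutcome:
    """What the Socket API call produced (constructed categories):
    'ok'         -> a verdict with alert_action "block", "warn", "monitor" or None
    'purl_error' -> package not found / not yet scanned
    'api_error'  -> connectivity failure, no verdict at all"""
    kind: str
    alert_action: Optional[str] = None


@dataclass
class Decision:
    client_action: str                     # "allow" or "block" (assumed values)
    block_reason: Optional[str] = None
    warn_reason: Optional[str] = None
    unscanned: bool = False
    headers: Dict[str, str] = field(default_factory=dict)


def decide(outcome: ApiOutcome, s: Settings) -> Decision:
    if outcome.kind == "api_error":
        # Connectivity failure: only fail_open applies.
        if s.fail_open:
            d = Decision("allow", warn_reason="fail_open: socket api unreachable")
        else:
            d = Decision("block", block_reason="fail_closed: socket api unreachable")
    elif outcome.kind == "purl_error":
        # Package unknown to Socket: only fail_open_unscanned applies, and the
        # unscanned flag is set either way so the event stays distinguishable.
        if s.fail_open_unscanned:
            d = Decision("allow", warn_reason="fail_open_unscanned: package not scanned",
                         unscanned=True)
        else:
            d = Decision("block", block_reason="fail_closed_unscanned: package not scanned",
                         unscanned=True)
    elif outcome.kind == "ok":
        if outcome.alert_action == "block":
            d = Decision("block", block_reason="alert: block")
        elif outcome.alert_action == "warn":
            d = Decision("allow", warn_reason="alert: warn")
        else:
            d = Decision("allow")          # monitor or no alert
    else:
        raise ValueError(f"unknown outcome kind {outcome.kind!r}")

    # Tracking headers on every response; the unscanned header only when exposed.
    d.headers["X-Socket-Decision"] = d.client_action
    if d.block_reason:
        d.headers["X-Socket-Block-Reason"] = d.block_reason
    if d.warn_reason:
        d.headers["X-Socket-Warn-Reason"] = d.warn_reason
    if d.unscanned and s.expose_unscanned_header:
        d.headers["X-Socket-Unscanned"] = "true"
    return d


if __name__ == "__main__":
    strict = Settings(fail_open=True, fail_open_unscanned=False, expose_unscanned_header=True)
    for outcome in (ApiOutcome("api_error"), ApiOutcome("purl_error"), ApiOutcome("ok", "warn")):
        d = decide(outcome, strict)
        print(outcome.kind, "->", d.client_action, d.headers)
```

With fail_open left at true and fail_open_unscanned set to false, an API outage still fails open while a never-scanned package is blocked, which is the independent control the release describes; the block_reason / warn_reason strings make the non-alert cases auditable in the decision event.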
Improvements:
- Decision events now include alert_action, client_action, request_id, trace_id, artifact_purl, event_type, event_category, parser_name, parser_version, and unscanned flag.
- block_reason and warn_reason fields are now populated correctly for all non-alert scenarios (fail_open, fail_closed, API errors, unscanned packages).
- parser_name and parser_version are propagated through all code paths including cached, stale, and error results.
Fixes:
- Telemetry events now use the canonical decision event fields instead of re-deriving artifact_purl and action.
- request_id and trace_id are now included in output logging for all event types.
v1.1.139
Operators can now specify an upstream_token on individual path routes or domain registries. This injects an Authorization: Bearer header on all upstream requests for that route — ideal for authenticated private registries where different routes require different credentials. The token value is read from an environment variable at startup, keeping secrets out of configuration files and logs. Basic auth (user:password) is also auto-detected.
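How a per-route upstream_token can be resolved from the environment at startup, with Bearer or Basic detection and a log-safe rendering, as an added example written for these notes rather than the firewall's own code. The behaviour (value read from an environment variable at startup, Bearer by default, Basic when the value is user:password, secret kept out of logs) follows the note above; the route dictionary shape, the rule that a colon marks basic auth, the function names and the redaction format are assumptions.

```python
"""Startup resolution of upstream_token for path routes. Added for these release
notes; not the firewall's implementation."""
import base64
import os
from typing import Dict, List, Mapping


def authorization_value(secret: str) -> str:
    """Authorization header value for one secret. Assumed detection rule: a colon
    means user:password (Basic), anything else is sent as a bearer token."""
    secret = secret.strip()
    if ":" in secret:
        return "Basic " + base64.b64encode(secret.encode("utf-8")).decode("ascii")
    return "Bearer " + secret


def resolve_route_auth(routes: List[Dict[str, str]],
                       environ: Mapping[str, str] = os.environ) -> Dict[str, str]:
    """Map each route path to its Authorization value. Resolving once at startup means
    a missing variable fails fast instead of silently sending unauthenticated requests
    to a private registry. Routes without upstream_token (assumed: the config holds the
    variable name, not the secret) are left alone."""
    resolved: Dict[str, str] = {}
    for route in routes:
        var = route.get("upstream_token")
        if not var:
            continue
        value = environ.get(var)
        if not value:
            raise RuntimeError(f"route {route['path']}: environment variable {var} is unset")
        resolved[route["path"]] = authorization_value(value)
    return resolved


def redact(header_value: str) -> str:
    """Log-safe rendering: keep the scheme, drop the credential."""
    scheme, _, _ = header_value.partition(" ")
    return f"{scheme} ***"


if __name__ == "__main__":
    # Constructed routes and environment, standing in for the real config and process env.
    routes = [
        {"path": "/artifactory/npm-private/", "upstream_token": "ARTIFACTORY_TOKEN"},
        {"path": "/nexus/repository/maven-private/", "upstream_token": "NEXUS_CREDS"},
        {"path": "/public/"},
    ]
    env = {"ARTIFACTORY_TOKEN": "tok-abc", "NEXUS_CREDS": "alice:s3cret"}
    for path, header in resolve_route_auth(routes, env).items():
        print(path, "->", redact(header))
```

Only the redacted form ever reaches a log line; the raw Authorization value exists in memory for the upstream request alone.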
The firewall now captures uber-trace-id and X-Request-Id headers from upstream private registry responses and propagates them as private_registry_request_id across all event outputs — console logs, Splunk HEC, webhooks, and Socket telemetry. The trace ID also appears in native nginx access logs, enabling full request correlation between the firewall and Artifactory/Nexus.
Full Changelog: v1.1.104...v1.1.139
v1.1.136
Full Changelog: v1.1.104...v1.1.136
v1.1.135
Full Changelog: v1.1.104...v1.1.135
v1.1.134
Full Changelog: v1.1.104...v1.1.134
v1.1.131
- Fix URL-escaped scoped package names not being forwarded upstream as URL-encoded
- Fix Maven download checks to include classifier and extension qualifiers
- Fix tarball build
v1.1.128
Fix Maven PURL lookup with extra qualifiers
Full Changelog: v1.1.104...v1.1.128
v1.1.126
Full Changelog: v1.1.104...v1.1.126
v1.1.125
Fix Artifactory auto-discovery not generating API path routes for NuGet, RubyGems, Go, and Conda ecosystems. Only direct paths (/artifactory/{repo}) were generated, missing the /artifactory/api/{type}/{repo} paths that Artifactory clients use for package downloads.
v1.1.124
v1.1.124 - Security fixes, webhook events, tracking headers, and observability improvements
Security Fixes:
- Fix NuGet V2 download bypass: Nexus V2 simplified paths (/{id}/{version}) and Artifactory V2 paths (/Download/{id}/{version}) now correctly route through security checks
- Fix Maven extension bypass: switched to deny-by-default routing; only known metadata patterns are excluded from security checks, all other artifacts are scanned
- Fix Cargo download redirect: upstream 302 redirects (crates.io to static.crates.io) are now followed server-side instead of passed through to clients
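The Maven fix above replaces an extension allow-list with deny-by-default routing: only known metadata paths skip the check, and every other path, including ones the parser does not recognise, goes through it. The following is an added example written for these notes, not the firewall's own code; it also covers the v1.1.131 note about Maven download checks including classifier and extension qualifiers. Which paths count as "known metadata patterns" is assumed here (maven-metadata.xml plus checksum and signature sidecars), as are the function names and the repository-relative path layout.

```python
"""Deny-by-default routing of Maven repository paths. Added for these release notes;
not the firewall's implementation."""
import re
from typing import Optional, Tuple

# Constructed allow-list of content-free paths that are passed through unchecked.
# Anything that does not match is treated as an artifact and goes through the check.
METADATA_PATTERNS = [
    re.compile(r"(^|/)maven-metadata\.xml$"),
    re.compile(r"\.(sha1|md5|sha256|sha512|asc)$"),  # checksum and PGP sidecars
]


def is_metadata(path: str) -> bool:
    return any(p.search(path) for p in METADATA_PATTERNS)


def maven_purl(path: str) -> Optional[str]:
    """Turn a repository-relative path ({group}/{artifact}/{version}/{file}) into a
    pkg:maven PURL carrying type= and, when present, classifier= qualifiers, so that
    tool-1.0-linux.tar.gz and tool-1.0.jar are checked as distinct artifacts."""
    parts = path.strip("/").split("/")
    if len(parts) < 4:
        return None
    filename, version, artifact = parts[-1], parts[-2], parts[-3]
    group = ".".join(parts[:-3])
    prefix = f"{artifact}-{version}"
    if not filename.startswith(prefix):
        return None
    rest = filename[len(prefix):]
    if rest.startswith("-"):            # -{classifier}.{extension}
        classifier, _, ext = rest[1:].partition(".")
    elif rest.startswith("."):          # .{extension}, possibly multi-part (tar.gz)
        classifier, ext = "", rest[1:]
    else:
        return None
    if not ext:
        return None
    qualifiers = {"type": ext}
    if classifier:
        qualifiers["classifier"] = classifier
    qs = "&".join(f"{k}={v}" for k, v in sorted(qualifiers.items()))
    return f"pkg:maven/{group}/{artifact}@{version}?{qs}"


def route(path: str) -> Tuple[str, Optional[str]]:
    """("passthrough", None) only for allow-listed metadata; every other path is
    ("check", purl), with purl None when the path does not parse as an artifact.
    Under deny-by-default an unparsable path still reaches the check stage instead
    of being served unexamined; how the check treats a missing PURL is policy."""
    if is_metadata(path):
        return "passthrough", None
    return "check", maven_purl(path)


if __name__ == "__main__":
    for p in ("org/apache/commons/commons-lang3/maven-metadata.xml",
              "org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar",
              "org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0-sources.jar",
              "org/example/tool/1.0/tool-1.0-linux.tar.gz",
              "org/example/tool/1.0-SNAPSHOT/tool-1.0-20240101.120000-1.jar"):
        print(p, "->", route(p))
```

The last sample path (a timestamped snapshot the simple parser does not understand) is the case the old allow-list approach got wrong: it is not metadata, so it is routed to the check rather than passed through on the strength of an unfamiliar filename.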
New Features:
- Webhook event delivery: configurable HTTP POST of package decision events to any endpoint (on_block, on_warn, on_monitor filters)
- Request/response tracking headers: X-Socket-Request-ID, X-Socket-Decision, X-Socket-Block-Reason, X-Socket-Warn-Reason, X-Socket-Monitor-Reason on all responses
- Private registry request ID tracing: captures uber-trace-id / X-Request-Id from upstream responses for end-to-end correlation with Artifactory/Nexus logs
- Configurable log level: socket.log_level setting (error, warn, info, debug) controls console output; telemetry/Splunk/webhook events always fire regardless
- username/password auth for auto-discovery: alternative to api_key for Artifactory and Nexus service accounts
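The private registry request ID tracing listed above (and described in more detail in the v1.1.139 notes) exists so that a firewall decision event can be joined to the registry's own access log. The following added example, written for these notes and not taken from the firewall, shows that capture and join: the header names uber-trace-id and X-Request-Id and the field names private_registry_request_id, request_id and artifact_purl come from the notes; the header precedence, the Jaeger-style split of uber-trace-id, the key=value registry log shape and all sample values are constructed.

```python
"""Capture of an upstream registry's request id and its use to correlate firewall
decision events with registry log lines. Added for these release notes; not the
firewall's implementation."""
from typing import Dict, Iterable, List, Mapping, Optional


def private_registry_request_id(upstream_headers: Mapping[str, str]) -> Optional[str]:
    """Pick the registry's id from its response headers (case-insensitive lookup).
    Assumed precedence: uber-trace-id (Jaeger, as emitted by Artifactory) before
    X-Request-Id (as emitted by Nexus)."""
    lowered = {k.lower(): v for k, v in upstream_headers.items()}
    for name in ("uber-trace-id", "x-request-id"):
        if lowered.get(name):
            return lowered[name].strip()
    return None


def jaeger_trace_id(value: str) -> str:
    """uber-trace-id has the form {trace-id}:{span-id}:{parent-id}:{flags}; the join key
    is just the trace-id portion. Values without colons are returned unchanged."""
    return value.split(":", 1)[0]


def correlate(events: Iterable[Dict], registry_log: Iterable[str]) -> List[Dict]:
    """Attach matching registry log entries to each firewall decision event. The
    registry log is assumed to be key=value lines carrying trace_id or request_id."""
    index: Dict[str, List[Dict[str, str]]] = {}
    for line in registry_log:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        rid = fields.get("trace_id") or fields.get("request_id")
        if rid:
            index.setdefault(rid, []).append(fields)
    joined = []
    for ev in events:
        rid = ev.get("private_registry_request_id")
        key = jaeger_trace_id(rid) if rid else None
        joined.append({**ev, "registry_entries": index.get(key, []) if key else []})
    return joined


if __name__ == "__main__":
    # Constructed firewall events and registry log lines.
    events = [
        {"request_id": "fw-1", "artifact_purl": "pkg:npm/left-pad@1.3.0",
         "private_registry_request_id": "4bf92f3577b34da6:00f067aa0ba902b7:0:1"},
        {"request_id": "fw-2", "artifact_purl": "pkg:npm/example-pkg@1.0.0",
         "private_registry_request_id": None},
    ]
    log = [
        "trace_id=4bf92f3577b34da6 status=200 path=/artifactory/api/npm/npm-remote/left-pad/-/left-pad-1.3.0.tgz",
        "request_id=req-77 status=404 path=/nexus/repository/npm-proxy/missing",
    ]
    for row in correlate(events, log):
        print(row["request_id"], row["artifact_purl"], row["registry_entries"])
```

An event with no captured registry id (the second sample, e.g. a blocked request that never reached upstream) simply joins to nothing, which is itself a useful signal when reconciling the two logs.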
Observability:
- Unified event field parity: Splunk HEC, Socket telemetry, webhook, and SOCKET_DECISION console logs now share 21 core fields via a single event builder
- Deferred Splunk/telemetry events: allowed-package events are enriched with upstream_status before delivery
- upstream_status propagated through metadata filtering pipeline
- Health check log suppression: /health requests no longer produce access log entries
- Auto-discovery daemon only logs and reloads on changed routes
- metadata_cache_ttl correctly applied to metadata batch lookups (was using shorter cache_ttl)
API:
- Migrated PURL checks to org-scoped /v0/orgs/:org_slug/purl endpoint for better tracking
Documentation:
- Added Artifactory and Nexus service account permissions guides
- Documented webhook configuration, tracking headers, log levels, and unified event fields
- Fixed inaccurate defaults and removed deprecated features from docs