
feat: add checkMalware API for normalized malware detection#538

Merged
John-David Dalton (jdalton) merged 4 commits into main from feat/check-malware-api
Apr 2, 2026

Conversation


@jdalton John-David Dalton (jdalton) commented Apr 2, 2026

Summary

  • Add checkMalware(components) method to SocketSdk with dual-path architecture:
    • Public token → firewall API (firewall-api.socket.dev/purl/{purl}) — returns full artifact data (score, namespace, alert props/categories/fix info) without reshaping
    • Org token → batch PURL API (api.socket.dev/v0/purl) — uses org policy, full artifact data
  • Both paths normalize to the same MalwareCheckPackage result shape
  • Alerts filtered by policy — only error and warn actions included
  • New types: MalwareCheckAlert, MalwareCheckPackage, MalwareCheckResult, MalwareCheckScore
  • New constant: SOCKET_FIREWALL_API_URL

Why two paths?

The batch API with public tokens goes through reshapeArtifactForPublicPolicy which strips score, namespace, props, category, and fix from the response. The firewall API returns the same SocketArtifact data but unstripped, giving public token users the same rich data that org token users get.

Normalized result per package

{
  type: string          // ecosystem
  namespace?: string    // e.g. '@types'
  name?: string         // package name
  version?: string
  score?: { overall, license, maintenance, quality, supplyChain, vulnerability }
  alerts: Array<{
    key: string
    type: string        // 'malware', 'criticalCVE', etc.
    severity?: string   // 'critical', 'high', etc.
    category?: string   // 'supplyChainRisk', etc.
    props?: Record      // { note: 'trojan in postinstall' }
    fix?: { type, description }
  }>
}

Test plan

  • Public token (firewall): malware with full detail (props, category, fix, score)
  • Public token (firewall): warn-level alerts included
  • Public token (firewall): clean package — empty alerts, score present
  • Public token (firewall): monitor/ignore alerts filtered out
  • Public token (firewall): scoped package namespace preserved
  • Public token (firewall): multiple packages in parallel
  • Public token (firewall): failed requests gracefully skipped
  • Org token (batch): server error/warn actions with full alert data
  • Org token (batch): missing action defaults to ignore — filtered
  • Org token (batch): API error returns success: false
  • All 494 tests pass, build and type check clean

Add a high-level checkMalware method to SocketSdk that wraps
batchPackageFetch with normalized, policy-aware results. For public
tokens, alert actions are derived from the client-side publicPolicy
map. For org tokens, server-assigned actions are used as-is.

Returns blocked/warned flags per package for easy consumption by
hooks, CI scripts, and IDE extensions.
…n/blocked/warned

Remove action, blocked, and warned from the result type. Instead,
filter alerts by policy so only actionable alerts (error/warn) are
returned. Consumers check alerts directly rather than interpreting
policy-derived fields.

Route public token requests through the firewall API
(firewall-api.socket.dev/purl) which returns full artifact data
including score, namespace, alert props, categories, and fix info.
Org tokens continue using the batch PURL API.

Both paths normalize to the same result shape with richer alert
data (category, props, fix) now available for all token types.
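The normalization and policy filtering described in the summary and the commit messages above, as an added TypeScript example that is not code from socket-sdk-js: raw artifacts from either path are reduced to the MalwareCheckPackage shape, actions are resolved from a client-side policy map for public tokens or taken from the server for org tokens (a missing action meaning ignore), and only error/warn alerts survive. The RawAlert/RawArtifact shapes, the contents of PUBLIC_POLICY, the MalwareCheckResult fields other than `success`, the fetcher signatures and the sample PURLs and artifacts are all assumptions made for this example.

```typescript
// Added example, not code from socket-sdk-js. Models the two-path normalization
// the PR describes; raw shapes, the policy map and the sample data are assumed
// for illustration and are not the SDK's real definitions.

type AlertAction = 'error' | 'warn' | 'monitor' | 'ignore'

// Assumed raw alert shape. Batch (org token) responses carry a server-assigned
// `action`; firewall responses do not, so the client derives it from its policy map.
interface RawAlert {
  key: string; type: string; severity?: string; category?: string
  props?: Record<string, unknown>; fix?: { type: string; description: string }
  action?: AlertAction
}

interface MalwareCheckScore {
  overall: number; license: number; maintenance: number
  quality: number; supplyChain: number; vulnerability: number
}

// Assumed raw artifact shape (the subset of SocketArtifact used here).
interface RawArtifact {
  type: string; namespace?: string; name?: string; version?: string
  score?: MalwareCheckScore; alerts?: RawAlert[]
}

// Normalized shapes from the PR summary; result fields other than `success` are assumed.
type MalwareCheckAlert = Omit<RawAlert, 'action'>
type MalwareCheckPackage = Omit<RawArtifact, 'alerts'> & { alerts: MalwareCheckAlert[] }
interface MalwareCheckResult { success: boolean; packages: MalwareCheckPackage[]; error?: string }

// Constructed stand-in for the client-side publicPolicy map (alert type -> action).
const PUBLIC_POLICY: Record<string, AlertAction> = {
  malware: 'error', criticalCVE: 'error', installScripts: 'warn', telemetry: 'monitor',
}

const ACTIONABLE = new Set<AlertAction>(['error', 'warn'])

// Public tokens: look the action up by alert type in the policy map.
// Org tokens: use the server-assigned action. A missing action means ignore.
function resolveAction(alert: RawAlert, publicPolicy?: Record<string, AlertAction>): AlertAction {
  if (publicPolicy) return publicPolicy[alert.type] ?? 'ignore'
  return alert.action ?? 'ignore'
}

// Reduce one artifact from either path to the shared result shape.
function normalizeArtifact(artifact: RawArtifact, publicPolicy?: Record<string, AlertAction>): MalwareCheckPackage {
  const alerts: MalwareCheckAlert[] = (artifact.alerts ?? [])
    .filter(a => ACTIONABLE.has(resolveAction(a, publicPolicy)))
    .map(a => ({ key: a.key, type: a.type, severity: a.severity, category: a.category, props: a.props, fix: a.fix }))
  return { type: artifact.type, namespace: artifact.namespace, name: artifact.name,
           version: artifact.version, score: artifact.score, alerts }
}

// Public-token path: one firewall request per PURL in parallel; a failed request is skipped.
async function checkMalwarePublic(purls: string[], fetchOne: (purl: string) => Promise<RawArtifact>): Promise<MalwareCheckResult> {
  const fetched = await Promise.all(purls.map(p => fetchOne(p).then(a => a, () => undefined)))
  const packages = fetched
    .filter((a): a is RawArtifact => a !== undefined)
    .map(a => normalizeArtifact(a, PUBLIC_POLICY))
  return { success: true, packages }
}

// Org-token path: a single batch request; an API error yields success: false.
async function checkMalwareOrg(purls: string[], fetchBatch: (purls: string[]) => Promise<RawArtifact[]>): Promise<MalwareCheckResult> {
  try {
    const artifacts = await fetchBatch(purls)
    return { success: true, packages: artifacts.map(a => normalizeArtifact(a)) }
  } catch (err) {
    return { success: false, packages: [], error: err instanceof Error ? err.message : String(err) }
  }
}

// Constructed sample firewall responses keyed by PURL (not real Socket data).
const SAMPLE_FIREWALL: Record<string, RawArtifact> = {
  'pkg:npm/%40types/evil-example@1.0.0': {
    type: 'npm', namespace: '@types', name: 'evil-example', version: '1.0.0',
    score: { overall: 10, license: 80, maintenance: 50, quality: 40, supplyChain: 5, vulnerability: 90 },
    alerts: [
      { key: 'a1', type: 'malware', severity: 'critical', category: 'supplyChainRisk', props: { note: 'trojan in postinstall' } },
      { key: 'a2', type: 'installScripts', severity: 'medium', category: 'supplyChainRisk' },
      { key: 'a3', type: 'telemetry', severity: 'low' },
    ],
  },
  'pkg:npm/clean-example@2.0.0': {
    type: 'npm', name: 'clean-example', version: '2.0.0',
    score: { overall: 95, license: 100, maintenance: 90, quality: 90, supplyChain: 95, vulnerability: 100 },
    alerts: [],
  },
}

// Stand-in fetcher: rejects for unknown PURLs, which the public path must tolerate.
function fetchSample(purl: string): Promise<RawArtifact> {
  const found = SAMPLE_FIREWALL[purl]
  return found ? Promise.resolve(found) : Promise.reject(new Error(`404 for ${purl}`))
}

checkMalwarePublic(Object.keys(SAMPLE_FIREWALL).concat('pkg:npm/missing-example@0.0.1'), fetchSample)
  .then(result => console.log(JSON.stringify(result, null, 2)))
```

Running it prints two normalized packages: the scoped one keeps its namespace, score and the malware and installScripts alerts (telemetry is dropped because its policy action is monitor), the clean one has an empty alerts array with its score present, and the missing PURL is skipped rather than failing the call. For the org path the same normalizer is called without a policy map, so an alert with no server-assigned action is filtered out.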
@jdalton
Contributor Author

Note: PR #537 (reshapeArtifactForPublicPolicy fix) touches overlapping code. Whichever lands first will require a rebase of the other.

@jdalton John-David Dalton (jdalton) merged commit 059bd09 into main Apr 2, 2026
10 checks passed
@jdalton John-David Dalton (jdalton) deleted the feat/check-malware-api branch April 2, 2026 12:42