feat: add Slack formatter for Socket Facts reachability analysis #144

dacoburn · 2026-01-02T01:33:57Z

Add Slack formatter for Socket Facts reachability analysis with smart prioritization and block limiting. This feature enables the Slack plugin to send formatted notifications about vulnerability reachability analysis, helping teams quickly identify which vulnerabilities are actually exploitable in their code.

Why?

Socket's reachability analysis determines whether vulnerabilities in dependencies are actually reachable from application code. This is critical information that helps teams prioritize remediation efforts - a reachable critical vulnerability requires immediate attention, while an unreachable one can be deprioritized.

This feature brings that intelligence into Slack notifications with:

Smart prioritization: Reachable vulnerabilities are shown first, followed by unknown/error states for critical/high severity issues
Block limiting: Respects Slack's 50 block limit by intelligently filtering and truncating results
Rich formatting: Severity indicators, counts, and organized vulnerability grouping
Actionable insights: Teams can immediately see which vulnerabilities pose real risk

Benefits:

Reduces alert fatigue by focusing on what matters (reachable issues)
Improves response time by surfacing critical reachable vulnerabilities first
Provides better visibility into security posture within existing Slack workflows
Supports data-driven prioritization of security remediation work

Public Changelog

Slack notifications have more robust configuration and filters possible-
Slack notifications can have different alerts or severities go to do different slack web hooks
Added Slack formatter for Socket Facts reachability analysis. Slack notifications now include smart prioritization of vulnerabilities based on reachability status, with reachable issues surfaced first. Includes automatic block limiting to respect Slack's constraints while showing the most critical findings.

- Add new markdown utility for Socket Facts data formatting - Add `socketsecurity/core/helper/socket_facts_loader.py` to load Socket Facts JSON - Add `socketsecurity/plugins/formatters/slack.py` for Slack-specific formatting - Update Slack plugin to support reachability analysis notifications with smart block limiting - Add markdown dependency for enhanced formatting capabilities - Update README documentation - Update socketdev dependency to 3.0.25 - Bump version to 2.2.59

socket-security · 2026-01-02T01:34:30Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Vulnerability
pypi/pre-commit@4.5.0 ⏵ 4.5.1
pypi/docutils@0.22.3 ⏵ 0.22.4	⁺¹
pypi/coverage@7.13.0 ⏵ 7.13.1	⁺¹
pypi/urllib3@2.6.1 ⏵ 2.6.2	⁺¹
pypi/nodeenv@1.9.1 ⏵ 1.10.0	⁺¹
pypi/soupsieve@2.8 ⏵ 2.8.1
pypi/uv@0.9.17 ⏵ 0.9.21
pypi/markdown@3.10
pypi/ruff@0.14.8 ⏵ 0.14.10
pypi/filelock@3.20.0 ⏵ 3.20.1		⁺²
pypi/backports-zstd@1.2.0 ⏵ 1.3.0	⁺⁴
pypi/gitpython@3.1.45 ⏵ 3.1.46	⁺⁸

View full report

github-actions · 2026-01-02T01:34:43Z

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.60.dev1

Docker image: socketdev/cli:pr-144

socket-security-staging · 2026-01-02T01:35:19Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Vulnerability
pypi/gitpython@3.1.45 ⏵ 3.1.46	⁺¹
pypi/pre-commit@4.5.0 ⏵ 4.5.1
pypi/docutils@0.22.3 ⏵ 0.22.4	⁺¹
pypi/coverage@7.13.0 ⏵ 7.13.1	⁺¹
pypi/urllib3@2.6.1 ⏵ 2.6.2	⁺¹
pypi/backports-zstd@1.2.0 ⏵ 1.3.0	⁺¹
pypi/nodeenv@1.9.1 ⏵ 1.10.0	⁺¹
pypi/socketdev@3.0.22 ⏵ 3.0.25
pypi/soupsieve@2.8 ⏵ 2.8.1
pypi/uv@0.9.17 ⏵ 0.9.21
pypi/markdown@3.10
pypi/ruff@0.14.8 ⏵ 0.14.10
pypi/filelock@3.20.0 ⏵ 3.20.1		⁺²

View full report

socket-security-staging · 2026-01-02T01:35:21Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		License policy violation: pypi `docutils` License: License :: OSI Approved :: GNU General Public License (GPL) - This license classifier is not allowed by the applicable policy (docutils-0.22.4/PKG-INFO) License: License :: OSI Approved :: GNU General Public License (GPL) - This license classifier is not allowed by the applicable policy (docutils-0.22.4/pyproject.toml) From: uv.lock → `pypi/docutils@0.22.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore pypi/docutils@0.22.4`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `docutils` License: License :: OSI Approved :: GNU General Public License (GPL) - This license classifier is not allowed by the applicable policy (docutils-0.22.4.dist-info/METADATA) From: uv.lock → `pypi/docutils@0.22.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore pypi/docutils@0.22.4`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

dacoburn added the Product Changelog New features for the public changelog label Jan 2, 2026

dacoburn requested a review from a team as a code owner January 2, 2026 01:33

divmain approved these changes Jan 2, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: add Slack formatter for Socket Facts reachability analysis #144

feat: add Slack formatter for Socket Facts reachability analysis #144

Uh oh!

dacoburn commented Jan 2, 2026

Uh oh!

socket-security bot commented Jan 2, 2026

Uh oh!

github-actions bot commented Jan 2, 2026

Uh oh!

socket-security-staging bot commented Jan 2, 2026

Uh oh!

socket-security-staging bot commented Jan 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

feat: add Slack formatter for Socket Facts reachability analysis #144

Are you sure you want to change the base?

feat: add Slack formatter for Socket Facts reachability analysis #144

Uh oh!

Conversation

dacoburn commented Jan 2, 2026

Why?

Public Changelog

Uh oh!

socket-security bot commented Jan 2, 2026

Uh oh!

github-actions bot commented Jan 2, 2026

Uh oh!

socket-security-staging bot commented Jan 2, 2026

Uh oh!

socket-security-staging bot commented Jan 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants