[APPSEC-1646][Non-Prod] Add Socket Security Scan with Tier 1 Reachability Analysis

[ping-huang1]

Summary

• Adds Socket Security Scan GitHub Actions workflow (.github/workflows/socket_reachability.yml)
• Runs daily at 2 AM UTC and can be triggered manually via workflow_dispatch
• Supports Tier 1 reachability analysis to identify which vulnerabilities are actually reachable in the code
• Requires SOCKET_SECURITY_API_KEY secret with enterprise plan (scopes: socket-basics, uploaded-artifacts, full-scans, repo)

Test plan

• Ensure SOCKET_SECURITY_API_KEY secret is configured in the repo settings
• After merge, manually trigger the workflow via the "Run workflow" button to confirm it runs successfully

https://webflow.atlassian.net/browse/APPSEC-1646

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github/​astral-sh/​setup-uv@​e4db8464a088ece1b920f60402e813ea4de65b8f
	github/​actions/​setup-python@​a26af69be951a213d495a4c3e4e4022e16d87065
	github/​actions/​setup-node@​49933ea5288caeca8642d1e84afbd3f7d6820020
	github/​actions/​checkout@​34e114876b0b11c390a56381ad16ebd13914f8d5

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Input argument leak: github astral-sh/setup-uv exposes an input argument into sink Location: Package overview From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f ℹ Read more on: This package | This alert | What are GitHub Actions taint flows? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Validate and sanitize all input arguments before using them in dangerous operations. Use parameterized commands or APIs instead of string concatenation for shell commands. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable leak: github astral-sh/setup-uv passes an environment variable into sink Location: Package overview From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f ℹ Read more on: This package | This alert | What are GitHub Actions taint flows? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Validate and sanitize environment variables before using them in dangerous operations. Ensure environment variables come from trusted sources only, and use parameterized commands or APIs instead of string concatenation. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: github actions/setup-python Location: Package overview From: .github/workflows/socket_reachability.yml → github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 ℹ Read more on: This package | This alert | What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: github actions/setup-python Location: Package overview From: .github/workflows/socket_reachability.yml → github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: github actions/setup-python Location: Package overview From: .github/workflows/socket_reachability.yml → github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: github astral-sh/setup-uv Location: Package overview From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: github astral-sh/setup-uv Location: Package overview From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: github astral-sh/setup-uv Location: Package overview From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f ℹ Read more on: This package | This alert | What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report