From 106abc1078c13f1d6a6efdd1240b5a05d76be392 Mon Sep 17 00:00:00 2001
From: Nick Nisi
Date: Thu, 19 Mar 2026 10:00:39 -0500
Subject: [PATCH] ci: add Socket Tier 1 Reachability Analysis workflow

Add daily Socket security scan with manual dispatch support. Runs `socket scan create` with `--reach` for full application reachability analysis against the workos org, matching the existing workflow in authkit-nextjs. Requires the SOCKET_API_KEY secret.
---
 .github/workflows/socket-tier1-analysis.yml | 40 +++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 .github/workflows/socket-tier1-analysis.yml

diff --git a/.github/workflows/socket-tier1-analysis.yml b/.github/workflows/socket-tier1-analysis.yml
new file mode 100644
index 0000000..b60357c
--- /dev/null
+++ b/.github/workflows/socket-tier1-analysis.yml
@@ -0,0 +1,40 @@
+name: Socket Tier 1 Reachability Analysis
+
+on:
+  schedule:
+    # every day at 12 AM
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+    inputs:
+      tags:
+        description: 'Manually run vulnerability analysis'
+      distinct_id:
+        description: 'Required by the return-dispatch action'
+        required: true
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  socket-vulnerability-analysis:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+
+    steps:
+      - name: Check distinct_id
+        run: |
+          echo "distinct_id: ${{ github.event.inputs.distinct_id }}"
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Install Socket CLI
+        run: npm install -g socket
+      - name: Run Tier 1 reachability scan
+        env:
+          SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_API_KEY }}
+        run: |
+          # Full application reachability (Tier 1)
+          socket scan create . \
+            --reach \
+            --org "workos" \
+            --no-interactive
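Review bot: The `distinct_id` input is interpolated straight into the shell body of the `Check distinct_id` step; pass it through the environment instead (`env:` with `DISTINCT_ID: ${{ github.event.inputs.distinct_id }}` on the step, then `echo "distinct_id: $DISTINCT_ID"`) so the value is expanded as data rather than as script text, and note that the step only echoes the value, so despite its name it does not verify anything. The workflow declares no `permissions:` block, so the job token gets the repository's default scope although the steps only need to read the checkout; a top-level `permissions:` with `contents: read` would make the least-privilege intent explicit. `actions/checkout@v4` and `npm install -g socket` both resolve to a moving version at run time; pinning the action to a full commit SHA and the CLI to an exact version (`npm install -g socket@<pinned-version>`) keeps the daily scan's own supply chain reproducible and reviewable.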