[APPSEC-1645] [Non-Prod] Add Socket Security Tier 1 reachability scan #105

Open
ping-huang1 wants to merge 1 commit into main from appsec-socket-scan

ping-huang1 commented Apr 3, 2026

Summary

  • Adds Socket Security scan workflow with Tier 1 reachability analysis
  • Runs daily at 2 AM UTC and can be triggered manually
  • Reachability analysis can be toggled via workflow dispatch input (enabled by default)

Details

The workflow:

  • Checks out the repo and sets up Python 3.12 + Node 20
  • Installs Socket CLI via uv
  • Runs socketcli with Tier 1 reachability flags (--reach --reach-memory-limit 16384 --reach-timeout 3600)

Required secret: SOCKET_SECURITY_API_KEY (enterprise plan) with scopes: socket-basics, uploaded-artifacts, full-scans, repo

Test plan

  • After merge, manually trigger the workflow via the "Run workflow" button to confirm it runs successfully

https://webflow.atlassian.net/browse/APPSEC-1645

Adds a GitHub Actions workflow for Socket Security scanning with Tier 1
reachability analysis to identify which dependency vulnerabilities are
actually reachable in the codebase.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ping-huang1 requested a review from a team as a code owner April 3, 2026 00:10
ping-huang1 requested review from zmcnellis and removed request for a team April 3, 2026 00:10
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
Input argument leak: github astral-sh/setup-uv exposes an input argument into sink

Location: Package overview

From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f

ℹ Read more on: This package | This alert | What are GitHub Actions taint flows?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Validate and sanitize all input arguments before using them in dangerous operations. Use parameterized commands or APIs instead of string concatenation for shell commands.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Environment variable leak: github astral-sh/setup-uv passes an environment variable into sink

Location: Package overview

From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f

ℹ Read more on: This package | This alert | What are GitHub Actions taint flows?

Suggestion: Validate and sanitize environment variables before using them in dangerous operations. Ensure environment variables come from trusted sources only, and use parameterized commands or APIs instead of string concatenation.

Warn Medium
Dynamic code execution: github actions/setup-python

Location: Package overview

From: .github/workflows/socket_reachability.yml → github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065

ℹ Read more on: This package | This alert | What is dynamic code execution?

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Network access: github actions/setup-python

Location: Package overview

From: .github/workflows/socket_reachability.yml → github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Warn Medium
System shell access: github actions/setup-python

Location: Package overview

From: .github/workflows/socket_reachability.yml → github/actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065

ℹ Read more on: This package | This alert | What is shell access?

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Warn Medium
Network access: github astral-sh/setup-uv

Location: Package overview

From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f

ℹ Read more on: This package | This alert | What is network access?

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Warn Medium
System shell access: github astral-sh/setup-uv

Location: Package overview

From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f

ℹ Read more on: This package | This alert | What is shell access?

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Warn Medium
Dynamic code execution: github astral-sh/setup-uv

Location: Package overview

From: .github/workflows/socket_reachability.yml → github/astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f

ℹ Read more on: This package | This alert | What is dynamic code execution?

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

node-version: "20"

- name: Install uv (Python package manager)
uses: astral-sh/setup-uv@v4
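Review bot: the `uses: astral-sh/setup-uv@v4` line references a mutable tag; pin it to the full commit SHA that the tag currently resolves to and keep the tag name in a trailing comment. The Socket alert on this PR lists setup-uv at e4db8464a088ece1b920f60402e813ea4de65b8f while the fix suggested below uses ed597411d8f924073f98dfc5c65a23a2325f34cd, so confirm against the upstream repository which commit v4 points to before choosing the pin.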

Semgrep identified an issue in your code:

The GitHub action astral-sh/setup-uv@v4 uses a mutable version tag that could be rewritten by an attacker to inject malicious code into your workflow.

More details about this

The astral-sh/setup-uv@v4 action is pinned to a version tag instead of a full commit SHA. Version tags in GitHub are mutable—a maintainer can move or re-tag a release at any time. An attacker who compromises the astral-sh/setup-uv repository could overwrite the v4 tag to point to malicious code.

Exploit scenario:

  1. An attacker compromises the astral-sh/setup-uv repository and gains push access
  2. They force-push a commit containing a backdoor to rewrite the v4 tag
  3. Your workflow runs and pulls the malicious code via uses: astral-sh/setup-uv@v4
  4. The backdoor executes in the runner environment with access to secrets.SOCKET_SECURITY_API_KEY and your repository code
  5. The attacker exfiltrates credentials and source code

Pinning to a specific commit SHA (e.g., @a1b2c3d4e5f6...) creates an immutable reference that cannot be altered after commit creation, even if the tag is rewritten.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
uses: astral-sh/setup-uv@v4
# Pinned to v4 for security; see https://github.com/astral-sh/setup-uv/tags
uses: astral-sh/setup-uv@ed597411d8f924073f98dfc5c65a23a2325f34cd
View step-by-step instructions
  1. Replace the action version in uses: astral-sh/setup-uv@v4 with a full 40-character commit SHA from the official setup-uv repository. For example: uses: astral-sh/setup-uv@ed597411d8f924073f98dfc5c65a23a2325f34cd
  2. (Optional but recommended) Add a comment with the pinned SHA to indicate why it's pinned and provide a link to the action/tag for reference, e.g. # Pinned to v4 for security; see https://github.com/astral-sh/setup-uv/tags

Pinning to a commit SHA makes the workflow more secure and prevents unexpected changes if the upstream action is updated.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by third-party-action-not-pinned-to-commit-sha.

You can view more details about this finding in the Semgrep AppSec Platform.

ping-huang1 changed the title from "[APPSEC] Add Socket Security Tier 1 reachability scan" to "[APPSEC-1645] [Non-Prod] Add Socket Security Tier 1 reachability scan" on Apr 3, 2026

zmcnellis (Collaborator) left a comment

@ping-huang1 I think my team (developer platform) was incorrectly tagged on this PR. Maybe you meant delivery loop?

- name: Run Socket Security Scan
env:
SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_KEY }}
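Review bot: SOCKET_SECURITY_API_TOKEN on the last line is set from secrets.SOCKET_SECURITY_API_KEY, the same secret as the variable above it. Keep only the name the scan step actually reads, or add a comment saying why both are required, so the key is not exported to the step under a second name without a stated reason.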
Collaborator

I don't have context on this PR, but at a glance this seems redundant to have SOCKET_SECURITY_API_KEY and SOCKET_SECURITY_API_TOKEN pointed to the same secret?
