Socket.dev Schema

SocketDevOrganization

Represents a Socket.dev Organization, the top-level tenant for all Socket.dev resources.

Ontology Mapping: This node has the extra label Tenant to enable cross-platform queries for organizational tenants across different systems (e.g., OktaOrganization, AzureTenant, GCPOrganization).

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | Unique organization identifier |
| slug | Organization slug used in API URLs |
| name | Organization display name |
| plan | Subscription plan (e.g. enterprise, team) |
| image | Organization image URL |

Relationships

  • A SocketDevOrganization contains SocketDevRepository nodes

    (SocketDevOrganization)-[RESOURCE]->(SocketDevRepository)
    
  • A SocketDevOrganization contains SocketDevDependency nodes

    (SocketDevOrganization)-[RESOURCE]->(SocketDevDependency)
    
  • A SocketDevOrganization contains SocketDevAlert nodes

    (SocketDevOrganization)-[RESOURCE]->(SocketDevAlert)
    
  • A SocketDevOrganization contains SocketDevFix nodes

    (SocketDevOrganization)-[RESOURCE]->(SocketDevFix)
    
    

SocketDevRepository

Represents a repository monitored by Socket.dev for supply chain security.

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | Unique repository identifier |
| name | Repository name |
| slug | Repository slug |
| fullname | Full path including workspace (e.g. "goodenoughlabs/infra") |
| description | Repository description |
| visibility | Repository visibility (public or private) |
| archived | Whether the repository is archived |
| default_branch | Default branch name |
| homepage | Repository homepage URL |
| created_at | Repository creation timestamp |
| updated_at | Repository last update timestamp |

Relationships

  • A SocketDevRepository belongs to a SocketDevOrganization

    (SocketDevOrganization)-[RESOURCE]->(SocketDevRepository)
    
  • A SocketDevRepository monitors a CodeRepository (cross-module ontology link, matched on _ont_fullname)

    (SocketDevRepository)-[MONITORS]->(CodeRepository)
    
  • SocketDevDependency nodes are found in a SocketDevRepository

    (SocketDevDependency)-[FOUND_IN]->(SocketDevRepository)
    
  • SocketDevAlert nodes are found in a SocketDevRepository

    (SocketDevAlert)-[FOUND_IN]->(SocketDevRepository)
    
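The MONITORS link is what makes coverage gaps queryable: any CodeRepository that no SocketDevRepository monitors is a repository whose dependencies Socket.dev never scans. The query below is an added example, not part of the Cartography documentation or code; it assumes that CodeRepository is the shared ontology label carried by repository nodes from other modules and that _ont_fullname is populated on those nodes, as the relationship description above states.

```cypher
// Added example (not Cartography's own code): repositories known to the graph
// through another module but not monitored by Socket.dev.
MATCH (code:CodeRepository)
WHERE NOT EXISTS { (:SocketDevRepository)-[:MONITORS]->(code) }
RETURN code._ont_fullname AS repository
ORDER BY repository
```

Run this after every sync; a non-empty result is either a repository that was never onboarded to Socket.dev or a naming mismatch between the two modules, and both are worth a ticket.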
    

SocketDevDependency

Represents an open-source dependency tracked by Socket.dev across the organization’s repositories.

Ontology Mapping: This node has the extra label Dependency. It is linked to the abstract Package ontology node via (:Package)-[:DETECTED_AS]->(:SocketDevDependency) using the normalized_id field for cross-tool matching with Trivy and Syft.

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | Unique dependency identifier |
| name | Package name (e.g. lodash, express) |
| version | Package version |
| ecosystem | Package ecosystem (e.g. npm, pypi, maven, golang) |
| namespace | Package namespace (if applicable) |
| normalized_id | Normalized package ID for cross-tool matching (format: type\|name\|version) |
| direct | Whether this is a direct dependency (true) or transitive (false) |
| repo_slug | Repository slug where the dependency was found |
| repo_fullname | Full repository path where the dependency was found (e.g. goodenoughlabs/infra) |

Relationships

  • A SocketDevDependency belongs to a SocketDevOrganization

    (SocketDevOrganization)-[RESOURCE]->(SocketDevDependency)
    
  • A SocketDevDependency is found in a SocketDevRepository

    (SocketDevDependency)-[FOUND_IN]->(SocketDevRepository)
    
  • A Package is detected as a SocketDevDependency (ontology link, defined in the Package model)

    (Package)-[DETECTED_AS]->(SocketDevDependency)
    
  • A SocketDevDependency should update to a SocketDevFix

    (SocketDevDependency)-[SHOULD_UPDATE_TO]->(SocketDevFix)
    
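The Package ontology node is the pivot for cross-tool questions such as "which of the direct dependencies Socket.dev sees in this repository has another scanner also observed?". The following query is an added example, not part of the Cartography documentation or code. The repository fullname goodenoughlabs/infra is the placeholder used in the field descriptions above, and the query assumes that other modules (Trivy, Syft) attach their own package nodes to the same Package node through DETECTED_AS, as the ontology mapping above describes.

```cypher
// Added example (not Cartography's own code): direct Socket.dev dependencies of one
// repository, with the abstract Package node each resolves to and how many other
// tools' detections hang off that same Package node.
MATCH (dep:SocketDevDependency)-[:FOUND_IN]->(repo:SocketDevRepository)
WHERE repo.fullname = 'goodenoughlabs/infra'   // placeholder repository
  AND dep.direct = true
OPTIONAL MATCH (pkg:Package)-[:DETECTED_AS]->(dep)
// Pattern comprehension yields [] when pkg is null, so unlinked deps still appear.
WITH dep, pkg,
     [ (pkg)-[:DETECTED_AS]->(other) WHERE NOT other:SocketDevDependency | other ] AS other_detections
RETURN dep.ecosystem           AS ecosystem,
       dep.name                AS name,
       dep.version             AS version,
       dep.normalized_id       AS normalized_id,
       pkg IS NOT NULL         AS has_package_node,
       size(other_detections)  AS seen_by_other_tools
ORDER BY seen_by_other_tools DESC, ecosystem, name
```

A row with has_package_node = false means normalized_id did not match anything the Package model produced; check the ecosystem and namespace handling on both sides before trusting any cross-tool join for that package.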
    

SocketDevAlert

Represents a security alert from Socket.dev. Alerts cover vulnerabilities (CVE), supply chain risks (malware, typosquatting), quality issues, maintenance concerns, and license violations.

Ontology Mapping: This node has the extra label Risk to enable cross-platform queries for security findings across different systems (e.g., TrivyImageFinding, S1AppFinding, AWSInspectorFinding).

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | Unique alert identifier |
| key | Alert deduplication key |
| type | Alert type (e.g. criticalCVE, malware, unmaintained, obfuscatedFile) |
| category | Alert category: vulnerability, supplyChainRisk, quality, maintenance, license |
| severity | Alert severity: low, medium, high, critical |
| status | Alert status: open or cleared |
| title | Human-readable alert title |
| description | Detailed alert description |
| dashboard_url | Link to the alert in the Socket.dev dashboard |
| created_at | Alert creation timestamp |
| updated_at | Alert last update timestamp |
| cleared_at | Timestamp when the alert was cleared (if applicable) |
| cve_id | CVE identifier (when category is vulnerability) |
| cvss_score | CVSS score, 0-10 (when category is vulnerability) |
| epss_score | EPSS probability score (when category is vulnerability) |
| epss_percentile | EPSS percentile (when category is vulnerability) |
| is_kev | Whether this is a CISA Known Exploited Vulnerability |
| first_patched_version | First version that fixes the vulnerability |
| action | Alert action from the security policy (error, warn, monitor, ignore) |
| repo_slug | Repository slug where the alert was found |
| repo_fullname | Full repository path where the alert was found (e.g. goodenoughlabs/infra) |
| branch | Branch where the alert was found |
| artifact_name | Affected package name |
| artifact_version | Affected package version |
| artifact_type | Affected package ecosystem |

Relationships

  • A SocketDevAlert belongs to a SocketDevOrganization

    (SocketDevOrganization)-[RESOURCE]->(SocketDevAlert)
    
  • A SocketDevAlert is found in a SocketDevRepository

    (SocketDevAlert)-[FOUND_IN]->(SocketDevRepository)
    
  • Zero or more SocketDevFix nodes apply to a SocketDevAlert

    (SocketDevFix)-[APPLIES_TO]->(SocketDevAlert)
    
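Because the alert carries both its category and the action the organization's security policy assigned to it, the graph can answer a policy question that the dashboard does not put front and centre: which supply-chain risks (malware, obfuscated files, and the like) are open in some repository while the policy only warns or monitors instead of blocking. The query is an added example, not part of the Cartography documentation or code; it uses only the category and action values listed in the table above and treats a missing action as "unset".

```cypher
// Added example (not Cartography's own code): open supply-chain-risk alerts whose
// policy action is anything other than 'error', grouped by alert type and action.
MATCH (alert:SocketDevAlert)-[:FOUND_IN]->(repo:SocketDevRepository)
WHERE alert.status = 'open'
  AND alert.category = 'supplyChainRisk'
  AND coalesce(alert.action, 'unset') <> 'error'
RETURN alert.type                         AS alert_type,
       coalesce(alert.action, 'unset')    AS policy_action,
       count(DISTINCT repo)               AS repositories,
       // a few affected packages per group, enough to eyeball without flooding the result
       collect(DISTINCT alert.artifact_name + '@' + coalesce(alert.artifact_version, '?'))[0..10]
                                          AS sample_packages
ORDER BY alert_type, policy_action
```

A malware row with policy_action = monitor is the finding to act on first: the package is already in a repository and nothing in the pipeline is set to stop it.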
    

SocketDevFix

Represents an available fix for a vulnerability alert. Modeled on the TrivyFix node of the Trivy module, it links an alert to the remediation that resolves it.

Ontology Mapping: This node has the extra label Fix to enable cross-platform queries for vulnerability fixes (e.g., TrivyFix).

| Field | Description |
|-------|-------------|
| firstseen | Timestamp of when a sync job first discovered this node |
| lastupdated | Timestamp of the last time the node was updated |
| id | Unique fix identifier (vulnerability_id\|purl\|fixed_version) |
| purl | Package URL of the affected package (e.g. pkg:npm/lodash@4.17.21) |
| fixed_version | Version that fixes the vulnerability |
| update_type | Type of version update required: patch, minor, major, or unknown |
| vulnerability_id | CVE or GHSA identifier this fix addresses |
| fix_type | Fix availability: fixFound or partialFixFound |

Relationships

  • A SocketDevFix belongs to a SocketDevOrganization

    (SocketDevOrganization)-[RESOURCE]->(SocketDevFix)
    
  • A SocketDevFix applies to a SocketDevAlert

    (SocketDevFix)-[APPLIES_TO]->(SocketDevAlert)
    
  • A SocketDevDependency should update to a SocketDevFix

    (SocketDevDependency)-[SHOULD_UPDATE_TO]->(SocketDevFix)
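Putting the alert, fix and dependency relationships together gives a remediation worklist: every open vulnerability alert that is either in CISA KEV or rated critical, the repository it sits in, the available fix, and whether the affected package is a direct dependency (and therefore something the repository's own manifest can bump). The query is an added example, not part of the Cartography documentation or code. The organization slug goodenoughlabs is a placeholder, and the dependency match is restricted to the same repository because one fix node can be the SHOULD_UPDATE_TO target of the same package in several repositories.

```cypher
// Added example (not Cartography's own code): prioritized remediation list for one
// organization, joining alert -> fix -> dependency -> repository.
MATCH (org:SocketDevOrganization {slug: 'goodenoughlabs'})   // placeholder slug
      -[:RESOURCE]->(alert:SocketDevAlert)-[:FOUND_IN]->(repo:SocketDevRepository)
WHERE alert.status = 'open'
  AND alert.category = 'vulnerability'
  AND (alert.is_kev = true OR alert.severity = 'critical')
// An alert may have zero fixes (row kept, fix columns null) or several
// (one row per fix, e.g. a fixFound and a partialFixFound entry).
OPTIONAL MATCH (fix:SocketDevFix)-[:APPLIES_TO]->(alert)
// Only the dependency node from the same repository, so rows do not fan out
// across every repository that pins the same package version.
OPTIONAL MATCH (dep:SocketDevDependency)-[:SHOULD_UPDATE_TO]->(fix)
WHERE (dep)-[:FOUND_IN]->(repo)
RETURN repo.fullname           AS repository,
       alert.cve_id            AS cve,
       alert.severity          AS severity,
       alert.is_kev            AS kev,
       alert.epss_score        AS epss,
       alert.artifact_name     AS package,
       alert.artifact_version  AS affected_version,
       dep.direct              AS direct_dependency,
       fix.fixed_version       AS fixed_version,
       fix.update_type         AS update_type,
       fix.fix_type            AS fix_type,
       alert.dashboard_url     AS dashboard_url
ORDER BY kev DESC, epss DESC, severity, repository
```

Rows where fixed_version is null are alerts with no upstream fix yet; those need a compensating control rather than a version bump. Rows with update_type = major are the ones to budget engineering time for, since the bump is unlikely to be a drop-in change.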