Hey team, great to see someone tackle this project, and the idea to scan for new potential issues based on the code that changed is cool.
My initial impression when visiting the website, though, is that I can't understand how it works exactly. For example, the learn more page at https://socket.dev/integrations says Socket helps improve the posture, but it would be good to explain (perhaps with screenshots of an actual example?) how it catches an issue.
Right now the integration is fairly slim; it just does typosquat warnings when you install a package that has a similar name to a more common package. The warning comes in the form of a comment on PRs that add packages meeting this criterion.
We have a bunch of other detections listed here: https://socket.dev/npm/issue. They have not been added to the GitHub App yet, but are available on a per-package basis for manual research at the moment. Over the next few release cycles we will be adding additional issue checks and warnings to the GitHub integration so that you can get a warning when dependencies add new capabilities, add suspicious things like analytics or install scripts, add unknown publishers to their maintainer list, or start publishing binary or obfuscated code. These will be automatically turned on and rolled out as we determine them to be not too noisy and to provide interesting signals.
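To make the typosquat check described above concrete, here is an added example (not Socket's code, and not how its GitHub App is implemented) of the kind of logic such a PR check performs: diff the dependency names between the old and new `package.json`, compare each newly added name against a list of well-known packages using an edit distance that counts a transposition as one edit, and turn any near-miss into a PR comment. The manifests and the `POPULAR_PACKAGES` list are constructed sample data; a real check would use download-ranked registry data. The minimum-length guard is one of the noise-reduction knobs the reply alludes to, since one-edit matches between very short names are mostly false positives.

```python
import json

# Constructed sample: a short list standing in for the most-downloaded npm packages.
POPULAR_PACKAGES = ["express", "lodash", "react", "axios", "jest", "chalk", "commander"]

# Constructed sample manifests: the PR adds three packages, one of them a near-miss of "lodash".
OLD_PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.18.2", "lodash": "^4.17.21"}
})
NEW_PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "^4.18.2", "lodash": "^4.17.21",
                     "loadsh": "0.0.1", "left-pad": "1.3.0"},
    "devDependencies": {"jest": "^29.0.0"}
})


def osa_distance(a, b):
    """Optimal-string-alignment distance: Levenshtein plus adjacent transposition as 1 edit.
    Typosquats are often a swapped pair of letters, which plain Levenshtein scores as 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def dependency_names(manifest_text):
    """Collect dependency names from both runtime and dev sections of a package.json."""
    manifest = json.loads(manifest_text)
    names = set()
    for section in ("dependencies", "devDependencies"):
        names.update(manifest.get(section, {}).keys())
    return names


def added_dependencies(old_manifest_text, new_manifest_text):
    """Names present in the new manifest but not the old one, i.e. what the PR introduces."""
    return sorted(dependency_names(new_manifest_text) - dependency_names(old_manifest_text))


def find_typosquat_candidates(added, popular=POPULAR_PACKAGES, max_distance=1, min_length=4):
    """Return (added_name, well_known_name, distance) for each newly added package whose
    name is within max_distance edits of a well-known package but is not that package."""
    findings = []
    for name in added:
        if name in popular or len(name) < min_length:
            continue  # exact match is the real package; short names match trivially
        for well_known in popular:
            dist = osa_distance(name, well_known)
            if 0 < dist <= max_distance:
                findings.append((name, well_known, dist))
    return findings


def format_pr_comment(findings):
    """Render findings as the body of a PR review comment; empty string means nothing to say."""
    if not findings:
        return ""
    lines = ["Possible typosquat packages added in this PR:"]
    for name, well_known, dist in findings:
        lines.append(f"- `{name}` is {dist} edit away from the popular package `{well_known}`")
    return "\n".join(lines)


def check_pull_request(old_manifest_text, new_manifest_text):
    """End-to-end: diff manifests, score additions, produce the comment text."""
    return format_pr_comment(find_typosquat_candidates(
        added_dependencies(old_manifest_text, new_manifest_text)))


if __name__ == "__main__":
    print(check_pull_request(OLD_PACKAGE_JSON, NEW_PACKAGE_JSON))
```

Running it on the constructed manifests flags only `loadsh` (one transposition away from `lodash`); `jest` is skipped because it is the well-known package itself, and `left-pad` is not near any name on the list.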