Case study
Socket integrates seamlessly with JupiterOne’s GitHub Actions-based CI/CD pipeline, enforcing policy and blocking risky dependencies before they reach production.
Customizable risk thresholds and dependency reachability analysis drastically reduced false positives and manual reviews.
Socket’s security tooling enables audit-ready compliance enforcement, with automated proofs of policy adherence via CI/CD controls.
Excellent customer support and responsive UX improvements helped a lean security team scale protection without additional overhead.

JupiterOne is a cloud-native cybersecurity platform that enables organizations to manage and visualize their security posture and asset relationships. The team operates under a rigorous security philosophy, with a fully immutable production environment and a modern DevSecOps pipeline driven by automation and enforcement.
Kenneth Kaye, the lead security engineer, wears many hats: architecting infrastructure security, building automation, and overseeing the company's internal security tooling, operating within a lean, efficient team.
Before adopting Socket, JupiterOne had experimented with various GitHub-native tools, open source scanners, and SaaS security platforms. However, those tools fell short, as Kenneth explained:
"The real issues we ran into with other tools were cost-effectiveness — were they worth the bang for the buck — and how much processing and administrative overhead they required," Kenneth said.
"In a cloud-native startup, processing time is money, so we have to be very strategic about where we spend it. A lot of those tools just didn’t provide the value we needed. That’s why we switched to Socket. We had tried a variety of different solutions, but Socket turned out to be the most cost-effective and efficient, replacing all the others."
JupiterOne’s security model centers on full automation and enforcement. Their immutable production environments are only updated via CI/CD, and no manual changes are allowed post-deployment.
Socket fit perfectly into this model:
“The number of false positives went down quite a lot because we were able to set up filters for ‘this is below our threshold of risk and so we don't care about it,’” Kenneth said.
“We had the granularity in the Socket console to be able to say, ‘yes, this is okay; no, that's not okay,’ and form it exactly to our security appetite.”
As a result, Socket has become a key part of JupiterOne’s compliance strategy. The CI/CD enforcement model allows them to show auditors exactly how dependency risk is managed and prove it across hundreds of thousands of PRs over the last six months.
“We just point to the GitHub config, the Socket policy, and say, 'Look: it literally can’t ship unless this check passes.'”
Despite their lean team and limited time, integrating Socket took just a few hours. Most of the effort went toward verifying edge cases and confirming full enforcement across the pipeline.
“Setup was simple,” Kenneth said. “We pulled out all the old stuff, dropped in Socket, and verified a few edge cases.”
The initial learning curve was addressed through Socket’s responsive support team. Kenneth specifically highlighted the usefulness of tutorial videos Socket produced in response to his feedback.
“We don’t always have time to read docs, but we can multitask with videos,” he said. “That was a huge win.”
Kenneth praised Socket’s user interface for aligning with established design conventions rather than introducing unnecessary complexity. For a security engineer juggling many tools, that consistency made the product easier to adopt and reduced cognitive overhead.
“I really appreciate that Socket isn’t trying to look different just for the sake of it,” he said. “The UX doesn’t try to stand out. It just works the way it should. I don’t have to waste mental space remembering how to use it, which is rare for security tools.”
One of the most impactful improvements for JupiterOne came from Socket’s reachability analysis, a feature that determines whether vulnerable functions in dependencies are actually invoked by the application. This allowed the team to distinguish between theoretical and real risks, significantly reducing false positives and manual triage work.

Socket’s reachability-based filtering and risk policy engine have dramatically improved JupiterOne's developer experience:
“The reduction of false positives is a pretty big one, especially with the ability to determine whether or not functions are actually being accessed from those dependencies,” Kenneth said. “That’s been a huge benefit. It lets us focus only on what matters.”
By combining reachability insights with customizable policy thresholds, the team was able to set clear rules about what should block a deployment and ignore the rest. This eliminated the need for a complex internal risk scoring system they had previously relied on, which Kenneth described as difficult to maintain and interpret.
“We used to have this whole scoring metric around how risky a change was, based on output from a bunch of tools,” he said. “It became hard to tell if the number was even accurate. Socket replaced that with something much clearer and way faster.”
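To make the two ideas above concrete, reachability analysis (does the application actually call the flagged dependency function?) and a policy threshold deciding what blocks a deployment, here is a small added example. It is not Socket's implementation and not JupiterOne's pipeline; it is an illustration written for this page. The application source, the dependency source, and the advisory severities are all constructed, and the module names `app` and `vendorlib` are hypothetical. It builds a static call graph with Python's `ast` module, walks it from the application's entry point, and lets only reachable findings at or above the threshold block the check.

```python
"""Toy reachability analysis plus a block/allow policy threshold.

Added example for illustration; not Socket's engine. Sources and
advisories below are constructed for the demo.
"""
import ast
from collections import deque

# Constructed application source (hypothetical module "app").
APP_SRC = """
from vendorlib import parse_config, render_template, legacy_eval

def load(path):
    return parse_config(open(path).read())

def main():
    cfg = load("app.toml")
    return render_template(cfg)
"""

# Constructed dependency source (hypothetical module "vendorlib").
DEP_SRC = """
def parse_config(text):
    return text.splitlines()

def render_template(cfg):
    return helper(cfg)

def helper(cfg):
    return ", ".join(cfg)

def legacy_eval(expr):
    return eval(expr)
"""

MODULES = {"app": APP_SRC, "vendorlib": DEP_SRC}

# Constructed advisories: qualified function name -> severity score (0-10).
# Note legacy_eval is severe but never called by the app; helper is reachable
# only transitively through render_template.
ADVISORIES = {
    "vendorlib.legacy_eval": 9.8,
    "vendorlib.parse_config": 7.5,
    "vendorlib.helper": 4.0,
}


def build_call_graph(modules):
    """Map each top-level function to the set of functions it calls directly.

    Only direct-name calls are resolved (local definitions and `from x import y`
    names); attribute calls such as text.splitlines() are ignored, which is a
    deliberate simplification of this toy.
    """
    graph = {}
    for mod, src in modules.items():
        tree = ast.parse(src)
        imports = {}
        for node in tree.body:
            if isinstance(node, ast.ImportFrom):
                for alias in node.names:
                    imports[alias.asname or alias.name] = f"{node.module or mod}.{alias.name}"
        local = {n.name: f"{mod}.{n.name}" for n in tree.body if isinstance(n, ast.FunctionDef)}
        for node in tree.body:
            if not isinstance(node, ast.FunctionDef):
                continue
            callees = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name):
                    target = local.get(sub.func.id) or imports.get(sub.func.id)
                    if target:
                        callees.add(target)
            graph[f"{mod}.{node.name}"] = callees
    return graph


def reachable_from(graph, entry):
    """Breadth-first walk of the call graph from one entry point."""
    seen, queue = set(), deque([entry])
    while queue:
        func = queue.popleft()
        if func in seen:
            continue
        seen.add(func)
        queue.extend(graph.get(func, ()))
    return seen


def evaluate_policy(graph, entry, advisories, block_threshold):
    """Return (blocked, findings). A finding blocks only if it is reachable
    from the entry point AND its severity meets the configured threshold."""
    reached = reachable_from(graph, entry)
    findings = []
    for name, severity in sorted(advisories.items()):
        reachable = name in reached
        findings.append({
            "function": name,
            "severity": severity,
            "reachable": reachable,
            "blocks": reachable and severity >= block_threshold,
        })
    return any(f["blocks"] for f in findings), findings


if __name__ == "__main__":
    graph = build_call_graph(MODULES)
    blocked, findings = evaluate_policy(graph, "app.main", ADVISORIES, 7.0)
    for f in findings:
        print(f"{f['function']:<24} sev={f['severity']:<4} reachable={f['reachable']!s:<5} blocks={f['blocks']}")
    print("CI check:", "BLOCK" if blocked else "PASS")
```

With the constructed inputs and a threshold of 7.0, a naive scanner would raise two high-severity findings (`legacy_eval` and `parse_config`), but only `parse_config` is both reachable and above threshold, so it alone blocks; raising the threshold to 8.0 lets the same change pass. The threshold is the knob the case study describes as tuning the filter to the team's risk appetite.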
Interested in Socket for your organization?
Schedule a demo with our team and try Socket.