Vulnerability scanner plugin

Scan packages for known vulnerabilities

The Vulnerability Scanner plugin scans all packages in a registry for known vulnerabilities from the Bytesafe advisory database.

The plugin can also be configured to optionally quarantine unwanted or risky packages.

Packages are scanned by the vulnerability scanner when:

  • The plugin is enabled (all package versions already in the registry are scanned)
  • A new package is added to the registry
  • A new advisory is added to the database

When a vulnerability is found, a new issue is opened with the title, severity and description taken from the advisory.

(Screenshot: package card)

In addition to the issues in Bytesafe, the vulnerability scanner's findings are also exposed through the npm audit command, which npm also runs automatically every time a user runs npm install.

More detailed information about the advisory can be found in the created issue.

Settings

Please refer to quarantine configuration for quarantine specific settings.

Notifications

New issues are by default sent to all active users in the workspace. For more information see issue notifications.

If you have enabled the Slack integration, a notification will be sent to Slack whenever new issues are opened.

Read our dedicated supply chain security page for more information about identifying, tracking and remediating security issues in your software supply chain.