Vulnerability scanner plugin
Bytesafe supports scanning packages for known vulnerabilities. In addition, Bytesafe offers policies that block packages from being added to a registry if they are unscanned or insecure.
When enabled, the Vulnerability Scanner plugin scans all packages in a registry for known vulnerabilities from the Bytesafe advisory database.
Packages are scanned by the vulnerability scanner when:
- The plugin is enabled.
- A new package is added to the registry.
- A new advisory is added to the database.
All scanned packages will be marked with a SCANNED badge.
If a vulnerability is found, an additional RED badge is added with a link to the advisory, which contains more detailed information.
In addition to the badges shown in Bytesafe, the information from the vulnerability scanner is also available from the npm audit command, which npm also runs automatically every time you run npm install.
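The npm audit data mentioned above is most useful when a build actually acts on it. The following is an added example, not Bytesafe's own code: a small Node script that reads the JSON report printed by npm audit --json and fails when any finding is at or above a chosen severity. It assumes npm's auditReportVersion 2 report shape (npm 7 and later); the package names, advisory title and URL in the embedded sample are constructed, and the threshold policy is a hypothetical one, not one of Bytesafe's policies.

```javascript
// Added example (not Bytesafe's code): gate on the output of `npm audit --json`.
// Assumes npm's auditReportVersion 2 format (npm 7+).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report: package names, advisory title and URL are made up.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-pad": {
      name: "example-pad",
      severity: "high",
      isDirect: true,
      via: [{
        title: "Constructed advisory: prototype pollution",
        url: "https://advisories.example.invalid/1",
        severity: "high",
        range: "<1.2.3",
      }],
      range: "<1.2.3",
      fixAvailable: { name: "example-pad", version: "1.2.3", isSemVerMajor: false },
    },
    "example-util": {
      name: "example-util",
      severity: "moderate",
      isDirect: false,
      via: ["example-pad"], // a string entry means the issue arrives through that dependency
      range: "*",
      fixAvailable: true,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 },
  },
};

// Count findings per severity from the vulnerabilities map itself rather than
// trusting metadata, so a truncated or hand-edited report cannot hide entries.
function countBySeverity(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const v of Object.values(report.vulnerabilities || {})) {
    if (v.severity in counts) counts[v.severity] += 1;
  }
  return counts;
}

// Flatten one entry into what a reviewer needs: the advisories that hit it
// directly, the dependencies it is vulnerable through, and whether a fix exists.
function describeFinding(v) {
  const via = v.via || [];
  const advisories = via
    .filter((x) => typeof x === "object" && x !== null)
    .map((x) => ({ title: x.title, url: x.url }));
  const through = via.filter((x) => typeof x === "string");
  return {
    name: v.name,
    severity: v.severity,
    isDirect: Boolean(v.isDirect),
    advisories,
    through,
    fixAvailable: v.fixAvailable !== false && v.fixAvailable !== undefined,
  };
}

// Policy: no finding at or above `threshold` may be present.
// Returns the verdict plus everything needed to explain it in a CI log.
function auditGate(report, threshold) {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown severity: ${threshold}`);
  const floor = SEVERITY_RANK[threshold];
  let worst = null;
  const blocking = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[v.severity];
    if (rank === undefined) continue; // unknown severity string: skip, do not crash
    if (worst === null || rank > SEVERITY_RANK[worst]) worst = v.severity;
    if (rank >= floor) blocking.push(describeFinding(v));
  }
  return { ok: blocking.length === 0, worst, blocking, counts: countBySeverity(report) };
}

// Stand-alone run: evaluate the constructed sample at the "high" threshold.
// For a real project, run `npm audit --json > audit.json`, parse that file into
// `report` in place of SAMPLE_REPORT, and set `process.exitCode = ok ? 0 : 1`.
console.log(JSON.stringify(auditGate(SAMPLE_REPORT, "high"), null, 2));
```

Counting from the vulnerabilities map rather than the metadata block is deliberate: the metadata totals are a convenience summary, and a gate should be driven by the entries it can actually list back to the developer. Transitive findings keep their `through` chain so the person fixing the build knows which direct dependency to upgrade.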
Notifications
If you have enabled the Slack integration (available from the Account Settings), a notification will be sent to Slack whenever a new vulnerability, or any other type of security problem, is found in a registry.
Relations
The vulnerability scanner is a major security component of Bytesafe and as such has multiple relations to other policies and integrations:
- Bytesafe also offers a Slack integration related to this plugin, which notifies you when new vulnerabilities are found in your workspace.
- Secure policy
- Scanned policy
Use cases
- Security scanning - scan packages for known vulnerabilities and get notified of potential security issues