Vulnerability scanner plugin

Scan packages for known vulnerabilities

The Vulnerability Scanner plugin scans all packages in a registry for known vulnerabilities from the Bytesafe advisory database.

Packages are scanned by the vulnerability scanner when:

  • The plugin is enabled (all existing package versions are scanned)
  • A new package is added to the registry
  • A new advisory is added to the database

All scanned packages will be marked as SCANNED in the package card.

When a vulnerability is found, an additional Issues badge is added with an associated severity.


In addition to the badges shown in Bytesafe, the information from the vulnerability scanner is also available from the npm audit command, which is also run automatically every time a user runs npm install.
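As an added example (not Bytesafe's own code), the script below consumes the advisories the scanner exposes through npm audit and gates a build on severity. It assumes the project's npm registry is already pointed at the Bytesafe registry and that npm 7 or later emits the JSON report shape with a top-level "vulnerabilities" object keyed by package name; the embedded sample report and its package names are constructed.

```python
# Added example, not Bytesafe's own code. Assumes npm is configured to use the
# Bytesafe registry and that `npm audit --json` (npm 7+) returns a report with a
# top-level "vulnerabilities" object keyed by package name.
import json
import subprocess
from typing import Dict, List, Tuple

# Rank used to compare a finding's severity against the gate threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report (fictitious packages and advisory URL) so the
# summary and gate can be exercised offline.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "example-left-pad": {
            "severity": "high", "range": "<1.3.0", "fixAvailable": True,
            "via": [{"title": "Constructed advisory", "url": "https://example.invalid/advisories/1"}],
        },
        "example-utils": {"severity": "low", "range": "<2.0.1", "fixAvailable": False,
                          "via": ["example-left-pad"]},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 1, "critical": 0, "total": 2}},
})

def run_npm_audit(cwd: str = ".") -> str:
    """Run `npm audit --json` in a project directory; npm exits non-zero on findings, so only stdout is used."""
    proc = subprocess.run(["npm", "audit", "--json"], cwd=cwd, capture_output=True, text=True)
    return proc.stdout

def summarize(report_json: str) -> Dict[str, int]:
    """Count vulnerable packages per severity (the High/Moderate/Low split shown on the dashboard)."""
    counts: Dict[str, int] = {}
    for vuln in json.loads(report_json).get("vulnerabilities", {}).values():
        sev = vuln.get("severity", "info")
        counts[sev] = counts.get(sev, 0) + 1
    return counts

def gate(report_json: str, fail_at: str = "high") -> Tuple[bool, List[str]]:
    """Return (ok, offenders); ok is False when any package is at or above the fail_at severity."""
    threshold = SEVERITY_RANK[fail_at]
    offenders = sorted(
        name for name, vuln in json.loads(report_json).get("vulnerabilities", {}).items()
        if SEVERITY_RANK.get(vuln.get("severity", "info"), 0) >= threshold
    )
    return (not offenders, offenders)

if __name__ == "__main__":
    ok, offenders = gate(SAMPLE_REPORT)  # replace SAMPLE_REPORT with run_npm_audit() in a real project
    print(summarize(SAMPLE_REPORT), "ok" if ok else "blocked", offenders)
```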

Each security issue links to the specific advisory, where more detailed information is available.


Security issues overview

An overview of identified security issues is displayed on the registry and workspace dashboards.

To filter and track packages that contain security issues, click the Security issues card.


To further filter issues according to severity, click the number associated with each severity (High, Moderate, Low).

Notifications

If you have enabled the Slack integration (available from the Account Settings), a notification will be sent to Slack whenever a new vulnerability, or any other type of security problem, is found in a registry.

Relations

The vulnerability scanner is a major security component of Bytesafe and, as such, relates to several other policies and integrations:

  • Dashboards - get an overview of and identify security issues
  • Slack integration - receive notifications when new vulnerabilities are found in your workspace
  • Secure policy - activate to prevent package versions with known vulnerabilities from being added to a registry
  • Scanned policy - prevent unscanned package versions in registries

Use cases

Security scanning

Scan packages for known vulnerabilities and get notified of potential security issues. Identify, track and remediate security issues in your software supply chain.

Read our dedicated supply chain security page for more information.