Vulnerability scanner plugin
Bytesafe supports scanning packages for known vulnerabilities as well as policies that restrict addition of packages to registries if they are unscanned or insecure.
When enabled, the Vulnerability Scanner plugin scans all packages in a registry for known vulnerabilities from the Bytesafe advisory database.
Packages are scanned by the vulnerability scanner when:
- The plugin is enabled.
- A new package is added to the registry.
- A new advisory is added to the database.
All scanned packages are marked with a SCANNED badge (badges are also called hints) in the web console.
If a vulnerability is found, an additional RED badge is added with a link to the advisory containing more detailed information:
In addition to the badges shown in the console, the information from the vulnerability scanner is also available from the npm audit command, which is also called automatically every time you run
If you have enabled the Slack integration (available from the Account Settings), a notification will be sent to Slack whenever a new vulnerability, or any other type of security problem, is found in a registry.
The vulnerability scanner is a major security component of Bytesafe and as such has multiple relations to other policies and integrations:
- Bytesafe also offers a Slack integration related to this plugin which allows you to be notified when new vulnerabilities are found in your account.
- Secure policy
- Scanned policy
- Security scanning - scan packages for known vulnerabilities and get notified of potential security issues
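The behaviour described above (scan on plugin enable, on new package and on new advisory; a scanned policy and a secure policy that gate additions to the registry) can be modelled as a small event-driven registry. This is an added illustration, not Bytesafe's own code: the class names, the policy names as strings, the exact-version advisory format and the sample advisory URL are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Advisory:
    package: str
    affected_versions: frozenset  # assumption: exact versions, not semver ranges
    url: str                      # link shown on the RED badge

@dataclass
class Package:
    name: str
    version: str
    scanned: bool = False
    advisories: list = field(default_factory=list)

class Registry:
    def __init__(self, scanner_enabled=False, policies=()):
        self.scanner_enabled = scanner_enabled
        self.policies = set(policies)   # subset of {"scanned", "secure"} (assumed names)
        self.packages = {}
        self.advisory_db = []

    def _scan(self, pkg):
        # Match the package against every advisory currently in the database.
        pkg.advisories = [a for a in self.advisory_db
                          if a.package == pkg.name and pkg.version in a.affected_versions]
        pkg.scanned = True

    def enable_scanner(self):
        # Trigger 1: enabling the plugin scans everything already in the registry.
        self.scanner_enabled = True
        for pkg in self.packages.values():
            self._scan(pkg)

    def add_advisory(self, adv):
        # Trigger 3: a new advisory re-evaluates already stored packages.
        self.advisory_db.append(adv)
        if self.scanner_enabled:
            for pkg in self.packages.values():
                self._scan(pkg)

    def badges(self, name, version):
        pkg = self.packages[(name, version)]
        out = ["SCANNED"] if pkg.scanned else []
        return out + [f"VULNERABLE:{a.url}" for a in pkg.advisories]

    def add_package(self, name, version):
        # Trigger 2: a new package is scanned first, then the policies are applied.
        pkg = Package(name, version)
        if self.scanner_enabled:
            self._scan(pkg)
        if "scanned" in self.policies and not pkg.scanned:
            return False, "blocked by scanned policy: package has not been scanned"
        if "secure" in self.policies and pkg.advisories:
            return False, "blocked by secure policy: " + ", ".join(a.url for a in pkg.advisories)
        self.packages[(name, version)] = pkg
        return True, "added"
```

With both policies enabled and the scanner disabled, every addition is refused, which is the failure mode to expect when the plugin is switched off on a policy-protected registry.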