Vulnerability scanner plugin

Scan packages for known vulnerabilities

Bytesafe supports scanning packages for known vulnerabilities as well as policies that restrict addition of packages to registries if they are unscanned or insecure.

When enabled, the Vulnerability Scanner plugin scans all packages in a registry for known vulnerabilities from the Bytesafe advisory database.

Packages are scanned by the vulnerability scanner when:

  • Plugin is enabled.
  • A new package is added to the registry.
  • A new advisory is added to the database.

All scanned packages will be marked with a SCANNED badge (called badge hints) in the web console.

If a vulnerability is found, an additional RED badge will be added with a link to the advisory with more detailed information:

(Screenshot: vuln-badges)

In addition to the badges shown in the console, the information from the vulnerability scanner is also available from the npm audit command, which is also called automatically every time you run npm install.
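As an added example (not Bytesafe's own code or output), a small CI gate that reads the JSON report from npm audit --json, which is what npm install against the registry surfaces, and blocks the build when any advisory is at or above a chosen severity. It assumes the npm 7+ report layout (a top-level "vulnerabilities" object whose entries carry a "via" list); the sample report, package names, titles and URLs are constructed.

```python
"""CI gate over `npm audit --json` output (assumes the npm 7+ report format).

Run as:  npm audit --json | python audit_gate.py
With no piped input it evaluates the constructed SAMPLE_REPORT below.
"""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def failing_findings(report_json: str, threshold: str = "high") -> list:
    """Return advisories at or above `threshold`, one entry per (package, advisory).

    String items in `via` are references to another vulnerable package rather
    than advisories, so they are skipped; the advisory itself is counted once,
    on the package it was reported for.
    """
    floor = SEVERITY_RANK[threshold]
    findings = []
    for name, vuln in json.loads(report_json).get("vulnerabilities", {}).items():
        for via in vuln.get("via", []):
            if not isinstance(via, dict):
                continue
            if SEVERITY_RANK.get(via.get("severity", "info"), 0) >= floor:
                findings.append({"package": name, "severity": via["severity"],
                                 "range": via.get("range"), "title": via.get("title"),
                                 "url": via.get("url")})
    return findings


def gate(report_json: str, threshold: str = "high") -> bool:
    """True when the install may proceed, False when it should be blocked."""
    return not failing_findings(report_json, threshold)


# Constructed sample report (not real scanner output): one moderate, one high finding.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-left": {"name": "example-left", "severity": "moderate", "isDirect": True,
                         "via": [{"title": "Prototype pollution (sample)", "severity": "moderate",
                                  "range": "<1.2.3", "url": "https://example.invalid/advisory/1"}]},
        "example-right": {"name": "example-right", "severity": "high", "isDirect": False,
                          "via": [{"title": "Path traversal (sample)", "severity": "high",
                                   "range": "<0.9.0", "url": "https://example.invalid/advisory/2"},
                                  "example-left"]},
    },
    "metadata": {"vulnerabilities": {"moderate": 1, "high": 1, "total": 2}},
})

if __name__ == "__main__":
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    blocked = failing_findings(data)
    for f in blocked:
        print(f"{f['severity'].upper():9} {f['package']} {f['range']}: {f['title']} ({f['url']})")
    sys.exit(1 if blocked else 0)
```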

Notifications

If you have enabled the Slack integration (available from the Account Settings), a notification will be sent to Slack whenever a new vulnerability, or any other type of security problem, is found in a registry.

Relations

The vulnerability scanner is a major security component of Bytesafe and as such has multiple relations to other policies and integrations:

Use cases

  • Security scanning - scan packages for known vulnerabilities and get notified of potential security issues