Scanned policy

Only allow packages scanned by the Vulnerability Scanner in a registry

The Scanned policy only allows packages that have been scanned by the vulnerability scanner plugin to be added to a registry.

This is useful for making sure that every package in a registry has been scanned for security issues, regardless of whether it was pulled from an upstream or published by a user.

It’s a good practice to enable this for any registry containing releases to be used by other teams.

This policy can safely be added to a registry that has the vulnerability scanner plugin enabled: packages are scanned before the policy evaluates them, so a package is not rejected merely because its scan has not yet run.

Use cases

  • Secure registries - Make sure that packages in a registry are scanned for security issues, regardless of whether they are pulled from an upstream or published by a user.