Security scanning for packages in Bytesafe is now available for all accounts!
With this addition Bytesafe adds support for scanning packages for known vulnerabilities as well as policies that restrict addition of packages to registries if they are unscanned or insecure.
We are also releasing a Slack integration which allows you to be notified when new vulnerabilities are found in your account.
Keep in mind! Securing your code supply chain depends not only on using security policies. You also need to have a well thought out upstream configuration.
For insights on upstream configurations that may suit your needs, read the introduction to upstreams.
Future releases will expand our database of advisories and add other types of security scanning such as detection of accidental inclusion of credentials.
Scanning for known vulnerabilities
When enabled, the Vulnerability Scanner plugin scans all packages in a registry for known vulnerabilities from Bytesafe’s advisory database. Packages are scanned when the plugin is enabled, when a package is added to the registry and whenever a new advisory is added to the database.
All scanned packages will be marked with a SCANNED badge (we call these badges hints) in Bytesafe.
If a vulnerability is found, additional security issue badges will be added according to severity. The issue badges contain a link to the advisory with more detailed information.
In addition to the badges shown in Bytesafe, the information from the vulnerability scanner is also available from the npm audit command,
which is also called automatically everytime you run npm install:
$ npm install
added 746 packages from 393 contributors and audited 746 packages in 4.437s
found 18 vulnerabilities (16 low, 1 moderate, 1 high)
run `npm audit fix` to fix them, or `npm audit` for details
$
The plugin can be enabled for a registry from the Plugins settings page in Bytesafe.
Notifications
If you have enabled the new Slack integration (available from the Account Settings), a notification will be sent to Slack whenever a new vulnerability, or any other type of security problem, is found in a registry .
Policies
A policy in Bytesafe prevents users from performing certain actions based on a set of rules, such as preventing users from making changes to a read-only registry, or adding packages with known vulnerabilities.
Policies are managed from the Plugins settings page in Bytesafe.
Secure
The Secure policy prevents packages with known vulnerabilities to be added to any registry where the policy is enabled.
This policy can be added to a registry with the Vulnerability Scanner plugin enabled, packages will be scanned before this policy takes action.
Scanned
The Scanned policy only allows packages that have been scanned by the Vulnerability Scanner to be added to a registry.
This is useful to make sure that packages in a registry are scanned for security issues, regardless if they are pulled from an upstream or published by a user.
It’s a good practice to enable this for any registry containing releases to be used by other teams.
This policy can safely be added to a registry with the Vulnerability Scanner plugin enabled, packages will be scanned before this policy takes action.
Bytesafe also offers other policies that improve your code security and workflow!
Examples include: Freeze policy that locks a registry or Block Downstream policy that blocks push of package versions from downstream registries.
Security Scanning is available today!
To take advantage of the new features login to your account, select a registry and enable the plugins and policies in the Plugins page.
As always, if you have any questions contact the Bytesafe Support Team!
