Introducing Security Scanning

Cover image

Security scanning for packages in Bytesafe is now available for all accounts!

With this addition Bytesafe adds support for scanning packages for known vulnerabilities as well as policies that restrict addition of packages to registries if they are unscanned or insecure.

We are also releasing a Slack integration which allows you to be notified when new vulnerabilities are found in your account.

Keep in mind! Securing your code supply chain depends not only on using security policies. You also need to have a well thought out upstream configuration.

For insights on upstream configurations that may suit your needs, read the introduction to upstreams.

Future releases will expand our database of advisories and add other types of security scanning such as detection of accidental inclusion of credentials.

Scanning for known vulnerabilities

When enabled, the Vulnerability Scanner plugin scans all packages in a registry for known vulnerabilities from Bytesafe’s advisory database. Packages are scanned when the plugin is enabled, when a package is added to the registry and whenever a new advisory is added to the database.

All scanned packages will be marked with a SCANNED badge (we call these badges hints) in the web console.

If a vulnerability is found, an additional red badge will be added with a link to the advisory with more detailed information:

Example SCANNED and CWE badge

In addition to the badges shown in the console, the information from the vulnerability scanner is also available from the npm audit command, which is also called automatically everytime you run npm install:

$ npm install

added 746 packages from 393 contributors and audited 746 packages in 4.437s

found 18 vulnerabilities (16 low, 1 moderate, 1 high)

run `npm audit fix` to fix them, or `npm audit` for details

$

The plugin can be enabled for a registry from the Plugins registry settings page in the web console.

Notifications

If you have enabled the new Slack integration (available from the Account Settings), a notification will be sent to Slack whenever a new vulnerability, or any other type of security problem, is found in a registry .

Policies

A policy in Bytesafe prevents users from performing certain actions based on a set of rules, such as preventing users from making changes to a read-only registry, or adding packages with known vulnerabilities.

Policies are managed from the Plugins registry settings page in the web console.

Secure

The Secure policy prevents packages with known vulnerabilities to be added to any registry where the policy is enabled.

This policy can be added to a registry with the Vulnerability Scanner plugin enabled, packages will be scanned before this policy takes action.

Scanned

The Scanned policy only allows packages that have been scanned by the Vulnerability Scanner to be added to a registry.

This is useful to make sure that packages in a registry are scanned for security issues, regardless if they are pulled from an upstream or published by a user.

It’s a good practice to enable this for any registry containing releases to be used by other teams.

This policy can safely be added to a registry with the Vulnerability Scanner plugin enabled, packages will be scanned before this policy takes action.

Bytesafe also offers other policies that improve your code security and workflow!

Examples include: Freeze policy that locks a registry or Block Downstream policy that blocks push of package versions from downstream registries.

Security Scanning is available today!

To take advantage of the new features login to your account, select a registry and enable the plugins and policies in the Plugins page.

As always, if you have any questions contact the Bytesafe Support Team!