Security Scanning features + Slack Integration

This release brings Security Scanning features to Bytesafe registries by adding a Vulnerability Scanner plugin and three security-related policies.

We are also releasing a Slack integration that notifies you when new vulnerabilities are found in your workspace.

You can now scan package versions in registries for known vulnerabilities by enabling the Vulnerability Scanner plugin.

When a package version has been scanned, a badge is displayed for the package. If known vulnerabilities are found, an additional badge is displayed with a link to the advisory information. Future releases will expand our database of advisories and add other types of security scanning, such as detection of accidentally included credentials.

[Screenshot: security-scan-badges]

The Vulnerability Scanner also enables two new related policies: the Scanned Policy and the Secure Policy.

The Scanned Policy allows only packages that have been scanned for security problems to be added to the registry.

The Secure Policy prevents packages flagged for security problems from being added to the registry.

The Block Downstream Policy has also been added. This policy prevents updates from downstream registries (i.e. it disallows push/publish to the registry) while still allowing packages to be pulled from upstreams. This is useful for registries that manage incoming packages (cache- or firewall-type registries).
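As an added illustration (not Bytesafe's own code or API), the following hypothetical evaluator shows how the three policies described above combine to decide whether a request is admitted: the Scanned Policy rejects anything without a scan result, the Secure Policy rejects anything with a recorded advisory, and the Block Downstream Policy rejects pushes while leaving upstream pulls alone. The package records, the advisory identifier, the request shape and the function names are all constructed for this example.

```javascript
// Hypothetical admission-policy evaluator modelling the Scanned, Secure and
// Block Downstream policies. Constructed for illustration; not Bytesafe code.

// Constructed package metadata, as a registry might record it after scanning.
// "EXAMPLE-ADVISORY-0001" is a placeholder advisory id, not a real one.
const SAMPLE_PACKAGES = {
  "left-pad@1.3.0":  { scanned: true,  vulnerabilities: [] },
  "old-lib@0.1.0":   { scanned: true,  vulnerabilities: ["EXAMPLE-ADVISORY-0001"] },
  "fresh-pkg@2.0.0": { scanned: false, vulnerabilities: [] },
};

// Badges shown for a package version: "scanned" once a scan exists, plus
// "vulnerable" when the scan recorded at least one advisory.
function badges(meta) {
  const out = [];
  if (meta && meta.scanned) out.push("scanned");
  if (meta && meta.vulnerabilities.length > 0) out.push("vulnerable");
  return out;
}

// Evaluate one request against the set of enabled policies.
//   request:  { kind: "push" | "pull-upstream", pkg: "name@version" }
//   policies: Set containing any of "scanned", "secure", "block-downstream"
// Returns { allowed, reasons }, where reasons lists every policy that denied.
function evaluate(request, policies, packages = SAMPLE_PACKAGES) {
  const meta = packages[request.pkg];
  const reasons = [];

  // Block Downstream: pushes/publishes from downstream are refused; upstream
  // pulls are unaffected, so a cache/firewall registry keeps working.
  if (policies.has("block-downstream") && request.kind === "push") {
    reasons.push("Block Downstream Policy: push/publish is not allowed");
  }

  // Scanned: an unknown or unscanned package version is never admitted.
  if (policies.has("scanned") && !(meta && meta.scanned)) {
    reasons.push("Scanned Policy: package version has not been scanned");
  }

  // Secure: a package version flagged with any advisory is refused.
  if (policies.has("secure") && meta && meta.vulnerabilities.length > 0) {
    reasons.push(`Secure Policy: flagged for ${meta.vulnerabilities.join(", ")}`);
  }

  return { allowed: reasons.length === 0, reasons };
}

// Stand-alone run: a cache-style registry with all three policies enabled.
const ALL_POLICIES = new Set(["scanned", "secure", "block-downstream"]);
for (const pkg of Object.keys(SAMPLE_PACKAGES)) {
  for (const kind of ["pull-upstream", "push"]) {
    const decision = evaluate({ kind, pkg }, ALL_POLICIES);
    console.log(kind, pkg, badges(SAMPLE_PACKAGES[pkg]), decision);
  }
}
```

Every denying policy is reported rather than only the first, which is the behaviour an operator wants when diagnosing why a package was refused: a push of a vulnerable package under all three policies lists both the Block Downstream and Secure reasons.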

[Screenshot: security-scan-plugins]

Enable the security scanning plugins in the Plugins tab (select a registry -> Plugins) in Bytesafe.

Release notes:

  • Added Vulnerability Scanner Plugin
  • Added Slack Integration
  • Added Advisory Database
  • Added Scanned Policy
  • Added Secure Policy
  • Added Block Downstream Policy

Read more in our Introducing Security Scanning blog post.

If you have any questions or experience any issues, we would appreciate your feedback!