Security Scanning
Cloudsmith Security Scanning will automatically scan supported package types for CVEs upon upload of a package. You can also trigger subsequent scans manually via the Web UI, and via the Cloudsmith API.
You can use the results of a Cloudsmith Security Scan to drive other actions, such as quarantining a package, or as part of a package promotion workflow.
Scan results are available via the Web UI, the Cloudsmith API or even as a Webhook.
Supported Formats
Cloudsmith's Security Scanning feature is available for the following package formats:
Data Sources
Language / Framework | Source |
---|---|
C, C++ | 1. GitLab Advisories Community |
Dart | 1. GitHub Advisory Database |
Go | 1. GitLab Security Advisories |
Hex | 1. GitHub Advisory Database |
Java | 1. GitHub Maven Security Advisories 2. GitLab Security Advisories |
.NET | 1. GitHub .NET Security Advisories |
Node.js | 1. GitHub NodeJS Security Advisories 2. NodeJS Ecosystem Security Working Group |
PHP | 1. GitHub PHP Security Advisories 2. Friends of PHP Security Advisories |
Python | 1. GitHub Python Security Advisories 2. Safety DB |
Ruby | 1. GitHub Ruby Security Advisories 2. Ruby Advisory Database |
Rust | 1. RustSec Advisory Database |
Swift | 1. GitHub Advisory Database |
Security Scan Results
The results of a security scan are available from the Cloudsmith Web UI, the Cloudsmith API and also via a Webhook.
Scan results via the Cloudsmith Web UI
You can find an overview of all the packages that have been scanned, or are awaiting an additional scan, on the "Security Scanning" page in any repository.
The Security Scanning page shows a breakdown of the number of packages scanned/not scanned, the age of scans (how long ago they were performed) and the pass/fail count overall.
For each listed package, you can also see the number of vulnerabilities found and the maximum severity of those found.
For more information and details, you can view the individual vulnerabilities found on the "Scans" tab on any package detail page.
Scan results via the Cloudsmith API
You can use the Cloudsmith Vulnerabilities API endpoints to return the scan results for an entire organization account, a specific repository, an individual package or just a single scan id.
Scan results via Webhook
Please see our Webhooks documentation for details of how to create a webhook and the full range of package events that are supported.
Performing additional security scans
After the initial scan that is performed when the package is uploaded, you can perform additional security scans using the Cloudsmith Web UI or API.
Additional security scans via the Cloudsmith Web UI
You can select one or more packages that you wish to security scan in the packages list in any repository.
You can also scan an individual package from the package details page.
Additional security scans via the Cloudsmith API
You can request an additional security scan for a package using the packages_scan API endpoint.
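The following added example (not Cloudsmith's own code) sketches how scan results could drive a promotion workflow: each package is promoted, quarantined, or queued for an additional scan based on its maximum severity, vulnerability count and scan age. The field names, the severity labels, the 7-day freshness limit and the sample records are assumptions constructed for illustration and are not the Cloudsmith API schema.

```python
from datetime import datetime, timedelta, timezone

# Assumed severity labels, ranked for comparison (not Cloudsmith's schema).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def decide(scan, now, max_age=timedelta(days=7), block_at="high"):
    """Return 'promote', 'quarantine' or 'rescan' for one scan summary."""
    if not scan or not scan.get("scanned_at"):
        return "rescan"  # never scanned: no evidence either way
    if scan.get("num_vulnerabilities", 0) > 0:
        rank = SEVERITY_RANK.get(str(scan.get("max_severity", "")).lower())
        # Fail closed: an unrecognised severity is treated as blocking.
        if rank is None or rank >= SEVERITY_RANK[block_at]:
            return "quarantine"
    # An old passing scan predates newer advisories, so request a new scan.
    if now - datetime.fromisoformat(scan["scanned_at"]) > max_age:
        return "rescan"
    return "promote"

def plan(scans, now, **policy):
    """Map each package name to its decision."""
    return {s["name"]: decide(s, now, **policy) for s in scans}

# Constructed sample data; hypothetical field names and package names.
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
SAMPLE_SCANS = [
    {"name": "api-client-1.4.0", "scanned_at": "2024-06-14T09:00:00+00:00",
     "num_vulnerabilities": 0, "max_severity": None},
    {"name": "web-ui-2.0.1", "scanned_at": "2024-06-14T09:05:00+00:00",
     "num_vulnerabilities": 3, "max_severity": "Critical"},
    {"name": "cli-0.9.3", "scanned_at": "2024-06-13T12:00:00+00:00",
     "num_vulnerabilities": 2, "max_severity": "Low"},
    {"name": "worker-3.2.0", "scanned_at": "2024-05-01T08:00:00+00:00",
     "num_vulnerabilities": 0, "max_severity": None},
    {"name": "legacy-lib-1.0.0", "scanned_at": None,
     "num_vulnerabilities": 0, "max_severity": None},
    {"name": "parser-0.3.0", "scanned_at": "2024-06-14T10:00:00+00:00",
     "num_vulnerabilities": 1, "max_severity": "unrated"},
]

if __name__ == "__main__":
    for name, action in plan(SAMPLE_SCANS, NOW).items():
        print(f"{name}: {action}")
```

Packages marked `rescan` are the ones to submit for an additional security scan before the promotion decision is made.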