Documentation
Open Cloudsmith

Supply chain security

Continuous Security

Continuous Security is a feature that provides an hourly feed of vulnerability data from multiple sources (see refresh intervals for each source). When new vulnerabilities are published, we check them against existing artifacts in your Cloudsmith repositories. This enables faster identification of affected artifacts compared to scheduled or on-demand vulnerability scanning.

Note

📘 Continuous Security is in Early Access (EA) through Cloudsmith’s Enterprise Policy Management.

Vulnerability Scanning vs. Continuous Security

Vulnerability Scanning

Cloudsmith scans artifacts as they are introduced into a repository for the first time. This scan analyzes the components of a package and then checks for vulnerabilities associated with them, which are listed in a vulnerability report. Note that when new vulnerabilities are disclosed, any existing report for impacted artifacts won’t flag them; a re-scan will be required to get the most up-to-date information.

Continuous Security

Note

📘 Continuous Security is only available for Cloudsmith workspace where EPM has been enabled.

When artifacts are first scanned, Cloudsmith stores the list of identified components. Continuous Security uses that stored list to check for vulnerabilities using an advisory database that is refreshed hourly. When a new threat is discovered that affects an artifact in your workspace, Continuous Security will flag it via EPM without the need for a full manual or scheduled re-scan.

For more information about using EPM to address vulnerabilities identified by Continuous Security, see Getting Started with Enterprise Policy Management and Rego Recipes.

Details of the specific vulnerability data available via Continuous Security are available in our API documentation under the vulnerabilities object in the PolicyInputV0 schema.

Data Sources

Continuous Security uses the following data sources:

SourceRefresh Interval
Common Vulnerabilities and Exposures (CVE) databases aggregated in Aqua Trivy DB6 hours
Exploit Prediction Scoring System (EPSS)24 hours

Supported Formats

Continuous Security is available for all package formats supported by Cloudsmith’s Vulnerability Scanning feature.