Vulnerability scanning

Cloudsmith Security Scanning will automatically scan supported package types for CVEs upon upload of a package. You can also trigger subsequent scans manually via the Web UI, and via the Cloudsmith API.

You can use the results of a Cloudsmith Security Scan to drive other actions such as to quarantine a package, or as part of a package promotion workflow.

Scan results are available via the Web UI, the Cloudsmith API or even as a Webhook.

Supported Formats

Cloudsmith's Security Scanning feature is available for the following package formats:

Data Sources

Language / Framework: Source(s)

C, C++: 1. GitLab Advisories Community
Dart: 1. GitHub Advisory Database
Go: 1. GitLab Security Advisories; 2. Go Vulnerability Database
Hex: 1. GitHub Advisory Database
Java: 1. GitHub Maven Security Advisories; 2. GitLab Security Advisories
.NET: 1. GitHub .NET Security Advisories
Node.js: 1. GitHub NodeJS Security Advisories; 2. NodeJS Ecosystem Security Working Group
PHP: 1. GitHub PHP Security Advisories; 2. Friends of PHP Security Advisories
Python: 1. GitHub Python Security Advisories; 2. Safety DB
Ruby: 1. GitHub Ruby Security Advisories; 2. Ruby Advisory Database
Rust: 1. RustSec Advisory Database
Swift: 1. GitHub Advisory Database

NVD

Name: Source

National Vulnerability Database: 1. NVD

If an advisory from one of the sources above does not include severity information, the severity reported by Cloudsmith falls back to the CVSS score that NVD records for that vulnerability.

Security Scan Results

The results of a security scan are available from the Cloudsmith Web UI, the Cloudsmith API and also via a Webhook.

Scan results via the Cloudsmith Web UI

You can find an overview of all the packages that have been scanned, or are awaiting an additional scan, via the "Compliance / Security" page in any repository.

The Security Scanning page shows a list of packages scanned, with information about:

  • Maximum severity of vulnerabilities.
  • Affected package.
  • Number of vulnerabilities found.
  • Time since last scan.

For more information and details, you can view the individual vulnerabilities found on the "Security" tab of any package detail page (alternatively, from the overview page, click the "Vulnerabilities Found" card).

Scan results via the Cloudsmith API

You can use the Cloudsmith Vulnerabilities API endpoints to return scan results for an entire organization account, a specific repository, an individual package, or a single scan ID.
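The sections above describe what a scan result contains (maximum severity, affected package, number of vulnerabilities) and say that results can drive quarantine or promotion decisions, with NVD CVSS scoring used when an advisory carries no severity of its own. The following is an added example, not Cloudsmith's own code, of a small gate that applies those rules to a scan result fetched from the Vulnerabilities API. The API base URL, the `X-Api-Key` header, the exact endpoint path, and the JSON layout of a scan result are assumptions made for this example; the scan payload is constructed inline so the code runs offline.

```python
"""Gate package promotion on Cloudsmith security scan results.

Added example, not Cloudsmith's own code. Assumptions (not taken from the page):
  * API base https://api.cloudsmith.io/v1 and the X-Api-Key header
  * endpoint path /vulnerabilities/{owner}/{repo}/[{package_identifier}/]
  * the JSON shape of a scan result (SAMPLE_SCAN below is constructed)
"""
import urllib.request

API_BASE = "https://api.cloudsmith.io/v1"  # assumption

# Ranking used to compute "maximum severity". Labels are the CVSS v3.x
# qualitative ratings that NVD publishes. "Unknown" ranks above "None" so a
# conservative policy can refuse to promote anything it cannot rate.
SEVERITY_RANK = {"None": 0, "Unknown": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def cvss_to_severity(score):
    """Map a CVSS v3.x base score to NVD's qualitative rating bands."""
    if score is None:
        return "Unknown"
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def effective_severity(vuln):
    """Use the advisory's own severity when present; otherwise fall back to
    the NVD CVSS score, as the Data Sources section describes."""
    severity = vuln.get("severity")
    if severity:
        return severity.capitalize()
    return cvss_to_severity(vuln.get("nvd_cvss_score"))


def summarize(scan):
    """Reduce one scan result to the fields the Security page lists."""
    vulns = scan.get("vulnerabilities", [])
    severities = [effective_severity(v) for v in vulns]
    max_sev = max(severities, key=lambda s: SEVERITY_RANK.get(s, 1), default="None")
    return {"package": scan["package"], "count": len(vulns), "max_severity": max_sev}


def decide(summary, block_at="High", block_unknown=True):
    """Return 'promote' or 'quarantine' for a summarized scan."""
    rank = SEVERITY_RANK.get(summary["max_severity"], SEVERITY_RANK["Unknown"])
    if block_unknown and summary["max_severity"] == "Unknown":
        return "quarantine"
    if rank >= SEVERITY_RANK[block_at]:
        return "quarantine"
    return "promote"


def vulnerabilities_request(owner, repo, api_key, package_identifier=None):
    """Build (but do not send) the GET request for scan results.
    Pass package_identifier to narrow the query to one package."""
    url = f"{API_BASE}/vulnerabilities/{owner}/{repo}/"  # assumed path
    if package_identifier:
        url += f"{package_identifier}/"
    return urllib.request.Request(
        url, headers={"X-Api-Key": api_key, "Accept": "application/json"}
    )


# Constructed sample payload; identifiers are placeholders, not real advisories.
SAMPLE_SCAN = {
    "package": "example-lib-1.2.3",
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "severity": "medium"},
        {"id": "EXAMPLE-0002", "severity": None, "nvd_cvss_score": 9.8},
        {"id": "EXAMPLE-0003", "severity": "low"},
    ],
}


def run_gate(scan=SAMPLE_SCAN, block_at="High"):
    """Summarize a scan and decide; this is what a promotion job would call
    after fetching the JSON from vulnerabilities_request()."""
    summary = summarize(scan)
    summary["decision"] = decide(summary, block_at=block_at)
    return summary


if __name__ == "__main__":
    req = vulnerabilities_request("acme", "prod", "<api-key>", "example-lib-1.2.3")
    print("would GET", req.full_url)
    print(run_gate())
```

A real promotion job would send the request with `urllib.request.urlopen(req)` and feed the decoded JSON to `run_gate()`; the threshold and the treatment of unrated findings are the two knobs that most teams want to set per repository.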

Scan results via Webhook

Please see our Webhooks documentation for details of how to create a webhook and the full range of package events that are supported.

Performing additional security scans

After the automatic scan that runs when a package is uploaded, you can request additional security scans using the Cloudsmith Web UI or the Cloudsmith API.

Additional security scans via the Cloudsmith Web UI

You can request an additional scan for an individual package from the package details page.

Additional security scans via the Cloudsmith API

You can request an additional security scan for a package using the packages_scan API endpoint.

Early Access: Recurring security scans

You can now also set up security scans to occur on a recurring basis. This feature is currently in Early Access. To set up recurring security scans for your workspace, contact us to be added to Early Access.