Detect dependency vulnerabilities
You can check chains and vault packages for known vulnerabilities in their dependencies, either once when a chain runs or a package is uploaded, or continuously as new vulnerability data is published.
Dependency vulnerability data
When you run a chain or deliver a package to a vault, any known vulnerabilities in the dependencies of that chain or package are detected automatically and reported.
This one-time check can only reflect the vulnerability data available at that moment. For enhanced security, you can turn on continuous vulnerability detection for chains and packages. The dependencies are then checked again as the vulnerability data is refreshed, so any dependency vulnerabilities disclosed in the future are identified and reported as soon as they become known. By default, the ongoing vulnerability check is enabled for remote vaults.
To keep up to date with newly disclosed security issues, information about dependency vulnerabilities is regularly gathered from the following sources:
- National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST)
- Sonatype OSS Index
- npm Security Advisories
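The difference between the one-time check and continuous detection is easiest to see by re-evaluating the same bill of materials against two snapshots of an advisory feed. The following is an added example written for this page; it is not the product's own code, and it makes several assumptions: that a dependency detection step produces a CycloneDX JSON BOM (suggested by the step name, but not stated on this page), and that advisories can be expressed as a package coordinate plus a version range. The package names, advisory IDs (SAMPLE-…) and the feed format are constructed for the example and do not refer to real packages or real advisories.

```python
"""Re-evaluate a CycloneDX SBOM against two snapshots of an advisory feed.

Added example, not the product's code. It shows why checking a chain or
package only when it runs or is uploaded misses anything disclosed later,
and why a stored SBOM should be re-checked whenever the feed is refreshed.
All package names, versions and advisory IDs below are constructed.
"""
import json
import re

# Constructed CycloneDX 1.4 BOM, shaped like the output of an SBOM generator.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-parser", "version": "1.4.2",
     "purl": "pkg:npm/example-parser@1.4.2"},
    {"type": "library", "group": "com.example", "name": "example-core",
     "version": "2.3.0", "purl": "pkg:maven/com.example/example-core@2.3.0"},
    {"type": "library", "name": "example-http", "version": "0.9.1",
     "purl": "pkg:pypi/example-http@0.9.1"}
  ]
}"""

# Constructed feed snapshots. IDs are placeholders, not real CVEs.
# "affected" is a space-separated list of constraints that must all hold.
FEED_AT_UPLOAD = [
    {"id": "SAMPLE-0001", "package": "pkg:npm/example-parser", "affected": "<1.4.0"},
]
FEED_LATER = FEED_AT_UPLOAD + [
    {"id": "SAMPLE-0002", "package": "pkg:npm/example-parser", "affected": ">=1.4.0 <1.5.0"},
    {"id": "SAMPLE-0003", "package": "pkg:maven/com.example/example-core", "affected": "<2.3.1"},
]

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def _ver(version):
    """Numeric components of a version string, e.g. '2.3.1' -> (2, 3, 1).

    Good enough for dotted numeric versions; a real matcher would implement
    the ecosystem's ordering rules (semver pre-releases, Maven qualifiers).
    """
    return tuple(int(x) for x in re.findall(r"\d+", version))


def version_matches(version, spec):
    """True if `version` satisfies every constraint in `spec`."""
    parts = re.findall(r"(<=|>=|==|<|>)\s*([0-9][\w.\-]*)", spec)
    if not parts:
        raise ValueError(f"unparseable range: {spec!r}")
    return all(_OPS[op](_ver(version), _ver(bound)) for op, bound in parts)


def split_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (coordinate, version).

    The '@' in scoped npm names is percent-encoded in a purl, so the last
    '@' always separates the version. Qualifiers/subpath are dropped.
    """
    coord, sep, version = purl.rpartition("@")
    if not sep:
        return purl, None
    return coord, version.split("?")[0].split("#")[0]


def find_vulnerabilities(sbom_json, feed):
    """Return sorted (purl, advisory id) pairs for components hit by `feed`."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no coordinate to match on; a real tool would flag this
        coord, version = split_purl(purl)
        if version is None:
            continue
        for adv in feed:
            if adv["package"] == coord and version_matches(version, adv["affected"]):
                findings.append((purl, adv["id"]))
    return sorted(findings)


def newly_discovered(sbom_json, feed_before, feed_after):
    """Findings that appear only after the feed was refreshed."""
    before = set(find_vulnerabilities(sbom_json, feed_before))
    after = set(find_vulnerabilities(sbom_json, feed_after))
    return sorted(after - before)


if __name__ == "__main__":
    print("at upload time:", find_vulnerabilities(SBOM_JSON, FEED_AT_UPLOAD))
    print("after feed refresh:", newly_discovered(SBOM_JSON, FEED_AT_UPLOAD, FEED_LATER))
```

At upload time the BOM is clean, because the only known advisory covers older versions of `example-parser`. After the feed is refreshed, two of the three components are affected without anything in the package having changed. That gap is what the continuous check closes: the SBOM stays the same, but the matching is repeated against the current data.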
Run continuous vulnerability checks
You can enable continuous vulnerability checks for a selected vault or chain.
To run ongoing vulnerability checks in selected chains:
- Add one or more dependency detection steps to the chain, for example:
  - CycloneDx Dependency Detector
  - Maven Dependency Detection
  - Npm Dependency Detection
  For details about these steps, see Dependency. For details about adding plugin steps to a chain, see Create chains.
- Set the option for detecting dependency vulnerabilities in the chain. For details, see Enable ongoing vulnerability detection.
To run ongoing vulnerability checks in selected vault packages:
- Enable the Dependency Vulnerability Check option in vault settings. For details, see Edit vault settings.