Choosing Your Deployment

The Seal platform supports many different deployments. This page helps you choose the deployment method best suited to your organization's workflows and needs.

For the best experience, it is recommended that you integrate Seal's CLI into your CI.

With the CLI integration, there are several sealing methodologies available:

  1. Automatic remediation - With this configuration, Seal's CLI will automatically replace any vulnerable package with its sealed version. This will happen automatically whenever the CI runs, and will require no further actions from the developers or the security team. It provides the highest level of automation, guaranteeing you're always up-to-date with the latest patches.

  2. CLI with automatic pull requests - With this configuration, Seal's CLI will automatically replace vulnerable packages according to the settings in the project's configuration file. When a vulnerable dependency is identified, Seal's GitHub app will automatically create a pull request updating this configuration file, which the developers may merge at their discretion. It provides a high level of automation, but unlike automatic remediation, each patch is recorded in source control, and the developers stay in control of which packages are used.

  3. CLI with manual pull requests - With this configuration, Seal's CLI will automatically replace vulnerable packages according to the settings set in the project's configuration file. Whenever a user decides to remediate a particular vulnerable dependency, they may manually edit (or use the Seal CLI to edit) the project's configuration file. This gives developers the most control, and does not require the GitHub app to be installed.

Without the CLI integration, there's only one way to use the sealed packages:

  • Manually editing your dependencies - For this configuration to work, you will have to configure Seal as your artifact server. Whenever a user decides to remediate a particular vulnerable dependency, they will have to manually edit the project's dependencies to use the sealed packages. Note that manually editing transitive dependencies can be tricky in some package managers.

Summary table:

| Sealing methodology | What is sealed? | Required integrations | Change tracking | Developer actions to fix something |
|---|---|---|---|---|
| Automatic remediation | Everything | CI | No | Not involved |
| CLI with automatic pull requests | Selectively | CI, GitHub app | Yes | Approves pull request |
| CLI with manual pull requests | Selectively | CI | Yes | Manually edits file (or uses CLI) |
| Manually edit dependencies | Selectively | Artifact server | Yes | Manually edits file |
