Remote Mode

Rules are defined and stored on the Seal Server via the Seal UI.

  • Pros: No code changes or PRs required. Security organizations (Sealer or Admin permissions) can apply rules to multiple repositories instantly. Ideal for scaling remediation without engineering bottlenecks.

  • Cons: Changes are not tracked in the project's source control. The Seal Platform becomes the source of truth.

seal fix --mode=remote

Handling Vulnerability Scanners

Using sealed packages can sometimes confuse vulnerability scanners: they typically key on the package name and version number, so they may assume the sealed package is still vulnerable.

Choose the strategy that fits your auditing requirements:

Strategy 1: Scanner API Integration

Seal supports direct API integrations with a variety of major scanners (Snyk, BlackDuck, GitHub Advanced Security, Ox Security, etc.).

  • How it works: The Seal CLI communicates with your scanner's API to synchronize findings, marking specific vulnerabilities as "remediated" within the scanner's dashboard.

  • Best for: Internal scans and operational dashboards.

Strategy 2: Package Renaming

The CLI renames the package artifact during installation (e.g., pcre becomes seal-pcre).

  • How it works: Since the remediated version is effectively a fork, renaming it makes the change explicit. Scanners simply won't find the vulnerable package name in the manifest or binary.

  • Best for: External audits, customer-run scans, and scanners not supported by API integration.

seal fix --mode=xxxx --
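A quick post-remediation check for the renaming strategy, added here as an example (not part of the Seal documentation or the seal CLI): after renaming, a manifest should reference seal-<name> rather than the original name, so a scanner matching on the original name has nothing to flag. The manifest text, the list of sealed packages and the check_manifest/count_unsealed helpers below are all constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample manifest (pip requirements style). One sealed package
# (seal-pcre) is present, but "pcre" and "urllib3" still appear under their
# original names, which is exactly what a scanner keyed on name+version sees.
SAMPLE_MANIFEST='requests==2.25.1
seal-pcre==8.45
pcre==8.45
urllib3==1.26.5'

# Hypothetical list of packages that were expected to be sealed (renamed).
SEALED='pcre urllib3'

# check_manifest MANIFEST_TEXT SEALED_NAMES
# Prints one line per sealed package that is still referenced under its
# original name; returns 1 if any was found, 0 if the manifest is clean.
# A line such as "seal-pcre==8.45" does not match because the pattern is
# anchored at the start of the line. Names are used as-is in the regex, so
# names containing regex metacharacters (e.g. a dot) would need escaping.
check_manifest() {
  manifest="$1"
  sealed="$2"
  rc=0
  for name in $sealed; do
    if printf '%s\n' "$manifest" | grep -Eq "^${name}([[:space:]]|[=<>~!]|$)"; then
      echo "UNSEALED: $name is still referenced by its original name"
      rc=1
    fi
  done
  return $rc
}

# count_unsealed MANIFEST_TEXT SEALED_NAMES
# Convenience wrapper: number of sealed packages still found under their
# original name (always exits 0, so it is safe under "set -e").
count_unsealed() {
  check_manifest "$1" "$2" | wc -l | tr -d ' '
}
```

Run it against a real manifest with something like `check_manifest "$(cat requirements.txt)" "pcre urllib3"`; a non-zero exit means at least one package the team believes is sealed is still pulled in under its original name and will keep showing up in external scans.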

Strategy 3: Manual Ignore

Manually marking alerts as "False Positive" or "Ignored" in your scanner's UI.

  • Best for: Small teams or one-off exceptions.
