Step-by-Step Setup Guide

This guide walks you through the initial account setup, token generation, and connecting your first project to Seal Security.

Account Creation & Token Generation

Follow these steps to access the platform and prepare your environment.

Access the Invite: Click on the Sign in > button in the Seal Security invite email you received.
Log In: Log in to the platform using your password or social login credentials.
Start Onboarding: We're starting the onboarding flow. Click Next > to begin.
Generate Artifact Server Token: First, you must generate a token to Seal's artifact server. This allows you to download our sealed versions.
- a. Generate: Click on Generate token.
- b. Copy: Copy the newly generated token using the copy icon at the right of the text box.
  Important: You will need this token later. While it should eventually be saved in a secure location (like a password manager or secret store), copy it now for immediate use in the next steps.
- c. Download CLI: Download the appropriate CLI binary for your machine:
  - Mac (Apple Silicon)
  - Mac (Intel)
  - Linux
- d. Continue: Click Next >.
Click Maybe later to skip the GitHub integration.
View Protection Page: You will land on the Protection screen.
- Status: Since no projects are connected yet, we are not showing any results.
- Next Step: We are now going to populate this data using the CLI.

Connect Your Codebase

Click Next > and then click on GitHub.
Grant Access & Install Bot: You need to give the Seal Security Bot access to the relevant repositories:
1. Connect to your GitHub account.
2. Install the Seal Security Bot. In this screen, you will be asked to select the relevant GitHub organization, and then decide whether to give the Seal app access to all its repositories or to select specific ones.
3. After you've selected which repositories you're giving access to, you'll return to the onboarding flow.
Choose your import method: Automatic (Bulk) or Manual (One-by-one).
Path A1: Manual Import
1. Paste the path to your repository. You can add up to 3 repositories at once.
2. Give each repository a name.
3. Click Import.
Path A2: Automatic (Bulk) Import
1. Review the list of dependency files detected in your repository.
2. Select the specific dependency files you wish to scan.
3. Click Import.
View Protection Page: After importing, you will land on the Projects page.

Note: Each dependency file generates its own "Project" on the Seal platform. It may take some time for Seal to scan the dependency files.

Integrate the Seal CLI

To start fixing vulnerabilities (and populate the Protection page), you must integrate the CLI into your build pipeline.

The Golden Rule: In all cases, the CLI step must be added immediately after dependencies are pulled/installed (from standard registries or your artifact server) but before the final build/compilation.

Important Configuration: For all integration methods, you must ensure the following environment variables are set:

SEAL_TOKEN: The token you generated earlier.
SEAL_PROJECT: The ID of your project on the Seal platform (e.g., "poc").

Add the seal fix command (using the CLI you downloaded in Part 1) as a shell execution step.

npm

npm install
# <--- Run Seal CLI Here
export SEAL_TOKEN=<your-token>
export SEAL_PROJECT="poc"
export SEAL_USED_SEAL_NAMES=1
seal fix --mode all -vvvv package-lock.json
npm run build

pnpm

pnpm install
# <--- Run Seal CLI Here
export SEAL_TOKEN=<your-token>
export SEAL_PROJECT="poc"
export SEAL_USED_SEAL_NAMES=1
seal fix --mode all -vvvv pnpm-lock.yaml
pnpm run build

yarn

yarn install
# <--- Run Seal CLI Here
export SEAL_TOKEN=<your-token>
export SEAL_PROJECT="poc"
export SEAL_USED_SEAL_NAMES=1
seal fix --mode all -vvvv yarn.lock
yarn run build

Maven

# Resolve dependencies first
mvn dependency:resolve
# <--- Run Seal CLI Here
export SEAL_TOKEN=<your-token>
export SEAL_PROJECT="poc"
export SEAL_USED_SEAL_NAMES=1
seal fix --mode all -vvvv pom.xml
mvn package

Gradle

./gradlew dependencies
# <--- Run Seal CLI Here
export SEAL_TOKEN=<your-token>
export SEAL_PROJECT="poc"
export SEAL_USED_SEAL_NAMES=1
seal fix --mode all -vvvv build.gradle
./gradlew build

pip (Python)

pip install -r requirements.txt
# <--- Run Seal CLI Here
export SEAL_TOKEN=<your-token>
export SEAL_PROJECT="poc"
export SEAL_USED_SEAL_NAMES=1
seal fix --mode all -vvvv requirements.txt
# (Proceed to run application or build wheel)

Poetry (Python)

poetry install
# <--- Run Seal CLI Here
export SEAL_TOKEN=<your-token>
export SEAL_PROJECT="poc"
export SEAL_USED_SEAL_NAMES=1
seal fix --mode all -vvvv poetry.lock
poetry build

go mod download
# <--- Run Seal CLI Here
export SEAL_TOKEN=<your-token>
export SEAL_PROJECT="poc"
export SEAL_USED_SEAL_NAMES=1
seal fix --mode all -vvvv go.mod
go build

Use the official Seal Security Action. Insert the step uses: seal-security/seal-action at the correct point in your .github/workflows/main.yml.

Ensure you have added your token to the repository secrets as SEAL_TOKEN.

npm

- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- run: npm install

- name: Run Seal Fix
  uses: seal-security/seal-action@v1
  env:
    SEAL_PROJECT: 'poc'
    SEAL_USED_SEAL_NAMES: '1'
  with:
    token: ${{ secrets.SEAL_TOKEN }}
    args: '--mode all -vvvv package-lock.json'

- run: npm run build

pnpm

- uses: actions/checkout@v3
- uses: pnpm/action-setup@v2
- run: pnpm install

- name: Run Seal Fix
  uses: seal-security/seal-action@v1
  env:
    SEAL_PROJECT: 'poc'
    SEAL_USED_SEAL_NAMES: '1'
  with:
    token: ${{ secrets.SEAL_TOKEN }}
    args: '--mode all -vvvv pnpm-lock.yaml'

- run: pnpm run build

yarn

- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- run: yarn install

- name: Run Seal Fix
  uses: seal-security/seal-action@v1
  env:
    SEAL_PROJECT: 'poc'
    SEAL_USED_SEAL_NAMES: '1'
  with:
    token: ${{ secrets.SEAL_TOKEN }}
    args: '--mode all -vvvv yarn.lock'

- run: yarn run build

Maven

- uses: actions/checkout@v3
- uses: actions/setup-java@v3
  with:
    distribution: 'temurin'
    java-version: '17'
- run: mvn dependency:resolve

- name: Run Seal Fix
  uses: seal-security/seal-action@v1
  env:
    SEAL_PROJECT: 'poc'
    SEAL_USED_SEAL_NAMES: '1'
  with:
    token: ${{ secrets.SEAL_TOKEN }}
    args: '--mode all -vvvv pom.xml'

- run: mvn package

Gradle

- uses: actions/checkout@v3
- uses: actions/setup-java@v3
  with:
    distribution: 'temurin'
    java-version: '17'
- run: ./gradlew dependencies

- name: Run Seal Fix
  uses: seal-security/seal-action@v1
  env:
    SEAL_PROJECT: 'poc'
    SEAL_USED_SEAL_NAMES: '1'
  with:
    token: ${{ secrets.SEAL_TOKEN }}
    args: '--mode all -vvvv build.gradle'

- run: ./gradlew build

pip (Python)

- uses: actions/checkout@v3
- uses: actions/setup-python@v4
- run: pip install -r requirements.txt

- name: Run Seal Fix
  uses: seal-security/seal-action@v1
  env:
    SEAL_PROJECT: 'poc'
    SEAL_USED_SEAL_NAMES: '1'
  with:
    token: ${{ secrets.SEAL_TOKEN }}
    args: '--mode all -vvvv requirements.txt'

# Proceed to run tests or build

Poetry (Python)

- uses: actions/checkout@v3
- uses: actions/setup-python@v4
- run: pip install poetry
- run: poetry install

- name: Run Seal Fix
  uses: seal-security/seal-action@v1
  env:
    SEAL_PROJECT: 'poc'
    SEAL_USED_SEAL_NAMES: '1'
  with:
    token: ${{ secrets.SEAL_TOKEN }}
    args: '--mode all -vvvv poetry.lock'

- run: poetry build

- uses: actions/checkout@v3
- uses: actions/setup-go@v4
- run: go mod download

- name: Run Seal Fix
  uses: seal-security/seal-action@v1
  env:
    SEAL_PROJECT: 'poc'
    SEAL_USED_SEAL_NAMES: '1'
  with:
    token: ${{ secrets.SEAL_TOKEN }}
    args: '--mode all -vvvv go.mod'

- run: go build -v ./...

If you build inside Docker, add a RUN command for the Seal CLI. Note: You must ensure the Seal CLI is available inside the container (either COPY it in or wget it) and that the SEAL_TOKEN is available as a build argument.

npm

# 1. Install dependencies
RUN npm install

# 2. Run Seal Fix
ARG SEAL_TOKEN
ENV SEAL_TOKEN=$SEAL_TOKEN
ENV SEAL_PROJECT="poc"
ENV SEAL_USED_SEAL_NAMES=1
RUN ./seal fix --mode all -vvvv package-lock.json

# 3. Build
RUN npm run build

pnpm

# 1. Install dependencies
RUN pnpm install

# 2. Run Seal Fix
ARG SEAL_TOKEN
ENV SEAL_TOKEN=$SEAL_TOKEN
ENV SEAL_PROJECT="poc"
ENV SEAL_USED_SEAL_NAMES=1
RUN ./seal fix --mode all -vvvv pnpm-lock.yaml

# 3. Build
RUN pnpm run build

yarn

# 1. Install dependencies
RUN yarn install

# 2. Run Seal Fix
ARG SEAL_TOKEN
ENV SEAL_TOKEN=$SEAL_TOKEN
ENV SEAL_PROJECT="poc"
ENV SEAL_USED_SEAL_NAMES=1
RUN ./seal fix --mode all -vvvv yarn.lock

# 3. Build
RUN yarn run build

Maven

# 1. Resolve dependencies
RUN mvn dependency:resolve

# 2. Run Seal Fix
ARG SEAL_TOKEN
ENV SEAL_TOKEN=$SEAL_TOKEN
ENV SEAL_PROJECT="poc"
ENV SEAL_USED_SEAL_NAMES=1
RUN ./seal fix --mode all -vvvv pom.xml

# 3. Package
RUN mvn package

Gradle

# 1. Resolve dependencies
RUN ./gradlew dependencies

# 2. Run Seal Fix
ARG SEAL_TOKEN
ENV SEAL_TOKEN=$SEAL_TOKEN
ENV SEAL_PROJECT="poc"
ENV SEAL_USED_SEAL_NAMES=1
RUN ./seal fix --mode all -vvvv build.gradle

# 3. Build
RUN ./gradlew build

pip (Python)

# 1. Install dependencies
RUN pip install -r requirements.txt

# 2. Run Seal Fix
ARG SEAL_TOKEN
ENV SEAL_TOKEN=$SEAL_TOKEN
ENV SEAL_PROJECT="poc"
ENV SEAL_USED_SEAL_NAMES=1
RUN ./seal fix --mode all -vvvv requirements.txt

# 3. Entrypoint
CMD ["python", "app.py"]

Poetry (Python)

# 1. Install dependencies
RUN poetry install

# 2. Run Seal Fix
ARG SEAL_TOKEN
ENV SEAL_TOKEN=$SEAL_TOKEN
ENV SEAL_PROJECT="poc"
ENV SEAL_USED_SEAL_NAMES=1
RUN ./seal fix --mode all -vvvv poetry.lock

# 3. Build/Run
RUN poetry build

# 1. Download modules
RUN go mod download

# 2. Run Seal Fix
ARG SEAL_TOKEN
ENV SEAL_TOKEN=$SEAL_TOKEN
ENV SEAL_PROJECT="poc"
ENV SEAL_USED_SEAL_NAMES=1
RUN ./seal fix --mode all -vvvv go.mod

# 3. Build
RUN go build -o /app/main .

Snyk Integration

export SEAL_SNYK_URL="https://api.snyk.io" # Default
export SEAL_SNYK_TOKEN="<Snyk access token>"
export SEAL_SNYK_ORG_ID="<ID of your Snyk organization>"
export SEAL_SNYK_PROJECT_ID="<ID of the Snyk project that is scanned>"

BlackDuck Integration

export SEAL_BLACKDUCK_URL="<Black Duck server's URL>"
export SEAL_BLACKDUCK_TOKEN="<Black Duck access token>"
export SEAL_BLACKDUCK_PROJECT="<Name of the project on Black Duck>"
export SEAL_BLACKDUCK_PROJECT_VERSION_NAME="<Git branch that is scanned>"

GitHub Advanced Security / Dependabot

export SEAL_DEPENDABOT_URL="<Dependabot server's URL>"
export SEAL_DEPENDABOT_TOKEN="<Dependabot access token>"
export SEAL_DEPENDABOT_OWNER="<Name of the GitHub organization>"
export SEAL_DEPENDABOT_REPO="<Name of the GitHub repository>"

Ox Security

export SEAL_OX_URL="https://api.cloud.ox.security/api/apollo-gateway"
export SEAL_OX_TOKEN="<Ox access token>"
export SEAL_OX_APPLICATION="<Name of the Ox application>"
export SEAL_OX_EXCLUDE_WHEN_HIGH_CRITICAL_FIXED="true"

Next Steps

Once you have integrated the CLI into your pipeline, follow these steps to see the results.

Trigger the Pipeline: Run your build pipeline (Jenkins job, GitHub Action workflow, or Docker build). This execution will trigger the seal fix command, which scans your dependencies and reports back to the Seal Platform.
View the Protection Page: Navigate to the Protection Page.
- If the page is already open and empty, refresh it. You should now see a list of detected vulnerabilities.
Remediate Vulnerabilities: Now that we have visibility, let's look at how fixes are applied based on the mode you selected.
- If you chose mode: all: The initial run of the seal fix command has likely already replaced vulnerable packages.
  - Fixed: Vulnerabilities we successfully patched will appear with a green Sealed label on the right side of the row.
  - Pending: For packages where a sealed version doesn't exist yet, you will see a Generate Fix button.
- If you chose mode: remote: No code changes happen automatically. You have full control via the UI.
  - Available Fixes: Packages with a ready-to-use sealed version will show a blue Seal button.
  - Action: Click the Seal button, then confirm by clicking Seal package in the dialog box. This creates a sealing rule on the server.
  - Apply: Run your pipeline again. The CLI will now pick up the new rule, replace the package, and the status in the UI will change to a green Sealed label.
  - Pending: Packages without an existing sealed version will show a Generate Fix button.
- If you chose mode: local: Instructions for local mode configuration will be provided separately.

Configure the Artifact Server

To pull sealed versions, you must configure your environment to trust and prioritize Seal's repository. Choose the scenario that matches your infrastructure.

Scenario A: No Private Artifact Server

Use this method if your developers/CI pull directly from public registries (npm, PyPI, Maven Central, etc.).

You will either add Seal as an additional registry or set it as the default registry, depending on the package manager's capabilities. Seal proxies all upstream traffic, ensuring standard packages are also available.

Prerequisites: In all configurations below, you will need the following values:

$SEAL_TOKEN: The Access Token you generated in the onboarding flow.
$SEAL_PROJECT: Your Project ID (e.g., poc). This is used for reporting usage.

npm & Yarn Classic (v1)

We recommend using a per-project configuration by creating or editing the .npmrc file in your project's root directory.

Configuration Steps:

Prepare your credentials:
- Project Identifier ($SEAL_PROJECT): e.g., poc.
- Base64 Token: You must encode your Seal Access Token ($SEAL_TOKEN) in base64.
  - macOS: echo -n $SEAL_TOKEN | base64
  - Linux (Ubuntu): echo -n $SEAL_TOKEN | base64 -w0

Edit .npmrc: Add the following content to replace the default registry with Seal Security.

registry=[https://npm.sealsecurity.io/](https://npm.sealsecurity.io/)
//npm.sealsecurity.io/:username=$SEAL_PROJECT
//npm.sealsecurity.io/:_password=<YOUR_BASE64_TOKEN>
//npm.sealsecurity.io/:always-auth=true

Verify: Run the following command to check authentication:
```
npm -d ping
```
Success Output: npm notice PONG ... npm info ok

Yarn v2

The configuration is saved in the .yarnrc.yml file in the project's root.

Configuration Steps:

Prepare your Authentication String: You must Base64 encode the string $SEAL_PROJECT:$SEAL_TOKEN.

Edit .yarnrc.yml: Set the following configuration, replacing <BASE64_STRING> with your encoded credentials.

npmRegistries:
  "https://npm.sealsecurity.io":
    npmAlwaysAuth: true
    npmAuthIdent: "<BASE64_STRING>"

npmRegistryServer: "https://npm.sealsecurity.io"

Check Yarn Path: Ensure yarnPath in the file points to the correct version (e.g., .yarn/releases/yarn-{version}.cjs).

Yarn v3+

The configuration is saved in the .yarnrc.yml file in the project's root.

Configuration Steps:

Prepare your Authentication String: Use the plain string "$SEAL_PROJECT:$SEAL_TOKEN". No encoding is required.

Edit .yarnrc.yml: Add the following configuration.

npmRegistries:
  "https://npm.sealsecurity.io":
    npmAlwaysAuth: true
    npmAuthIdent: "$SEAL_PROJECT:$SEAL_TOKEN"

npmRegistryServer: "https://npm.sealsecurity.io"

Check Yarn Path: Ensure yarnPath in the file points to the correct version (e.g., .yarn/releases/yarn-{version}.cjs).

pip

Configure pip to check Seal as an additional registry (extra-index-url).

Option 1: Command Line / CI

Use an environment variable to configure the extra index URL globally for the session.

export PIP_EXTRA_INDEX_URL=https://$SEAL_PROJECT:$SEAL_TOKEN@pypi.sealsecurity.io/simple

Option 2: pip.conf (Global/User config)

[global]
extra-index-url = https://$SEAL_PROJECT:$SEAL_TOKEN@pypi.sealsecurity.io/simple

Option 3: requirements.txt

Add the following line to the top of your requirements.txt file.

--extra-index-url https://$SEAL_PROJECT:$SEAL_TOKEN@pypi.sealsecurity.io/simple

Poetry

Configure the Seal repository in your pyproject.toml or via CLI configuration.

Add Repository:

poetry source add --default seal https://$SEAL_PROJECT:$SEAL_TOKEN@pypi.sealsecurity.io/simple

Usage: Poetry will now query this repository when resolving dependencies.

Maven

We recommend defining the repository in your project's pom.xml and configuring authentication securely via your global settings.xml.

Step 1: Edit pom.xml Open the project's pom.xml file. Add the Seal Security repository inside the <repositories> tag. If the tag doesn't exist, create it. Note: Ensure Seal is the first repository listed.

<repositories>
  <repository>
    <id>seal-security</id>
    <url>https://maven.sealsecurity.io/</url>
    <releases><enabled>true</enabled></releases>
    <snapshots><enabled>false</enabled></snapshots>
  </repository>
</repositories>

Step 2: Edit settings.xml Open your Maven settings file (usually ~/.m2/settings.xml on Unix/Mac or %userprofile%\.m2\settings.xml on Windows). Add a <server> entry to the <servers> section. Important: The <id> must match the repository ID used in Step 1.

<settings>
  <servers>
    <server>
      <id>seal-security</id>
      <username>${env.SEAL_PROJECT}</username>
      <password>${env.SEAL_TOKEN}</password>
    </server>
  </servers>
</settings>

Step 3: Build When building your project, pass the project ID and token as environment variables.

# Make sure SEAL_PROJECT and SEAL_TOKEN are exported in your shell first
SEAL_PROJECT=$SEAL_PROJECT SEAL_TOKEN=$SEAL_TOKEN mvn package

Gradle

Add the Seal repository to your build.gradle file.

repositories {
    maven {
        url "https://maven.sealsecurity.io"
        credentials {
            username = $SEAL_PROJECT
            password = $SEAL_TOKEN
        }
    }
}

The Go repository is managed via the GOPROXY environment variable.

Before building the project or downloading modules, you must set GOPROXY to point to Seal Security. You must embed your Project ID and Token directly into the URL for authentication.

# Replace $SEAL_PROJECT with your Project ID and $SEAL_TOKEN with your token

GOPROXY="https://$SEAL_PROJECT:$SEAL_TOKEN@go.sealsecurity.io,direct" go mod download

Nuget

Add Seal as a package source in your nuget.config file.

<configuration>
  <packageSources>
    <add key="Seal" value="https://nuget.sealsecurity.io/v3/index.json" />
  </packageSources>
  <packageSourceCredentials>
    <Seal>
      <add key="Username" value="%SEAL_PROJECT%" />
      <add key="ClearTextPassword" value="%SEAL_TOKEN%" />
    </Seal>
  </packageSourceCredentials>
</configuration>

Note: Ensure you replace %SEAL_PROJECT% and %SEAL_TOKEN% with appropriate environment variable references or values.

Bundler

Configure Bundler to use Seal Security as a mirror or source.

Gemfile Configuration: You can specify the source directly in your Gemfile:

source "https://#{ENV['SEAL_PROJECT']}:#{ENV['SEAL_TOKEN']}@ruby.sealsecurity.io

Composer (PHP)

Add the Seal repository to your composer.json file and configure authentication in auth.json.

# Configure the repository
composer config repos.packagist composer https://packagist.sealsecurity.io/

# Configure the authentication method
composer config --auth http-basic.packagist.sealsecurity.io $SEAL_PROJECT $SEAL_TOKEN

APK

Download the Seal artifact server public key file:

800B

sealsecurity.rsa.pub

Open

Save the file in /etc/apk/keys/sealsecurity.rsa.pub .
Edit /etc/apk/repositories. Add the Seal repository line at the top:

https://$SEAL_PROJECT:$SEAL_TOKEN@apk.sealsecurity.io/seal/main

APT

Create a file /etc/apt/sources.list.d/seal.list:

deb https://$SEAL_PROJECT:$SEAL_TOKEN@apt.sealsecurity.io/debian/ <distribution> main

YUM

Create a file /etc/yum.repos.d/seal.repo:

[seal-security]
name=Seal
baseurl=https://rpm.sealsecurity.io/centos/$releasever/os/$basearch/
enabled=1
gpgcheck=0
username=$SEAL_PROJECT
password=$SEAL_TOKEN

Scenario B: Using JFrog Artifactory

Use this method if you manage dependencies via JFrog Artifactory.

You will create a Remote Repository in Artifactory that points to the Seal Artifact Server, and then add it to your Virtual Repository. Since Seal proxies upstream traffic, it functions as a fully capable remote source.

Create Remote Repository:
- Package Type: Select the relevant type (npm, PyPI, Maven, Go).
- Repository Key: e.g., seal-npm-remote.
- URL: Enter the Seal Registry URL (e.g., https://npm.sealsecurity.io).
- Authentication:
  - User Name: token (or as specified in the Seal dashboard).
  - Password / Access Token: Paste your Seal Artifact Server Token.
Update Virtual Repository:
- Go to your main Virtual Repository (e.g., npm-virtual).
- Add the new seal-npm-remote repository to the list of aggregated repositories.
- Priority: Ensure the Seal repository is higher in the resolution order than the public repositories (npm, Maven Central) to ensure sealed versions are found.

Scenario C: Other / Manual

Use this method for air-gapped environments or other artifact servers (Nexus, Azure Artifacts) without remote proxy capabilities.

Download: Go to the Seal Protection page, locate the package, and click Download Artifact.
Upload: Manually upload the .tgz, .whl, or .jar file to your private artifact server.

Part 4: How to Apply Fixes

Once the server is configured, you must explicitly update your dependency files to use the sealed versions.

1. npm / yarn / pnpm

Direct Dependency: Update the version in package.json.
```
npm install package-name@1.2.3-sp1
```

Transitive Dependency (Force Resolution):

npm (v8+) / pnpm: Use the overrides field in package.json.

{
  "overrides": {
    "vulnerable-package": "1.2.3-sp1"
  }
}

yarn: Use the resolutions field in package.json.

{
  "resolutions": {
    "vulnerable-package": "1.2.3-sp1"
  }
}

2. Maven

Direct Dependency: Update the <version> tag in your pom.xml.

<dependency>
    <groupId>com.example</groupId>
    <artifactId>vulnerable-lib</artifactId>
    <version>1.2.3-sp1</version>
</dependency>

Transitive Dependency: Use the <dependencyManagement> section in your pom.xml to enforce a version across the entire project.

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.example</groupId>
            <artifactId>transitive-lib</artifactId>
            <version>1.2.3-sp1</version>
        </dependency>
    </dependencies>
</dependencyManagement>

3. Python (pip)

Direct Dependency: Update the line in requirements.txt.
```
vulnerable-package==1.2.3-sp1
```
Transitive Dependency: Add the transitive package explicitly to your requirements.txt to override the sub-dependency resolution.
```
# Explicitly pinning transitive dependency to sealed version
transitive-package==1.2.3-sp1
```

4. Go

Direct Dependency: Get the specific sealed version.

go get [example.com/vulnerable-module@v1.2.3-sp1](https://example.com/vulnerable-module@v1.2.3-sp1)

Transitive Dependency: Use the replace directive in your go.mod file.

replace [example.com/transitive-module](https://example.com/transitive-module) => [example.com/transitive-module](https://example.com/transitive-module) v1.2.3-sp1

    <activeProfile>seal-repo</activeProfile>
  </activeProfiles>
</settings>

4. Go

Add Seal to your GOPROXY list as an additional proxy, prioritizing it before the public proxy.

export GOPROXY=[https://go.sealsecurity.io](https://go.sealsecurity.io),proxy.golang.org,direct

Last updated 13 days ago