Artifact Server Ordering

When using the artifact server deployment, special care must be given to the ordering of the servers in the package manager's configuration.

Keep in mind the following considerations:

  1. Seal Security's artifact server automatically redirects downloads of regular packages to the global servers (for example, for npm packages it redirects to https://registry.npmjs.org).

  2. Seal Security's artifact server will not redirect downloads to any private artifact server.

  3. To provide full visibility of downloaded packages, all download requests must go through Seal Security's artifact server.

The following ordering of artifact servers is the recommended configuration:

  1. Private server

  2. Seal Security's server

With this configuration, the Seal platform has maximum visibility of downloaded packages. Note that the global server need not appear in the list, because downloads of regular packages are redirected there by Seal.

Privacy-focused ordering

The following ordering of artifact servers can provide additional privacy for organizations that do not want to share with Seal Security the list of packages they depend on:

  1. Private server

  2. Global server

  3. Seal Security's server

Note that with this configuration the Seal server is only used when pulling sealed versions, so Seal Security has no visibility of the regular packages downloaded by the organization. Used this way, Seal must rely on a connection to the source code repository to provide vulnerability alerts.
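The following script is an added worked example, not Seal Security's code or configuration. It models the two orderings above (private then Seal; private, global, then Seal) and reports which servers see each download request, so the visibility claims made for each ordering can be checked directly. It assumes, as the page's reasoning does, that the package manager tries servers in the configured order and the first one able to serve the package wins; that a private package exists only on the private server; that a regular package exists on the global server and is redirected there by Seal's server (rule 1); that Seal's server never redirects to a private server (rule 2); and that a sealed version exists only on Seal's server. The server URLs, package names and the `check_order` warnings are constructed for illustration.

```python
"""Which artifact servers see a package download request under a given ordering.

Added example, not Seal Security's code. Assumptions (labelled): servers are
tried in the configured order and the first one that can serve the package
wins; private packages live only on the private server; regular packages live
on the global server and are redirected there by Seal's server; sealed
versions live only on Seal's server. All names and URLs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

PRIVATE, GLOBAL, SEAL = "private", "global", "seal"


@dataclass(frozen=True)
class Server:
    name: str
    kind: str  # PRIVATE, GLOBAL or SEAL


@dataclass(frozen=True)
class Package:
    name: str
    kind: str  # "private", "regular" or "sealed"


def can_serve(server: Server, pkg: Package) -> bool:
    """Whether a server can satisfy a request, following the rules on this page."""
    if server.kind == PRIVATE:
        return pkg.kind == "private"
    if server.kind == GLOBAL:
        return pkg.kind == "regular"
    # Seal's server serves sealed versions itself and redirects regular
    # packages to the global server; it never redirects to a private server.
    return pkg.kind in ("regular", "sealed")


def resolve(order: list[Server], pkg: Package) -> tuple[str | None, list[str]]:
    """Return (name of the serving server, names of every server that saw the request)."""
    seen: list[str] = []
    for server in order:
        seen.append(server.name)  # each server tried learns the package name
        if can_serve(server, pkg):
            return server.name, seen
    return None, seen  # nothing in the list could serve it


def seal_sees(order: list[Server], packages: list[Package]) -> list[str]:
    """Names of packages whose requests reach Seal's server, i.e. Seal's visibility."""
    seal_names = {s.name for s in order if s.kind == SEAL}
    visible = []
    for pkg in packages:
        _, seen = resolve(order, pkg)
        if seal_names & set(seen):
            visible.append(pkg.name)
    return visible


def check_order(order: list[Server]) -> list[str]:
    """Warnings about an ordering, derived from the rules above (constructed wording)."""
    kinds = [s.kind for s in order]
    warnings = []
    if SEAL not in kinds:
        warnings.append("no Seal server: sealed versions cannot be downloaded")
    if PRIVATE in kinds and SEAL in kinds and kinds.index(SEAL) < kinds.index(PRIVATE):
        warnings.append("Seal server listed before the private server: private "
                        "package requests reach Seal first, and Seal cannot serve them")
    return warnings


# Constructed sample servers (placeholder hosts, not real deployments).
PRIVATE_SRV = Server("https://artifacts.example.internal", PRIVATE)
GLOBAL_SRV = Server("https://registry.npmjs.org", GLOBAL)
SEAL_SRV = Server("https://seal-artifacts.example", SEAL)

# Constructed sample packages, one of each kind.
SAMPLE_PACKAGES = [
    Package("acme-internal-utils", "private"),
    Package("left-pad", "regular"),
    Package("lodash-sealed", "sealed"),
]

RECOMMENDED = [PRIVATE_SRV, SEAL_SRV]                  # full visibility
PRIVACY_FOCUSED = [PRIVATE_SRV, GLOBAL_SRV, SEAL_SRV]  # Seal sees sealed versions only

if __name__ == "__main__":
    for label, order in (("recommended", RECOMMENDED), ("privacy-focused", PRIVACY_FOCUSED)):
        print(f"{label}: Seal sees {seal_sees(order, SAMPLE_PACKAGES)}; warnings {check_order(order)}")
```

Running the script shows the difference the page describes: with the recommended ordering Seal sees both the regular and the sealed package (the regular one is redirected to the global server), while with the privacy-focused ordering the global server answers the regular request before Seal is ever consulted, so Seal sees only the sealed version.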
