User Guide
  • Fundamentals
    • Quick Start Guide
      • Signing Up
      • Package Discovery
        • Connecting to GitHub
        • Connecting to GitLab
        • Connecting to Azure DevOps
        • Connecting to the CI Pipeline
        • Connecting to the Artifact Server
      • Package Sealing
        • Integrating the CLI in the CI
        • Editing Dependencies
    • Deployments
      • Choosing Your Deployment
      • Automatic Remediation
      • Remote Configuration
      • Local Configuration
      • Artifact Server
    • CLI
      • Download and Installation
      • Scanning
      • Fixing All Dependencies
      • Fixing Specific Dependencies
      • Fixing OS Vulnerabilities
      • Integrating with the CI
      • Uploading Scan Results
      • Commands
      • SCA Integrations
      • JFrog Integration
      • Usage Examples
        • Sealing Application Dependencies
        • Sealing Linux Environments
    • Artifact Server
      • Generating a Token
      • Artifact Server Ordering
      • Configuring the Package Manager
        • Configuring apk
        • Configuring Composer
        • Configuring Go
        • Configuring Gradle
        • Configuring Maven
        • Configuring npm
        • Configuring pip
        • Configuring Poetry
        • Configuring yarn
        • Configuring yum
      • Clearing the Cache
      • Editing Your Dependencies
    • Web Interface
      • Rules Screen
  • APIs
    • List Vulnerable Packages
  • FAQ
  • Vulnerability Disclosure
Powered by GitBook
On this page
  • Snyk integration
  • Black Duck integration
  • GitHub Advanced Security & Dependabot integration
  1. Fundamentals
  2. CLI

SCA Integrations

PreviousCommandsNextJFrog Integration

Last updated 21 days ago

When Seal Security releases a remediated version, the version string is usually the original version with some suffix, usually -sp1 or +sp1. For example, ejs@2.7.4 would become ejs@2.7.4-sp1.

Different SCA tools treat these versions differently. Some scanners no longer show the vulnerability alerts for these versions, while some continue to recognize these versions as affected. For some scanners the behavior is actually ecosystem specific.

To avoid the false positives the Seal CLI integrates with various SCA tools. When the integration is operative, the Seal CLI will mark the remediated vulnerabilities in the sealed package as remediated, if possible with a message saying it was remediated by Seal Security.

Vulnerabilities that were not remediated in the sealed version would continue to appear in the alerts, as will new vulnerabilities that are discovered later on and haven't been patched in the existing sealed version.

Snyk integration

There are two types of Snyk integrations -

  1. Using the Snyk API - best for the deployment.

  2. Using the Snyk policy files - best for the deployment.

Snyk API integration

This integration with Snyk leverages the Snyk API.

To setup the integration just define the following environment variables:

SEAL_SNYK_URL = <Snyk server's URL> (by default "https://api.snyk.io")
SEAL_SNYK_TOKEN = <Snyk access token>
SEAL_SNYK_ORG_ID = <ID of your Snyk organization>
SEAL_SNYK_PROJECT_ID = <ID of the Snyk project that is scanned>

You can also define them in the .seal-config.yml file at the root of your project:

snyk:
  url: <Snyk server's URL> (by default "https://api.snyk.io")
  token: <Snyk access token>        
  org-id: <ID of your Snyk organization>
  project-id: <ID of the Snyk project that is scanned>

You can find or create a token to Snyk under Organization -> Settings -> Service accounts. Org Collaborator permissions are sufficient.

You can find the Snyk organization ID under Organization -> Settings -> General -> Organization ID.

You can find the Snyk project ID under Organization -> Projects -> specific project -> Settings -> Project ID.

Snyk policy files integration

This integration with Snyk leverages the the .snyk policy files, typically located in the project root. Since the integration requires access to the source files, it can only be used together with the --generate-local-config flag.

To apply the integration run:

seal scan --generate-local-config --generate-snyk-policy

It will cause the Seal tool to generate or update the appropriate .snyk file, so the Snyk scanner will be notified of the vulnerabilities fixed by Seal.

Black Duck integration

The integration with Black Duck uses its API.

To setup the integration just define the following environment variables:

SEAL_BLACKDUCK_URL = <Black Duck server's URL>
SEAL_BLACKDUCK_TOKEN = <Black Duck access token>
SEAL_BLACKDUCK_PROJECT = <Name of the project on Black Duck>
SEAL_BLACKDUCK_PROJECT_VERSION_NAME = <Git branch that is scanned>

You can also define them in the .seal-config.yml file at the root of your project:

blackduck:
  url: <Black Duck server's URL>
  token: <Black Duck access token>        
  project-name: <Name of the project on Black Duck>
  project-version-name: <Git branch that is scanned>

GitHub Advanced Security & Dependabot integration

The integration with GitHub Advanced Security leverages the Dependabot API.

To setup the integration define the following environment variables:

SEAL_DEPENDABOT_URL = <Dependabot server's URL>
SEAL_DEPENDABOT_TOKEN = <Dependabot access token>
SEAL_DEPENDABOT_OWNER = <Name of the GitHub organization>
SEAL_DEPENDABOT_REPO = <Name of the GitHub repository>

You can also define them in the .seal-config.yml file at the root of your project:

dependabot:
  url: <Optional URL for Dependabot's server, if not using public GitHub>
  token: <Dependabot access token>        
  owner: <Name of the GitHub organization>
  repo: <Name of the GitHub repository>

Note that as Dependabot creates a single alert for different vulnerable versions of the same package, if your project is afflicted by more than one vulnerable version of the same package (which is only possible in certain ecosystems), Seal will resolve the alert only if all vulnerable versions were sealed.

Remote Configuration
Local Configuration