SCA Integrations

When Seal Security releases a remediated version, the version string is usually the original version with a suffix, typically -sp1 or +sp1. For example, ejs@2.7.4 becomes ejs@2.7.4-sp1.

Different SCA tools treat these versions differently: some scanners stop showing vulnerability alerts for them, while others continue to recognize them as affected. For some scanners the behavior is ecosystem-specific.

To avoid these false positives, the Seal CLI integrates with various SCA tools. When an integration is active, the Seal CLI marks the remediated vulnerabilities in the sealed package as remediated, where possible with a message stating that they were remediated by Seal Security.

Vulnerabilities that were not remediated in the sealed version will continue to appear in the alerts, as will vulnerabilities discovered later that have not been patched in the existing sealed version.

Snyk integration

The integration with Snyk leverages the .snyk policy files, typically located in the project root. Since the integration requires access to the source files, it can only be used together with the --generate-local-config flag.

To apply the integration run:

seal scan --generate-local-config --generate-snyk-policy

This causes the Seal tool to generate or update the appropriate .snyk file, so that the Snyk scanner is notified of the vulnerabilities fixed by Seal.
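As an illustration of what such a policy update involves, the following added example (not Seal Security's own generator) builds the `ignore` rules a .snyk file needs for sealed packages and merges them into an existing policy without clobbering hand-written ignores. The SEALED_FIXES input and the SNYK-PLACEHOLDER ids are constructed; the policy layout (version / ignore / id / '*' / reason / expires / patch) follows Snyk's documented .snyk format. Parsing an existing .snyk file (for example with PyYAML) is left to the caller; merge_ignore() works on the already-parsed mapping.

```python
"""Build and merge .snyk ignore rules for Seal-remediated packages.

Added example for illustration; not Seal Security's implementation.
"""
from __future__ import annotations

REASON_PREFIX = "Remediated by Seal Security"

# Constructed input: sealed package -> Snyk vulnerability ids fixed in it.
# The SNYK-PLACEHOLDER ids are placeholders, not real advisory numbers.
SEALED_FIXES: dict[str, list[str]] = {
    "ejs@2.7.4-sp1": ["SNYK-PLACEHOLDER-0001", "SNYK-PLACEHOLDER-0002"],
    "lodash@4.17.20-sp1": ["SNYK-PLACEHOLDER-0003"],
}


def build_ignore_rules(sealed_fixes: dict[str, list[str]], expires: str) -> dict[str, list[dict]]:
    """Return an `ignore` mapping: vuln id -> [{'*': {reason, expires}}].

    '*' ignores the issue on every dependency path. rpartition splits on the
    last '@', so scoped names such as @scope/pkg@1.0.0-sp1 stay intact.
    """
    rules: dict[str, list[dict]] = {}
    for pkg, vuln_ids in sealed_fixes.items():
        name, _, version = pkg.rpartition("@")
        for vid in vuln_ids:
            rules.setdefault(vid, []).append(
                {"*": {"reason": f"{REASON_PREFIX} ({name}@{version})", "expires": expires}}
            )
    return rules


def merge_ignore(existing: dict[str, list[dict]], seal_rules: dict[str, list[dict]]) -> dict[str, list[dict]]:
    """Merge Seal rules into an existing `ignore` mapping.

    Hand-written ignores are kept untouched; rules previously written by Seal
    (recognised by the reason prefix) are replaced, so re-running after an
    upgrade does not leave stale entries behind.
    """
    merged: dict[str, list[dict]] = {}
    for vid, rules in existing.items():
        kept = [
            r for r in rules
            if not any(str(body.get("reason", "")).startswith(REASON_PREFIX) for body in r.values())
        ]
        if kept:
            merged[vid] = kept
    for vid, rules in seal_rules.items():
        merged.setdefault(vid, []).extend(rules)
    return merged


def render_policy(ignore: dict[str, list[dict]], version: str = "v1.25.0") -> str:
    """Serialise the policy as .snyk text (keys are simple, so no YAML library is needed)."""
    lines = [f"version: {version}", "ignore:"]
    for vid in sorted(ignore):
        lines.append(f"  {vid}:")
        for rule in ignore[vid]:
            for path, body in rule.items():
                lines.append(f"    - '{path}':")
                lines.append(f"        reason: {body['reason']}")
                lines.append(f"        expires: {body['expires']}")
    lines.append("patch: {}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = build_ignore_rules(SEALED_FIXES, "2030-01-01T00:00:00.000Z")
    print(render_policy(merge_ignore({}, rules)), end="")
```

The merge step matters more than the generation step: a scanner policy file is often shared with manually accepted risks, and an integration that rewrites it wholesale would silently drop them. Tagging Seal-managed entries by their reason string gives a cheap way to tell the two apart on the next run.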

Black Duck integration

The integration with Black Duck uses its API.

To set up the integration, define the following environment variables:

SEAL_BLACKDUCK_URL = <Black Duck server's URL>
SEAL_BLACKDUCK_TOKEN = <Black Duck access token>
SEAL_BLACKDUCK_PROJECT = <Name of the project on Black Duck>
SEAL_BLACKDUCK_PROJECT_VERSION_NAME = <Git branch that is scanned>

You can also define them in the .seal-config.yml file at the root of your project:

blackduck:
  url: <Black Duck server's URL>
  token: <Black Duck access token>
  project-name: <Name of the project on Black Duck>
  project-version-name: <Git branch that is scanned>

GitHub Advanced Security & Dependabot integration

The integration with GitHub Advanced Security leverages the Dependabot API.

To set up the integration, define the following environment variables:

SEAL_DEPENDABOT_URL = <Dependabot server's URL>
SEAL_DEPENDABOT_TOKEN = <Dependabot access token>
SEAL_DEPENDABOT_OWNER = <Name of the GitHub organization>
SEAL_DEPENDABOT_REPO = <Name of the GitHub repository>

You can also define them in the .seal-config.yml file at the root of your project:

dependabot:
  url: <Optional URL for Dependabot's server, if not using public GitHub>
  token: <Dependabot access token>
  owner: <Name of the GitHub organization>
  repo: <Name of the GitHub repository>

Note that Dependabot creates a single alert covering all vulnerable versions of the same package. If your project contains more than one vulnerable version of the same package (possible only in certain ecosystems), Seal resolves the alert only once all of those vulnerable versions have been sealed.
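The following added example (not Seal Security's implementation) shows the decision rule behind that note: an alert is resolvable only when every installed version inside the advisory's vulnerable range is a sealed version that remediates that advisory. INSTALLED, SEALED_FIXES and ALERTS are constructed, and the GHSA ids are placeholders. The alert fields read here (number, dependency.package.name, security_advisory.ghsa_id, security_vulnerability.vulnerable_version_range) follow GitHub's Dependabot alerts REST API; the PATCH request that would dismiss an alert is assembled but never sent, and the dismissed_reason value is this example's choice, not necessarily Seal's.

```python
"""Decide which Dependabot alerts a sealed project may resolve.

Added example for illustration; not Seal Security's implementation.
"""
import json
import re
import urllib.request

SEAL_SUFFIX = re.compile(r"[-+]sp\d+$")  # matches the "-sp1" / "+sp1" suffix
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b,
}

# Constructed project state: every installed version of each package ...
INSTALLED = {"ejs": ["2.7.4-sp1", "3.1.6"], "lodash": ["4.17.20-sp1"]}
# ... and which advisories each sealed version remediates (placeholder ids).
SEALED_FIXES = {
    "ejs@2.7.4-sp1": {"GHSA-PLACEHOLDER-aaaa"},
    "lodash@4.17.20-sp1": {"GHSA-PLACEHOLDER-bbbb"},
}
# Constructed alerts in the shape of the Dependabot alerts API response.
ALERTS = [
    {"number": 1, "dependency": {"package": {"name": "ejs"}},
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-aaaa"},
     "security_vulnerability": {"vulnerable_version_range": "< 3.1.7"}},
    {"number": 2, "dependency": {"package": {"name": "lodash"}},
     "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-bbbb"},
     "security_vulnerability": {"vulnerable_version_range": "< 4.17.21"}},
]


def base_version(version: str) -> str:
    """Strip Seal's suffix so the version can be matched against advisory ranges."""
    return SEAL_SUFFIX.sub("", version)


def _vtuple(version: str) -> tuple:
    """Numeric tuple for comparison; non-numeric tails (e.g. '-beta') count as 0."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in version.split("."))


def in_range(version: str, spec: str) -> bool:
    """Evaluate a Dependabot range such as '< 3.1.7' or '>= 1.0.0, < 2.0.0'."""
    v = _vtuple(version)
    for clause in spec.split(","):
        op, bound = clause.strip().split(" ", 1)
        if not _OPS[op](v, _vtuple(bound.strip())):
            return False
    return True


def can_resolve(alert: dict, installed: dict, sealed_fixes: dict) -> bool:
    """True only if every installed version in range is sealed against this advisory."""
    name = alert["dependency"]["package"]["name"]
    ghsa = alert["security_advisory"]["ghsa_id"]
    spec = alert["security_vulnerability"]["vulnerable_version_range"]
    affected = [v for v in installed.get(name, []) if in_range(base_version(v), spec)]
    if not affected:
        return False  # nothing in range: leave the alert to Dependabot itself
    return all(ghsa in sealed_fixes.get(f"{name}@{v}", set()) for v in affected)


def dismiss_request(owner: str, repo: str, alert: dict, token: str,
                    api_url: str = "https://api.github.com") -> urllib.request.Request:
    """Assemble (but do not send) the PATCH that dismisses one alert."""
    body = {"state": "dismissed", "dismissed_reason": "fix_started",
            "dismissed_comment": "Remediated by Seal Security"}
    return urllib.request.Request(
        f"{api_url}/repos/{owner}/{repo}/dependabot/alerts/{alert['number']}",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"Accept": "application/vnd.github+json",
                 "Authorization": f"Bearer {token}",
                 "X-GitHub-Api-Version": "2022-11-28"})


def plan(alerts: list, installed: dict, sealed_fixes: dict) -> dict:
    """Map alert number -> whether it may be dismissed."""
    return {a["number"]: can_resolve(a, installed, sealed_fixes) for a in alerts}


if __name__ == "__main__":
    for number, ok in plan(ALERTS, INSTALLED, SEALED_FIXES).items():
        print(f"alert #{number}: {'resolve' if ok else 'leave open'}")
```

With the constructed input, alert 1 stays open: ejs@2.7.4-sp1 is sealed, but the unsealed ejs@3.1.6 still falls inside the vulnerable range, and Dependabot has only one alert for both. Alert 2 is resolvable because the only installed lodash version is sealed against that advisory. Dismissing on a per-alert basis while any affected version remains unsealed would hide a live finding, which is why the rule requires all of them.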
