Remote Configuration

Overview

With this deployment, rules defining which packages are replaced with their sealed version are set on the Seal server using Seal's web interface.

To fix a vulnerability a new rule must be defined through the web interface.

The actual substitution is done by Seal’s CLI, which is integrated in the CI pipeline immediately after the packages are installed (for example npm install). The CLI pulls the instructions from the Seal server, and then replaces the vulnerable packages with the sealed versions accordingly.

Integration

The initial integration requires:

  • Adding Seal's CLI to each CI pipeline. This can be done gradually over time.

Sealing a package

The simplest way to seal a package is through the Protection screen.

Next to the alert regarding the vulnerable package, click on the Seal button.

In the Sealing instructions dialog under the Remote tab you will be able to define a new rule for this package. A local rule will apply only to this project, whereas a global rule will apply to all projects.

Once you create a rule sealing the package, the vulnerable package will show the green Sealed marking where the Seal button was before (see the first screenshot).

The sealed versions are made to be fully compatible with the vulnerable ones, so other than fixing the vulnerability there are no side effects to the substitution. The next time your CI pipeline runs it will incorporate the remediated version instead of the vulnerable one.

Sealing a package using the remote configuration

Unsealing a package

To unseal a package, click on the "..." next to the sealed package's row, and click Unseal package.

In the dialog that pops up you'll be able to delete the rule that sealed this package.

Note that in principle more than one rule may specify that a certain package is to be sealed. For example, you may first have defined a rule fixing [email protected] in a particular project. Then, after encountering the same vulnerable package in a different project, you may have defined a global rule fixing all instances of [email protected]. This means that there are two distinct rules specifying that [email protected] in the first project must be remediated. In that situation you will see more than one rule in the unseal dialog, and you will be able to select whether and which rules to delete.
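The following is an added example (not Seal's own CLI or server code) that models how the local and global rules described above resolve against a project's installed packages, including the case where two rules seal the same package; the rule shape, project names and the "-sp1" sealed-version suffix are assumptions for illustration.

```javascript
// A rule names a vulnerable package@version and applies either to one
// project (scope "local" with a projectId) or to every project ("global").
// Constructed sample rules; ids and names are placeholders.
const RULES = [
  { id: 1, scope: "local", projectId: "api-service", pkg: "examplepkg", version: "1.2.3" },
  { id: 2, scope: "global", pkg: "examplepkg", version: "1.2.3" },
  { id: 3, scope: "local", projectId: "web-frontend", pkg: "otherpkg", version: "2.0.0" },
];

// Every rule that requires pkg@version to be sealed in projectId.
// Several rules can match at once (a local rule created first, a global
// rule added later), which is the multi-rule situation in the unseal dialog.
function matchingRules(rules, projectId, pkg, version) {
  return rules.filter(r =>
    r.pkg === pkg && r.version === version &&
    (r.scope === "global" || r.projectId === projectId));
}

// Given the dependencies a CI job sees after install, plan which packages
// are substituted with a sealed build in this project. The sealed version
// is assumed to be named "<version>-sp1" (placeholder naming, not Seal's).
function planSubstitutions(rules, projectId, installed) {
  return installed
    .filter(d => matchingRules(rules, projectId, d.name, d.version).length > 0)
    .map(d => ({ name: d.name, from: d.version, to: `${d.version}-sp1` }));
}

// Unsealing deletes the selected rules; a package stays sealed in a project
// as long as any remaining rule still matches it.
function deleteRules(rules, idsToDelete) {
  const drop = new Set(idsToDelete);
  return rules.filter(r => !drop.has(r.id));
}
```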
