Package Discovery

Last updated 5 months ago

The first thing we need to do is discover what vulnerable packages are currently in use. In the onboarding screen you will have the option to connect the Seal platform to your source control.

Package discovery can be done in three main ways:

  1. If you're using GitHub, GitLab, or Azure DevOps, you can connect the Seal platform to your repositories. Seal's app will then scan your project dependencies and identify the vulnerable packages. To proceed with this setup click on the relevant Import button in the onboarding screen, and follow the appropriate source control specific instructions.

  2. However, if you're not using one of the supported source controls, or prefer not to give Seal read access to your repositories, you may instead integrate the Seal CLI as part of your CI pipeline, and have it report home its scan results. To proceed with this setup click Skip.

  3. Lastly, if you also prefer not to run the Seal CLI as part of your CI pipeline, you may instead configure Seal as your artifact server. With this configuration, Seal will identify the vulnerable packages you're pulling from the server. To proceed with this setup click Skip.

It's highly recommended to use the Seal app if possible, as it provides the best coverage and gives a clear picture of your vulnerable dependencies at all times. If that's problematic, having the CLI report back is also a good integration. The artifact server integration is discouraged: because of caching, Seal will have very limited visibility into which version you're actually running.

|                        | Source control          | CI pipeline                                      | Artifact server                                    |
|------------------------|-------------------------|--------------------------------------------------|----------------------------------------------------|
| Coverage               | Any vulnerable dependency | Any vulnerable dependency                      | Only packages that are pulled from the Seal server |
| Update frequency       | Always up-to-date       | Only when the project is built                   | Only when the project is built                     |
| Minimal permissions    | Read for your projects  | Execution in your CI pipeline                    | None                                               |
| Alerts marked as fixed | Automatically           | Automatic only if using the Remote Configuration | Manually through the UI                            |
