# Package Discovery

The first thing we need to do is discover what vulnerable packages are currently in use. In the onboarding screen you will have the option to connect the Seal platform to your source control.

Package discovery can be done in three main ways:

1. If you're using [GitHub](https://docs.sealsecurity.io/fundamentals/readme/package-discovery/connecting-to-github), [GitLab](https://docs.sealsecurity.io/fundamentals/readme/package-discovery/connecting-to-gitlab) or [Azure DevOps](https://docs.sealsecurity.io/fundamentals/readme/package-discovery/connecting-to-azure-devops), you can connect the Seal platform to your repositories. Seal's app will then scan your project dependencies and identify the vulnerable packages. To proceed with this setup click on the relevant Import button in the onboarding screen, and follow the appropriate source control specific instructions.
2. However, if you're not using one of the supported source controls, or prefer not to give Seal read access to your repositories, you may instead integrate the Seal CLI as [part of your CI pipeline](https://docs.sealsecurity.io/fundamentals/readme/package-discovery/connecting-to-the-ci-pipeline), and have it report home its scan results. To proceed with this setup click **Skip**.
3. Lastly, if you also prefer not to run the Seal CLI as part of your CI pipeline, you may instead [configure Seal as your artifact server](https://docs.sealsecurity.io/fundamentals/readme/package-discovery/connecting-to-the-artifact-server). With this configuration, Seal will identify the vulnerable packages you're pulling from the server. To proceed with this setup click **Skip**.

**It's highly recommended to use the Seal app if possible**, as it provides the best coverage and gives a clear picture of your vulnerable dependencies at all time. If that's problematic then having the CLI report back is also a good integration. The artifact server integration is discouraged, because due to caching issues Seal will have very limited visibility as to what version you're actually running.

<table><thead><tr><th width="172"></th><th width="174">Source control</th><th>CI pipeline</th><th>Artifact server</th></tr></thead><tbody><tr><td><strong>Coverage</strong></td><td>Any vulnerable dependency</td><td>Any vulnerable dependency</td><td>Only packages that are pulled from the Seal server</td></tr><tr><td><strong>Update frequency</strong></td><td>Always up-to-date</td><td>Only when the project is built</td><td>Only when the project is built</td></tr><tr><td><strong>Minimal permissions</strong></td><td>Read for your projects</td><td>Execution in your CI pipeline</td><td>None</td></tr><tr><td><strong>Alerts marked as fixed</strong></td><td>Automatically</td><td>Automatic only if using the Remote Configuration</td><td>Manually through the UI</td></tr></tbody></table>