# Artifact server In artifact server mode, the Seal Platform learns about your packages indirectly: by recording what your build pulls through the Seal Artifact Server. There is no source-side or CI-side scan; the only signal Seal sees is the act of pulling. A Seal Project is in artifact server mode only if it is not also connected to source control and the Seal CLI does not run against it. The moment either of those happens, the project promotes to a more reliable mode and the artifact-server signal stops being recorded. ## What it sees What Seal sees in artifact server mode depends on how you configure the Seal Artifact Server in your package manager. **As your primary or first-lookup remote.** When your package manager looks at the Seal Artifact Server first for every package, the Seal Artifact Server proxies the requests it cannot fulfill to the public registries (the npm public registry, Maven Central, PyPi, and so on) and serves sealed packages directly when one applies. In this configuration, Seal sees every package your build asks for, vulnerable origin versions included, not just the sealed versions you have already replaced. **As a secondary or fallback remote.** When your package manager only consults the Seal Artifact Server for the specific sealed packages it has been told to fetch from there, Seal sees only those sealed-version requests. Vulnerable origin versions your build still pulls from the public registries are invisible to Seal. In both configurations, the picture builds up as your build runs over time. It never represents the latest commit; it represents what has been requested so far. ### Caching Caching makes the picture more indeterminate. If your CI runners cache packages locally or your organization runs an internal artifact-server cache between your build and the Seal Artifact Server, the cache fulfills requests that would otherwise reach Seal. In that case Seal might see a package pulled once, on the first build that needed it, and then never see it again, even if every subsequent build still depends on it. Seal cannot tell from the artifact-server stream whether a package is still in use, abandoned, or in use across multiple Seal Projects whose builds happen to share a cache. ### One package, multiple versions in the same project Some package managers (npm in particular) allow the same project to use both a sealed version and the vulnerable origin version of the same package at the same time. Artifact server mode cannot tell these apart. The last pulled version of a given package wins: if the last pull was the sealed version, Seal records the package as sealed across the project; if the last pull was a vulnerable origin version, Seal records it as vulnerable across the project. Other discovery modes work from the manifest and do not have this problem. For ongoing remediation, the higher-reliability modes (CLI or source code) avoid this entire class of indeterminacy. ## What Seal needs Your package manager configured to use the Seal Artifact Server, with a [token](/new-documentation/new-docs/tokens.md) for authentication. No source-control connection and no CLI integration. ## When to choose this mode * The Seal CLI cannot run in your build (for example, when a vendor or another team owns the pipeline) but your package manager can be pointed at the Seal Artifact Server. * You operate the Artifact Server [deployment method](https://github.com/seal-community/gitbook/blob/main/new-docs/setup-apps-os/choosing-deployment-method.md) and want the discovery side to align with it. ## Setting it up A Seal Project enters artifact server mode automatically the first time your build pulls a sealed package authenticated as that project. To configure your package manager and tokens, see [Configuring the Seal Artifact Server for discovery](/new-documentation/new-docs/artifact-server-discovery.md). ## Related * [Configuring the Seal Artifact Server for discovery](/new-documentation/new-docs/artifact-server-discovery.md): how to set up your package manager and tokens. * [How Seal discovers your packages](/new-documentation/new-docs/how-seal-discovers-your-packages.md): how artifact server mode compares to the other three. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sealsecurity.io/new-documentation/new-docs/package-discovery-mode/artifact-server.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.