Vulnerability scanning is an important practice in upholding compliance standards and ensuring only safe and secure packages are used in your software development process. ProGet's integration with vulnerability scanning tools provides awareness of packages with weak or vulnerable components.
This feature is available in paid and trial ProGet editions.
ProGet integrates with Vor Security as a vulnerability source. Vor Security pulls data from the National Vulnerability Database (NVD) and scans your third-party packages for known security risks. When risks are detected, they are shown in the ProGet UI on the Vulnerability tab.
For step-by-step instructions on configuring Vor Security as your vulnerability source, see the Vor Security tutorial.
ProGet comes with four built-in assessment types: Caution, Blocked, Ignore and Unassessed.
These assessment types may be edited and additional types can be added depending on your specific organizational needs.
When a vulnerability is found in a package, that package must be assessed before it can be downloaded and used.