ProGet Documentation

Integrating ProGet with Vor Security

You can also check out the Setting up Vor in ProGet video we made with VorSecurity founder and CEO, Ken Duck.

Vulnerability scanning is an important practice in upholding compliance standards and ensuring only safe and secure packages are used in your software development process. Combining vulnerability scanning with package management in your toolchain is a key step for faster development while maintaining DevOps best practices.

Connecting to Vor Security

If you're not a Vor Security user, you'll need to make an account and request a trial license or purchase a professional license. This can be done by visiting https://vorsecurity.com/ and registering an account.

Once logged into Vor Security you can copy the API token.

After retrieving the API token from Vor Security, add it as a Vulnerability Source in ProGet by going to Administration > Manage Vulnerability Sources > Create Vulnerability Source and pasting the token into the new source.

Note that Vor Security only scans third-party packages for vulnerabilities.

Managing Assessments

ProGet comes with four built-in assessment types: Caution, Blocked, Ignore and Unassessed.

  • Caution - Vulnerabilities that may affect some development projects but not all
  • Blocked - Critical vulnerabilities that do not meet compliance standards
  • Ignore - Minor vulnerabilities that have little to no impact
  • Unassessed - Newly found vulnerability that still requires user assessment

You can add any additional assessment types that may be needed. Assessment types allow you to control when vulnerable packages can be used and downloaded which helps to ensure compliance standards are met.

To create a new assessment type, go to Administration > Manage Assessment Types > Create Assessment Type.

When a vulnerability is detected, it is automatically assigned the Unassessed type, and the affected package cannot be used until a user has assessed it.

Feed Level Configuration

Vulnerability sources are scoped at the feed level and can be added on a feed-by-feed basis. Since security and privileges are also scoped at the feed level, you can control, per feed, which users are allowed to assess vulnerabilities.

Go to the Feeds tab and select the feed you want to add the vulnerability source to. Then select Manage Feed > Add Source.

Once the source is added any package vulnerabilities found will be labeled Unassessed, and will be available for assessment.

Note that you can also manually create vulnerability sources to identify and assess in-house packages that have known vulnerabilities, since Vor Security only covers third-party packages.

Assessing Vulnerabilities

After you've added a vulnerability source, any known vulnerabilities will be available for assessment. These are viewed by clicking the Vulnerabilities tab.

Select any of the vulnerabilities listed to view additional details and assign an assessment status. Click Assess to select a new assessment type.

Assessments can have a set expiration which will force reassessment. This ensures that compliance needs are continually addressed and that security standards are upheld as development continues.
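The gating behaviour described in Managing Assessments and the expiration rule above can be seen in one place with a small policy model. This is an added example, not ProGet's own code or API: the per-type download policy (Blocked and Unassessed deny, Caution allows with a warning, Ignore allows), the rule that an expired assessment is treated as Unassessed, and the vulnerability identifiers and clock value are all assumptions constructed for the example.

```python
"""Model of assessment-type gating with expiration (illustrative, not ProGet code).

Assumed policy: a package is downloadable only if every vulnerability on it
carries an assessment whose type allows download. Missing or expired
assessments count as Unassessed, which denies download until reassessed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed "current time" so the example runs deterministically offline.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AssessmentType:
    name: str
    allow_download: bool   # assumed policy attached to each type
    warn: bool = False     # allowed, but surfaced to the consumer


# The four built-in types named in the text; download policy is assumed.
UNASSESSED = AssessmentType("Unassessed", allow_download=False)
BLOCKED = AssessmentType("Blocked", allow_download=False)
CAUTION = AssessmentType("Caution", allow_download=True, warn=True)
IGNORE = AssessmentType("Ignore", allow_download=True)


@dataclass
class Assessment:
    vuln_id: str
    type: AssessmentType
    expires: Optional[datetime] = None  # None means the assessment never expires

    def effective_type(self, now: datetime) -> AssessmentType:
        """An expired assessment reverts to Unassessed, forcing reassessment."""
        if self.expires is not None and now >= self.expires:
            return UNASSESSED
        return self.type


@dataclass
class Package:
    name: str
    version: str
    vuln_ids: List[str] = field(default_factory=list)


def evaluate(package: Package, assessments: List[Assessment],
             now: datetime) -> Tuple[bool, List[str]]:
    """Decide whether `package` may be downloaded at `now`.

    Returns (allowed, reasons). One denying vulnerability denies the whole
    package; Caution never denies but is reported as a warning.
    """
    by_id = {a.vuln_id: a for a in assessments}
    allowed = True
    reasons = []
    for vid in package.vuln_ids:
        a = by_id.get(vid)
        t = a.effective_type(now) if a is not None else UNASSESSED
        if not t.allow_download:
            allowed = False
            reasons.append(f"{vid}: {t.name} (download denied)")
        elif t.warn:
            reasons.append(f"{vid}: {t.name} (warning)")
        else:
            reasons.append(f"{vid}: {t.name}")
    return allowed, reasons


def reassessment_due(assessments: List[Assessment], now: datetime) -> List[str]:
    """Vulnerability ids whose assessment has expired and must be reassessed."""
    return [a.vuln_id for a in assessments if a.effective_type(now) is UNASSESSED
            and a.type is not UNASSESSED]


if __name__ == "__main__":
    # Constructed sample: one package with two hypothetical vulnerability ids.
    pkg = Package("example-lib", "1.0.0", ["VULN-0001", "VULN-0002"])
    current = [
        Assessment("VULN-0001", IGNORE),
        Assessment("VULN-0002", CAUTION, expires=NOW + timedelta(days=30)),
    ]
    print(evaluate(pkg, current, NOW))                 # allowed, with a warning
    print(evaluate(pkg, current, NOW + timedelta(days=31)))  # denied: expired
    print(reassessment_due(current, NOW + timedelta(days=31)))
```

Setting a short expiration on Caution assessments, as in the sample, is what turns "assess once" into the continual review the text describes: after the expiry the package is denied again until someone looks at it.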