ProGet Documentation

Integrating ProGet with Vor Security

You can also check out the Setting up Vor in ProGet video we made with Vor Security founder Ken Duck.

The Vor Security extension provides a Vulnerability Source that will automatically import vulnerability reports from various public databases using a Vor Security subscription.

Connecting to Vor Security

If you're not a Vor Security user, you'll need to make an account and request a trial license or purchase a professional license. This can be done by visiting https://vorsecurity.com/ and registering an account.

Once logged into Vor Security you can copy the API token.

After retrieving the API token from Vor Security, set it as your Vulnerability Source in ProGet by going to Administration > Manage Vulnerability Sources > Create Vulnerability Source.

Note that Vor Security only scans third-party packages for vulnerabilities.

Create an Assessment Type

To create a new Assessment type, go to Administration > Manage Assessment Types > Create Assessment Type.

When a vulnerability is detected, it is automatically assigned to the Unassessed type, and it will require user assessment before the affected package can be used.

Feed Level Configuration

Vulnerability sources are scoped at the feed level and can be added on a feed by feed basis. Since Security and Privileges are also scoped at the feed level, you are able to permit and restrict access to who is allowed to assess vulnerabilities.

Go to the Feeds tab and select the feed you want to add the vulnerability source to. Then select Manage Feed > Add Source.

Once the source is added, any package vulnerabilities found will be labeled Unassessed, and will be available for assessment.

Assessing Vulnerabilities

After you've added a vulnerability source, any known vulnerabilities will be available for assessment. These are viewed by clicking the Vulnerabilities tab.

Select any of the vulnerabilities listed to view additional details and assign an assessment status. Click Assess to select a new assessment type.

Assessments can have a set expiration which will force reassessment. This ensures that compliance needs are continually addressed and that security standards are upheld as development continues.
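The following Python script is an added example that models the workflow described on this page (new vulnerabilities start as Unassessed, a package becomes usable only once a permitting assessment is applied, and an expired assessment forces reassessment). It is not ProGet's or Vor Security's code; the assessment type names "Allowed" and "Blocked", the `usable` flag, the vulnerability identifiers and the package names are all constructed assumptions for illustration.

```python
"""Hypothetical model of ProGet-style vulnerability assessment with expiry.

Added example, not ProGet or Vor Security code. The assessment type names
("Unassessed", "Allowed", "Blocked") and the sample vulnerabilities below
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

UNASSESSED = "Unassessed"  # the type every newly imported vulnerability receives


@dataclass
class Assessment:
    assessment_type: str        # e.g. "Unassessed", "Allowed", "Blocked" (assumed names)
    usable: bool                # may packages carrying this assessment be consumed?
    expires_on: Optional[date]  # None means the assessment never expires


@dataclass
class Vulnerability:
    vuln_id: str
    package: str
    assessment: Assessment


def new_vulnerability(vuln_id: str, package: str) -> Vulnerability:
    """A freshly imported vulnerability is Unassessed and blocks use of the package."""
    return Vulnerability(vuln_id, package, Assessment(UNASSESSED, usable=False, expires_on=None))


def assess(vuln: Vulnerability, assessment_type: str, usable: bool,
           today: date, valid_days: Optional[int] = None) -> None:
    """Record an assessment; valid_days=None means no expiry, otherwise it expires after that many days."""
    expires = today + timedelta(days=valid_days) if valid_days is not None else None
    vuln.assessment = Assessment(assessment_type, usable, expires)


def needs_reassessment(vuln: Vulnerability, today: date) -> bool:
    """True when the vulnerability is still Unassessed or its assessment has expired."""
    a = vuln.assessment
    if a.assessment_type == UNASSESSED:
        return True
    return a.expires_on is not None and today >= a.expires_on


def package_usable(vuln: Vulnerability, today: date) -> bool:
    """A package is usable only under a permitting assessment that has not expired."""
    return vuln.assessment.usable and not needs_reassessment(vuln, today)


def reassessment_queue(vulns: List[Vulnerability], today: date) -> List[str]:
    """IDs of vulnerabilities in a feed that a reviewer must (re)assess as of today."""
    return [v.vuln_id for v in vulns if needs_reassessment(v, today)]


if __name__ == "__main__":
    # Constructed sample feed contents; identifiers and packages are placeholders.
    today = date(2024, 1, 1)
    feed = [
        new_vulnerability("VULN-0001 (constructed)", "example-lib 1.2.3"),
        new_vulnerability("VULN-0002 (constructed)", "example-tool 4.5.6"),
    ]
    # Accept the first finding for 30 days (e.g. a mitigation is in place); block the second.
    assess(feed[0], "Allowed", usable=True, today=today, valid_days=30)
    assess(feed[1], "Blocked", usable=False, today=today)
    for day in (today, today + timedelta(days=31)):
        print(day, "usable:", [package_usable(v, day) for v in feed],
              "queue:", reassessment_queue(feed, day))
```

The expiry check is inclusive on the expiry date, so a 30-day assessment recorded on 1 January stops permitting the package on 31 January and the finding reappears in the reassessment queue; a "Blocked" assessment without expiry never reappears in the queue but also never makes the package usable.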