ProGet Documentation


Vulnerability scanning is an important practice in upholding compliance standards and ensuring only safe and secure packages are used in your software development process. ProGet's integration with vulnerability scanning tools provides awareness of packages with weak or vulnerable components.

This feature is available in paid and trial ProGet editions.

Vulnerability Scanning Third-Party Sources

ProGet has an integration with Vor Security as a vulnerability source. Vor Security pulls data from The National Vulnerability Database and scans your third-party packages for known security risks. When risks are detected, they're displayed in the UI via the Vulnerability tab.

assessing a vulnerability

For step-by-step instructions on how to configure Vor Security as your source, visit the tutorial here. Or, check out the Setting up Vor in ProGet video we made with VorSecurity founder and CEO, Ken Duck.

Vulnerability assessment types

ProGet comes with four built-in assessment types: Caution, Blocked, Ignore and Unassessed.

  • Caution - Vulnerabilities that may effect some development project but not all
  • Blocked - Critical Vulnerabilities that do not meet compliance standards
  • Ignore - Minor Vulnerabilities that have little to no impact
  • Unassessed - New vulnerability found, requires user assessment
adding vulnerability source

These assessment types may be edited and additional types can be added depending on your specific organizational needs.

When a vulnerability is found, it will require assessment in order to be downloaded and used.

More on this topic: