Supply Chain Security
Continuous Security
Continuous Security is a feature that provides an hourly feed of vulnerability and malicious package data from multiple sources (the refresh interval for each source is listed under Data Sources below). Whenever vulnerabilities or malicious packages are published or modified, we match them to artifacts in your Cloudsmith repositories. This enables faster identification of affected artifacts than scheduled or on-demand vulnerability scanning.
Early Access
Continuous Security is in Early Access (EA) as part of Cloudsmith's Enterprise Policy Manager feature.
Vulnerability Scanning vs. Continuous Security
Vulnerability Scanning
Cloudsmith scans artifacts as they are introduced into a repository for the first time. This scan analyzes the components of a package and then checks for vulnerabilities associated with them, which are listed in a vulnerability report. Note that when new vulnerabilities are disclosed, any existing report for impacted artifacts won’t flag them; a re-scan will be required to get the most up-to-date information.
Continuous Security
EPM Required
Continuous Security is only available for Cloudsmith workspaces where Enterprise Policy Manager (EPM) has been enabled.
Continuous Security matches the software artifacts in your Repository with vulnerability data from several sources. Unlike Vulnerability Scanning, Continuous Security responds automatically in real time as vulnerabilities are reported or modified in those sources, with no manual effort required. Whenever a threat that affects an artifact in your workspace is detected, Continuous Security triggers EPM policy evaluation, with the vulnerability data included in the policy input.
For more information about using EPM to address vulnerabilities identified by Continuous Security, see Getting Started with Enterprise Policy Manager and Rego Recipes.
Details of the specific vulnerability data available via Continuous Security are available in our API documentation under the vulnerabilities object in the PolicyInputV0 schema.
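As an added illustration (not Cloudsmith code, and not the PolicyInputV0 schema), the following Python models the matching step described above: artifacts already present in a repository are indexed, and each published or modified advisory in a feed batch is matched against them to produce a per-artifact input for policy evaluation, with no re-scan of the artifact. The Artifact and Advisory shapes, the version-range logic, and the sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Constructed example (not Cloudsmith code): models how a feed of advisories
# is matched against artifacts already present in a repository, so that a
# newly published or modified advisory yields a policy-evaluation input
# without re-scanning the artifact.

@dataclass(frozen=True)
class Artifact:
    ecosystem: str   # e.g. "npm", "PyPI" (constructed values)
    name: str
    version: str

@dataclass
class Advisory:
    id: str          # constructed identifier, e.g. "EXAMPLE-0001"
    ecosystem: str
    name: str
    ranges: list     # [(introduced, fixed_or_None), ...], OSV-style events
    modified: str    # timestamp of the feed record (assumed field)

def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; sufficient for this illustration."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version: str, ranges: list) -> bool:
    """True when version falls in any [introduced, fixed) range."""
    v = parse_version(version)
    for introduced, fixed in ranges:
        lo = parse_version(introduced)
        hi = parse_version(fixed) if fixed else None
        if lo <= v and (hi is None or v < hi):
            return True
    return False

class ContinuousMatcher:
    """Indexes repository artifacts by (ecosystem, name) so each incoming
    advisory is compared only against packages sharing its coordinates."""
    def __init__(self, artifacts):
        self.index = {}
        for a in artifacts:
            self.index.setdefault((a.ecosystem, a.name.lower()), []).append(a)

    def ingest(self, advisories):
        """Return one policy input per affected artifact for this feed batch."""
        hits = {}
        for adv in advisories:
            for a in self.index.get((adv.ecosystem, adv.name.lower()), []):
                if is_affected(a.version, adv.ranges):
                    hits.setdefault(a, []).append({"id": adv.id, "modified": adv.modified})
        return [{"artifact": a, "vulnerabilities": v} for a, v in hits.items()]
```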
Data Sources
Continuous Security uses the following data sources:
| Source | Refresh Interval |
|---|---|
| Common Vulnerabilities and Exposures (CVE) databases aggregated in Aqua Trivy DB | 6 hours |
| Exploit Prediction Scoring System (EPSS) | 24 hours |
| Vulnerabilities and Malicious Packages from the Open Source Vulnerability DB (OSV) | 1 hour |
Supported Formats
Continuous Security is available for all package formats supported by Cloudsmith’s Vulnerability Scanning feature.