Download all nupkg packages for vulnerability scan

We are looking into doing vulnerability scans of our deployment packages in an efficient and pragmatic way. The idea is to download the latest version of all our deployment packages from the Octopus feed (or even more efficient, a delta) and let Nessus scan the files for vulnerabilities. Anyone got input on how to bulk download the latest version of each package in the internal nuget feed?

Hi Jasper,

Thank you for contacting Octopus Support.

Packages in the internal feed are located in the \Packages subdirectory of your Home directory, separated by Space. I would recommend scanning the files directly.

Let me know if you have any additional questions.

Regards,
Donny

Hi Donny,
That could be a possibility. In this case, I would have to filter out the newest version of each package manually, but still an ok approach.

Is there no way to query the NuGet feed directly?

Hi Jasper,

Thank you for getting back to me.

You may query the built-in feed for the latest package via the API with:
/api/Spaces-x/packages?filter=&latest=true&take=500

You may replace the '500' with the number of different packages.

You can then combine that with the following to download the packages:

Let me know what you think.

Regards,
Donny
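Putting the two halves of Donny's reply together, here is an added example (not from the thread, and not Octopus's own tooling) that queries the `latest=true` endpoint, follows paging, and downloads each `.nupkg` into a directory for the scanner. It also keeps a small manifest of PackageId to Version so a second run only fetches what changed, which is the "delta" Jasper mentioned. Assumptions not confirmed by the thread: the list response has the usual Octopus shape (`Items`, plus `Links["Page.Next"]` for the next page), each item carries `Id`, `PackageId`, `Version` and a `Links` map, and when no `Raw` link is present the file is served at `/api/{space}/packages/{id}/raw`. The sample page is constructed for illustration. Authenticate with the `X-Octopus-ApiKey` header using a key that only has read access to the built-in feed.

```python
"""Download the latest version of every package in an Octopus built-in feed.

Added example, not from the original thread. Assumed (not confirmed there):
the list response is {"Items": [...], "Links": {"Page.Next": "/api/..."}},
each item has Id/PackageId/Version/Links, and the raw file fallback path is
/api/{space}/packages/{id}/raw.
"""
import json
import os
import shutil
import urllib.request
from urllib.parse import urljoin

# Constructed sample page in the assumed Octopus shape; not real server output.
SAMPLE_PAGE = {
    "Items": [
        {"Id": "packages-WebApp.1.4.0", "PackageId": "WebApp", "Version": "1.4.0",
         "Links": {"Raw": "/api/Spaces-1/packages/packages-WebApp.1.4.0/raw"}},
        {"Id": "packages-Worker.2.0.1", "PackageId": "Worker", "Version": "2.0.1",
         "Links": {}},
    ],
    "Links": {},
}


def latest_packages(page, space_id):
    """Turn one page of /api/{space}/packages?latest=true into
    (package_id, version, raw_path) tuples."""
    targets = []
    for item in page.get("Items", []):
        raw = item.get("Links", {}).get("Raw")
        if not raw:
            # Assumed fallback path when the server gives no Raw link.
            raw = "/api/{}/packages/{}/raw".format(space_id, item["Id"])
        targets.append((item["PackageId"], item["Version"], raw))
    return targets


def delta(targets, manifest):
    """Keep only packages whose version differs from the previous scan's manifest."""
    return [t for t in targets if manifest.get(t[0]) != t[1]]


def fetch_json(url, api_key):
    req = urllib.request.Request(url, headers={"X-Octopus-ApiKey": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def iter_pages(first_path, base_url, fetch):
    """Yield pages, following Links["Page.Next"] until it is absent."""
    path = first_path
    while path:
        page = fetch(urljoin(base_url, path))
        yield page
        path = page.get("Links", {}).get("Page.Next")


def safe_filename(package_id, version):
    """Refuse ids that could escape the destination directory."""
    name = "{}.{}.nupkg".format(package_id, version)
    if os.path.basename(name) != name or ".." in name.split("."):
        raise ValueError("unsafe package name: " + name)
    return name


def download_latest(base_url, api_key, space_id, dest_dir, manifest=None, take=500):
    """Download every changed package; return (paths, updated manifest)."""
    manifest = dict(manifest or {})
    first = "/api/{}/packages?filter=&latest=true&take={}".format(space_id, take)
    os.makedirs(dest_dir, exist_ok=True)
    downloaded = []
    for page in iter_pages(first, base_url, lambda u: fetch_json(u, api_key)):
        for package_id, version, raw in delta(latest_packages(page, space_id), manifest):
            dest = os.path.join(dest_dir, safe_filename(package_id, version))
            req = urllib.request.Request(urljoin(base_url, raw),
                                         headers={"X-Octopus-ApiKey": api_key})
            with urllib.request.urlopen(req) as resp, open(dest, "wb") as fh:
                shutil.copyfileobj(resp, fh)
            manifest[package_id] = version
            downloaded.append(dest)
    return downloaded, manifest


if __name__ == "__main__":
    # Usage: OCTOPUS_URL=https://octopus.example OCTOPUS_API_KEY=API-... python fetch.py
    manifest_file = "scanned.json"
    previous = json.load(open(manifest_file)) if os.path.exists(manifest_file) else {}
    paths, current = download_latest(os.environ["OCTOPUS_URL"], os.environ["OCTOPUS_API_KEY"],
                                     os.environ.get("OCTOPUS_SPACE", "Spaces-1"),
                                     "packages-to-scan", previous)
    json.dump(current, open(manifest_file, "w"), indent=2)
    print("downloaded", len(paths), "packages")
```

The manifest is what makes repeat runs cheap: after the first full pull, only packages whose latest version changed are fetched again, so the scanner's working set stays small. The `take` value should still be at least the number of distinct packages, as Donny notes, or the paging loop will make several round trips.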
