17 changes: 17 additions & 0 deletions src/content/supply-chain-security/malware-scanning
@@ -0,0 +1,17 @@
---
title: Malware Scanning
---

# Malware Scanning

Malware Scanning automatically checks packages for known malicious content — such as trojans, viruses, and other malware — as they are uploaded to your Cloudsmith repository. It is powered by [ClamAV](https://github.com/Cisco-Talos/clamav) and runs on every uploaded package before it becomes available for download.
Contributor

Would probably remove your/you where we've referenced them


If a threat is detected, the package upload fails at sync with a reason of "malware detected" and the package is not made available in the repository.

If you feel a package has been incorrectly identified as containing malware, please [contact us](https://cloudsmith.com/company/contact-us).

## Malware Scanning vs. Enterprise Policy Management
Contributor

Just policy management throughout, not Enterprise Policy Management


Enterprise Policy Management and the detection of malicious and vulnerable packages are based on security feeds and match to packages pulled from Upstream sources; like, NPMJS, Maven Central, etc.
Copilot AI Apr 8, 2026

The semicolon followed by "like," is grammatically incorrect. Use a comma instead: "...pulled from Upstream sources like NPMJS, Maven Central, etc." or use "such as" instead of "like".

Suggested change
Enterprise Policy Management and the detection of malicious and vulnerable packages are based on security feeds and match to packages pulled from Upstream sources; like, NPMJS, Maven Central, etc.
Enterprise Policy Management and the detection of malicious and vulnerable packages are based on security feeds and match to packages pulled from Upstream sources such as NPMJS, Maven Central, etc.

Contributor


I'd probably not capitalise Upstream here

Contributor

I feel like the match to packages reads funny. The way we've lumped policy management with the detection and then referring to matching there.


EPM is available to customers with our Advanced Securit add-on.
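Review bot: the "Malware Scanning vs. Enterprise Policy Management" section never states the contrast its heading promises; after the line "Enterprise Policy Management and the detection of malicious and vulnerable packages are based on security feeds..." add one sentence that spells it out, for example that malware scanning inspects the content of every package uploaded to the repository with ClamAV signatures, whereas policy management matches packages pulled from upstream sources against security feeds, so the two checks cover different cases rather than overlapping. Also expand the abbreviation on first use, "Enterprise Policy Management (EPM)", before the line "EPM is available to customers with our Advanced Securit add-on.", and fix "Securit" to "Security" there.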
Copilot AI Apr 8, 2026

Spelling error: "Securit" should be "Security"

Suggested change
EPM is available to customers with our Advanced Securit add-on.
EPM is available to customers with our Advanced Security add-on.

Contributor

I'm not sure it's a named feature like that. Maybe "Policy Management is available to customers with our advanced security capabilities." instead.