Live Package Usage Scanning vs. Tracking Package Deployments
by Olivia Glenn-Han, on Jul 14, 2020 1:46:59 PM
Many ProGet users already know and love the Tracking Package Deployments feature of ProGet. A feature new to ProGet 5.3 is Live Package Usage Scanning. These features both add additional value to ProGet by increasing end-to-end visibility, but they are distinct features. They're basically two sides of the same coin.
What is Tracking Package Deployments?
The Tracking Package Deployments feature allows ProGet to communicate with a deployment tool like BuildMaster (or OctopusDeploy or another tool added by the API), recording information to package data lists about packages deployed from a feed. This feature records where a package was deployed to, when, and by what tool, giving a package-centered view of deployments.
Not only is this great for auditing purposes, but it also allows you to find vulnerable servers more quickly when a known vulnerability is identified: Referencing this list, you see all the servers running that specific package so you can make a quick update.
Because these records are automatically recorded from BuildMaster and OctopusDeploy, you save time. But the API makes it easy to add another deployment tool from which ProGet will record deployments.
It's possible to use Tracking Package Deployments to record package usage data with manual entries. But with the new Live Package Usage Scanning feature, that's not the best way to do it.
What is Live Package Usage Scanning?
Although ProGet 5.3 focused particular attention on adding a ton of Docker container support features, this ProGet release also added some new features and functions for packages, including Live Package Usage Scanning. This feature is available for the System & Software Configuration feed types currently supported in ProGet (i.e., Chocolatey, PowerShell, rpm, Debian, and UPack).
This new feature lets your ProGet instance "speak" to your Otter setup to scan and display which packages are deployed to which servers, letting you know on which servers packages are currently installed (or if they have been removed).
This not only saves time by easily identifying what package version is being used where but also allows you to quickly find a server made vulnerable by an identified package vulnerability. Sound familiar? We designed this feature to give ProGet users yet another way to have end-to-end visibility into where packages are being used in your organization.
Paid editions of ProGet can use this feature automatically, but Free users can still take advantage of it by adding manual records.
Try It Yourself
See the value of Live Package Usage Scanning and Tracking Package Deployments at your own organization: Get a license key for the free-forever version or a 30-day Enterprise free trial version of ProGet, BuildMaster, and Otter through MyInedo.