Security scans on snap packages

Hi everyone, we are an open-source project looking into ways to use the Ubuntu store to deliver our application as a snap package. I have a question regarding security and vulnerability reports. Is there a mechanism in the Ubuntu store, or an external tool, to scan snap packages for security vulnerabilities in a similar way as cvescan does for deb packages or Snyk for container images? The main topic here is giving our users a transparent way to a) validate what they run in production and b) understand how it affects their security. I couldn't really find something like this; maybe I don't have enough Google-fu 🙂 Any hints would be welcome, and thank you in advance.

If you maintain a snap in the store, the store itself actually scans your snap regularly and will email you with a notification if a vulnerability in a shipped deb package is found. This indeed only works for debs from the archive that are included as dependencies etc. For things you build from source you might have to set up your own tool.

The store scan tool is also available as a snap, so you can run it at home:
