Find vulnerabilities (Web UI)

This tutorial shows you how to integrate VulnerableCode and how to discover vulnerable packages using the find_vulnerabilities pipeline.


This tutorial assumes that you have a working installation. If you don’t, please refer to the Installation page.

Configure VulnerableCode integration


The find_vulnerabilities pipeline requires access to a VulnerableCode database.

You can either deploy your own instance of VulnerableCode or connect to the public instance.

To configure your local environment, set the VULNERABLECODE_URL in your .env file:


Restarting the services is required following any changes to .env:

docker compose restart web worker
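
One way to sanity-check the setting before restarting the services, as an added example that is not part of the original tutorial or the project's own tooling. The function name check_vulnerablecode_url, the exit-code policy (HTTPS required unless the host is local, no credentials inside the URL) and the placeholder hostname vulnerablecode.example.org are assumptions.

```sh
# Added example: pre-flight check of the VULNERABLECODE_URL entry in a .env file.
# Exit codes (assumed policy): 0 ok, 1 missing, 2 duplicated, 3 bad URL or
# plaintext http to a remote host, 4 credentials embedded in the URL.
check_vulnerablecode_url() {
    env_file=${1:-.env}
    if [ ! -r "$env_file" ]; then echo "cannot read $env_file" >&2; return 1; fi
    # Active (uncommented) KEY=VALUE assignments only.
    matches=$(grep -E '^[[:space:]]*VULNERABLECODE_URL=' "$env_file" || true)
    count=$(printf '%s' "$matches" | grep -c . || true)
    if [ "$count" -eq 0 ]; then echo "VULNERABLECODE_URL is not set" >&2; return 1; fi
    if [ "$count" -gt 1 ]; then echo "VULNERABLECODE_URL set $count times" >&2; return 2; fi
    # Drop CR (CRLF files) and quote characters around the value.
    value=$(printf '%s' "${matches#*=}" | tr -d '\r"'"'")
    case $value in
        https://*|http://*) ;;
        *) echo "not an http(s) URL" >&2; return 3 ;;
    esac
    authority=${value#*://}
    authority=${authority%%/*}
    case $authority in
        *@*) echo "credentials embedded in URL" >&2; return 4 ;;   # value is not echoed
    esac
    host=${authority%%:*}
    if [ -z "$host" ]; then echo "URL has no host" >&2; return 3; fi
    # Lookups for the project's packages go to this host: require TLS unless local.
    case $value in
        http://*)
            case $host in
                localhost|127.0.0.1) ;;
                *) echo "plaintext http to remote host $host" >&2; return 3 ;;
            esac ;;
    esac
    echo "VULNERABLECODE_URL ok: $value"
}

# Constructed sample .env; the hostname is a placeholder, not a real instance.
sample=$(mktemp)
printf 'VULNERABLECODE_URL=https://vulnerablecode.example.org/\n' > "$sample"
check_vulnerablecode_url "$sample" && echo "then: docker compose restart web worker"
rm -f "$sample"
```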

Run the find_vulnerabilities pipeline

Open any of your existing projects containing a few detected packages.


If you do not have any projects available, please start with this tutorial: Analyze Docker Image (Web UI)

  • Click on the “Add pipeline” button and select the “find_vulnerabilities” pipeline from the dropdown list. Check the “Execute pipeline now” option and validate with the “Add pipeline” button.

  • Once the pipeline run completes successfully, you can reach the Packages list view by clicking the count number under the “PACKAGES” header.

  • A red bug icon is displayed next to all packages for which declared vulnerabilities were found.

  • Click the red bug icon to reach the vulnerability details for this package.