On-Prem Vulnerability Database Updates

Keep your on-premises vulnerability database current with over-the-air updates from FOSSA's vulnerability feed.

3 min readUpdated Jul 9, 2026

Enterprise feature

Access to FOSSA's vulnerability feed is governed by your contract. Confirm with your FOSSA account team before enabling updates.

Overview

When FOSSA runs on-premises, its vulnerability database lives in your own environment. The over-the-air (OTA) updater keeps that database current by periodically pulling the latest data from FOSSA's vulnerability feed at vulns.fossa.com. This page explains how the updater works and how to enable and monitor it.

Warning

The updater authenticates to the feed with a Vulnerability Service API token (a token ID and secret), which is separate from your main FOSSA API token. See Vulnerability Service API Token Provisioning to request one.

How the updater works

  • The updater runs inside your cluster as a Kubernetes CronJob (onprem-vulns-updater).
  • It polls FOSSA's vulnerability feed once per hour, but only downloads a new snapshot when FOSSA has published new data, so most runs are no-ops. FOSSA publishes new data roughly daily.
  • Enabling the updater also turns on the Security product in your installation and runs a vulnerability database migration as part of your next Helm upgrade.
  • The updater only pulls vulnerability intelligence into your instance; your proprietary code and scan results never leave your network. See the Architecture Overview for how outbound connections are scoped.

Enabling OTA updates

  1. 1

    Locate the vulns configuration

    In your Helm values, the vulnerability updater is disabled by default:

    YAML
    vulns:  # URL of the FOSSA Vulns update service.  host: https://vulns.fossa.com   # Provided by FOSSA to authenticate your installation to the update service.  auth:    id: ""    secret: ""   updater:    enabled: false
  2. 2

    Add your credentials and enable the updater

    Set updater.enabled to true and fill in the token ID and secret provisioned by FOSSA:

    YAML
    vulns:  host: https://vulns.fossa.com   auth:    id: "<provisioned key ID>"    secret: "<provisioned key secret>"   updater:    enabled: true

    Warning

    host and auth sit directly under vulns:, not nested inside updater:. The updater requires vulns.auth.id and vulns.auth.secret to be set.

  3. 3

    Apply the change

    Run helm upgrade to apply the updated values. The updater runs on a schedule, so it may not run immediately, the first update typically lands within an hour.

Monitoring updates

Once enabled, the updater runs unattended; no further action is needed. To confirm updates are landing, check the status of the onprem-vulns-updater CronJob, or query the database for the time elapsed since the last successful update:

SQL
SELECT (now() - (SELECT "createdAt" FROM "VulnMigrations" ORDER BY id DESC LIMIT 1))-- example: 0 years 0 mons 0 days 4 hours 23 mins 9.114582 secs

Required network egress

If your cluster sits behind a firewall, allow outbound access to FOSSA's vulnerability feed and its file storage. See IP Space Allowlisting for the exact hosts and IP ranges.

FAQ

How often does the updater run? It polls hourly, but only downloads data when FOSSA has published a new snapshot, so you'll typically see roughly one new update per day.

Can I update vulnerabilities in an air-gapped environment? If your installation cannot reach vulns.fossa.com, you can pull the dataset manually instead. See Vulnerability Snapshot Downloads, and ask your FOSSA account team about an offline import path.

Do I need to enable anything else to use vulnerability data? No. Enabling the updater automatically turns on the Security product in your installation.

© 2026 FOSSA, Inc.support@fossa.com