Set up custom package repositories

Learn how to configure custom package repositories for dependency resolution.

Suppose your software components are private and are hosted in an internal package repository. In that case, you must provide authentication credentials to the registry, to create a complete bill of materials or perform static analysis.

You must set up custom package repositories if:

  • Your software package isn’t scanned as part of a post-build or install step
  • You are using the Endor Labs GitHub App
  • you are implementing scans across your environment for quick visibility
  • Authentication information to your private package repository is hosted outside of the repository

If your software components are private and hosted in AWS CodeArtifact, set up an OpenID Connect provider in AWS and create roles with trust policies to allow Endor Labs access to your CodeArtifact repositories. See Configure package manager integrations with AWS.

You can authenticate to private package artifact repositories using mutual TLS. See mTLS authentication to learn how to set up and authenticate.

The following support matrix details support for package manager integrations:

Language Ecosystem Support mTLS
Java Maven (mvn://)
JavaScript npm (npm://)
Python PyPI (pypi://)
.NET/C# NuGet (nuget://)
Swift Swift (swift://)
Ruby Gem (gem://)
PHP Composer (composer://)
Gradle Gradle Properties Supported through API

Package manager integrations allow you to set the priority of each package repository used by a package manager in your tenant namespace. This defines the location from which a package manager looks when it attempts to resolve dependencies for a software package.

To change the package manager integration priority:

  1. Click and hold the integration you would like to change the priority of.
  2. Drag the integration to the priority spot that is most frequently used by your organization.