Set up custom package repositories

Learn how to configure custom package repositories for dependency resolution.

Suppose your software components are private and are hosted in an internal package repository. In that case, you must provide authentication credentials to the registry, to create a complete bill of materials or perform static analysis.

You must set up custom package repositories if:

  • Your software package isn’t scanned as part of a post-build or install step
  • You are using the Endor Labs GitHub App
  • you are implementing scans across your environment for quick visibility
  • Authentication information to your private package repository is hosted outside of the repository

If your software components are private and hosted in AWS CodeArtifact, set up an OpenID Connect provider in AWS and create roles with trust policies to allow Endor Labs access to your CodeArtifact repositories. See Configure package manager integrations with AWS.

Configure package manager integrations

Endor Labs integrates with your self-hosted package repositories and source control systems to give you visibility into your environment. Package manager integrations allow users to simplify scanning using custom repositories.

Endor Labs generally respects package authentication and configuration settings and a package manager integration is usually not required to scan private packages successfully.

  • Use package manager integrations to simplify scanning when authentication to private repositories is not part of standard manifest or settings files.

  • Package manager integrations allow you to set custom registries for each package ecosystem and the priority of each registry for scanning.

To set up a package manager integration:

  1. Under Manage, select Integrations.
  2. Select the package manager configuration you’d like to customize and click Connect
  3. In the upper right-hand corner, select Add Package Manager.
  4. Enter the credentials for the registry such as a package manager URL.
  5. Click Authenticate to this registry to check if the package registry is accessible.
  6. Select Add Package Manager.

If you would like to delete a package manager integration, click the trash can icon at the far right of the integration.

Change package manager integration priority

Package manager integrations allow you to set the priority of each package registry used by a package managers in your tenant namespace. This defines the location from which a package manager looks when it attempts to resolve dependencies for a software package.

To change the package manager integration priority:

  1. Click and hold the integration you would like to change the priority of.
  2. Drag the integration to the priority spot that is most frequently used by your organization.

Package manager integrations

The following support matrix details support for package manager integrations:

Language Ecosystem Supported
Java Maven (mvn://) Supported
JavaScript npm (npm://) Supported
Python PyPI (pypi://) Supported
Ruby Gem (gem://) Supported
PHP Composer (composer://) Supported
.NET/C# nuget (nuget://) Supported
Gradle Gradle properties Supported through API

Private package manager integration for Gradle

You can configure private package manager integration with Gradle to authenticate and fetch dependencies from private repositories during scans.

Gradle requires valid credentials, such as AWS access keys and GitHub or GitLab tokens, to access private repositories and fetch dependencies. Provide these credentials through the endorctl API call for GitHub App scans to run successfully.

The variable names you define (like mavenAccessKey, mavenSecretKey) must exactly match the property names used inside your build.gradle file when configuring credentials. For more information on how to align variable names with your build configuration, refer to Declaring private repositories.

Set Gradle credentials

Use endorctl to configure your repository credentials. You can set the necessary Gradle properties, allowing access to private repositories during the Gradle build process.

For example, to authenticate with an AWS S3-backed Maven repository, run the following commands to set the mavenAccessKey and mavenSecretKey properties. Replace namespace with your namespace.

endorctl api create -n <namespace> -r PackageManager -d '{
    "meta": {
        "name": "gradle properties"
    },
    "spec": {
        "gradle": {
            "property_key_name": "mavenAccessKey",
            "property_key_value": "your-access-key"
        }
    }
}'
endorctl api create -n <namespace> -r PackageManager -d '{
    "meta": {
        "name": "gradle properties"
    },
    "spec": {
        "gradle": {
            "property_key_name": "mavenSecretKey",
            "property_key_value": "your-secret-key"
        }
    }
}'

These credentials will then be available to your Gradle build at scan time. All values configured via the API are automatically exported as environment variables.

Considerations

When configuring Gradle credentials, consider the following scenarios:

AWS credentials with scan profile

If a scan profile is linked to your project, AWS credentials are directly written into ~/.gradle/gradle.properties and require exact key matches. You can use one of the following combinations:

  • AWS_ACCESS_KEY and AWS_SECRET_KEY
  • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
Authenticate using mutual TLS

Use mutual TLS to securely authenticate to artifact repositories. Currently, mutual TLS can only be configured via the API. Perform the following steps to configure mutual TLS:

  1. Extract the client certificate and client key

    Run the following command to extract the client certificate in the Privacy Enhanced Mail (PEM) format.

    openssl pkcs12 -in nexus-repo-srv.endorlabs.p12 -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > client.crt
    

    Run the following command to extract the client key in the Privacy Enhanced Mail (PEM) format:

    openssl pkcs12 -in nexus-repo-srv.endorlabs.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > client.key
    

    Ensure you have your PKCS12 certificate and its password ready. When prompted, enter the password.

  2. Format client certificate and client key as json

    Run the following command to format the client certificate as json :

    awk '{printf "%s\\n", $0}' client.crt
    

    Run the following command to format the client key as json:

    awk '{printf "%s\\n", $0}' client.key
    
  3. Create the package manager resource

    After generating the client certificate and client key, create a package manager resource using the following command. Replace namespace with your namespace:

    endorctl api create -n <namespace> -r packageManager -d '{
        "meta": {
            "name": "test mtls for npm creation",
            "description": "test mtls creation"
        },
        "spec": {
            "gradle": {
                "property_key_name": "ENDOR_MTLS_CONFIGURATION",
                "property_key_value": "any non empty value",
                "mtls": {
                    "client_cert": "formatted pem client.crt",
                    "client_key": "formatted pem client.key"
                }
            }
        }
    }'
    

Configure integration with AWS

Learn how to configure package manager integrations with AWS CodeArtifact.