This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Set up custom package repositories

Learn how to configure custom package repositories for dependency resolution.

1: Authenticate to private packages using mTLS

2: Configure integration with AWS

Suppose your software components are private and are hosted in an internal package repository. In that case, you must provide authentication credentials to the registry, to create a complete bill of materials or perform static analysis.

You must set up custom package repositories if:

Your software package isn’t scanned as part of a post-build or install step
You are using the Endor Labs GitHub App
you are implementing scans across your environment for quick visibility
Authentication information to your private package repository is hosted outside of the repository

If your software components are private and hosted in AWS CodeArtifact, set up an OpenID Connect provider in AWS and create roles with trust policies to allow Endor Labs access to your CodeArtifact repositories. See Configure package manager integrations with AWS.

You can authenticate to private package artifact repositories using mutual TLS. See mTLS authentication to learn how to set up and authenticate.

Configure package manager integration

Endor Labs integrates with your self-hosted package repositories and source control systems to give you visibility into your environment. Package manager integrations allow users to simplify scanning using custom repositories.

Endor Labs generally respects package authentication and configuration settings and a package manager integration is usually not required to scan private packages successfully.

Use package manager integrations to simplify scanning when authentication to private repositories is not part of standard manifest or settings files.
Package manager integrations allow you to set custom repositories for each package ecosystem and the priority of each repository for scanning.

To set up a package manager integration:

Sign in to Endor Labs.
Select Manage > Integrations from the left sidebar.
Click Manage in the package manager configuration you want to customize.
Select Add Package Manager.
Enter the name of the package manager.
Select either Basic or AWS Code Artifactory as Authentication Type. See AWS authentication and basic authentication to learn more.
To set up authentication for Maven, PyPI, Nuget, RubyGems, Packagist, and npm, see connect to private repositories.
Click Advanced and select Propagate this policy to all child namespaces to apply the package manager integration to all child namespaces.
Select Add Package Manager.

If you want to delete a package manager integration, click the trash can icon at the far right of the integration.

Basic authentication to private package repositories

Use basic authentication to connect with private package repositories across supported ecosystems.

Authenticate to Maven, PyPI, RubyGems and Nuget private package repositories

To connect to private repositories of Maven, PyPI, RubyGems and Nuget, enter the package manager URL and the package registry credentials such as username and password.

Basic Authentication for package manager integrations

Authenticate to npm private package registries

To connect to npm registry, enter the scope, package manager URL, and either base64-encoded username and password or basic authentication token as authentication method. See base64 encoded token to learn how to generate the token.

Note

Ensure that you do not use both the authentication tokens at the same time.

Package manager for npm

Authenticate to Packagist private package repositories

To connect to Packagist repository, enter the package manager host and the package registry credentials such as username and password. Select HTTP Basic from the list of AUTHENTICATION FOR PRIVATE REPOSITORIES.

Package manager for Packagist

Test private package manager connection

Select Manage > Integrations from the left sidebar.
Click Manage in the package manager configuration you want to customize.
Click the vertical three dots of the package manager configured and select Test Connection.

Note

The integration does not perform authentication or authorization checks on the package manager repository.

Change package manager integration priority

Package manager integrations allow you to set the priority of each package repository used by a package manager in your tenant namespace. This defines the location from which a package manager looks when it attempts to resolve dependencies for a software package.

To change the package manager integration priority:

Click and hold the integration you would like to change the priority of.
Drag the integration to the priority spot that is most frequently used by your organization.

Package manager integrations

The following support matrix details support for package manager integrations:

Language	Ecosystem	Support	mTLS
Java	Maven (`mvn://`)	✓	✓
JavaScript	npm (`npm://`)	✓	✓
Python	PyPI (`pypi://`)	✓	✓
Ruby	Gem (`gem://`)	✓	✗
PHP	Composer (`composer://`)	✓	✗
.NET/C#	nuget (`nuget://`)	✓	✗
Gradle	Gradle Properties	Supported through API	✓

Private package manager integrations for Golang and Rust are not supported.

Private package manager integrations for Maven, PyPI, RubyGems, Nuget using API

Use endorctl to create a package manager resource through an API call and configure authentication for accessing private repositories during scans.

Note

Maven package manager configurations apply only to Maven build projects and not to Gradle build projects that use Maven repositories.
The PyPI package manager URL typically ends with /simple.

Run the following command to create a package manager resource and authenticate to private repository.

Replace:

username with your package registry username
xxxx with your package registry password
namespace with your namespace.

endorctl api create  -r PackageManager -n <namespace> -d '
{
    "meta": {
        "name": "test",
        "description": "test"
    },
    "spec": {
        "nuget": {
            "priority": 1,
            "url": "package manager url",
            "user": "username",
            "password": "xxxx"
        }
    },
    "propagate": true
} '

Private package manager integration for Gradle using API

Configure private package manager integration with Gradle to authenticate and fetch dependencies from private repositories during scans.

Gradle requires valid credentials, such as AWS access keys and GitHub or GitLab tokens, to access private repositories and fetch dependencies. Provide these credentials through the endorctl API call for GitHub App scans to run successfully.

The variable names you define (like mavenAccessKey, mavenSecretKey) must exactly match the property names used inside your build.gradle file when configuring credentials. For more information on how to align variable names with your build configuration, refer to Declaring private repositories.

Note

You can configure these credentials for the scans performed through the GitHub App.

Set Gradle credentials

Use endorctl to configure your repository credentials. You can set the necessary Gradle properties, allowing access to private repositories during the Gradle build process.

For example, to authenticate with an AWS S3-backed Maven repository, run the following commands to set the mavenAccessKey and mavenSecretKey properties. Replace namespace with your namespace.

endorctl api create -n <namespace> -r PackageManager -d '{
    "meta": {
        "name": "gradle properties"
    },
    "spec": {
        "gradle": {
            "property_key_name": "mavenAccessKey",
            "property_key_value": "your-access-key"
        }
    }
}'

endorctl api create -n <namespace> -r PackageManager -d '{
    "meta": {
        "name": "gradle properties"
    },
    "spec": {
        "gradle": {
            "property_key_name": "mavenSecretKey",
            "property_key_value": "your-secret-key"
        }
    }
}'

These credentials will then be available to your Gradle build at scan time. All values configured through the API are automatically exported as environment variables.

Considerations

When configuring Gradle credentials, consider the following scenarios:

AWS credentials with scan profile

If a scan profile is linked to your project, AWS credentials are directly written into ~/.gradle/gradle.properties and require exact key matches. You can use one of the following combinations:

AWS_ACCESS_KEY and AWS_SECRET_KEY
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

Authenticate using mutual TLS

Use mutual TLS to securely authenticate to artifact repositories. Currently, mutual TLS can be configured only through the API. See mTLS authentication for more information.

Package manager integration for npm using API

Use endorctl to create a package manager resource for your private npm registry and authenticate using one of the following tokens:

Base64-encoded username and password
Basic authentication token

You can configure multiple npm package managers only if each configuration is scoped.

Base64-encoded authentication token

Generate base64 token

To generate the base64 encoded username and password, run the following command. Copy the token generated and store it in a secure place.
```
echo -n 'username:plain_password' | openssl base64
```

Create package manager resource

Run the following command to create a package manager resource and authenticate to npm registry using base64 token without scope.

Replace:

base64 token with the generated base64 encoded username and password in the previous step.
namespace with your namespace.

endorctl api create  -r PackageManager -n <namespace> -d '
{
    "meta": {
        "name": "test npm with base64",
        "description": "test npm with base 64 token without scope"
    },
    "spec": {
        "npm": {
            "priority": 1,
            "url": "package manager url"
            "token": "base64 token"
        }
    },
    "propagate": true
} '

Basic authentication token

Run the following command to create a package manager resource and authenticate to npm registry using basic authentication token with scope.

Replace:

xxx with your authentication token.
namespace with your namespace.
@scope with your scope. For example, "scope":"@abc-corp".

endorctl api create  -r PackageManager -n <namespace> -d '
{
    "meta": {
        "name": "test npm with auth token",
        "description": "test npm with auth token with scope"
    },
    "spec": {
        "npm": {
            "priority": 1,
            "scope": "@scope",
            "url": "package manager url",
            "auth_token": "xxxx"
        }
    },
    "propagate": true
} '

Package manager integration for Packagist using API

Run the following command to create a package manager resource and authenticate to Packagist repository.

Replace:

username with your package registry username.
xxxx with your package registry password.
namespace with your namespace.
your host with your package manager host. For example, "host": "repo.packagist.com".

endorctl api create  -r PackageManager -n <namespace> -d '
{
    "meta": {
        "name": "test packagist",
        "description": "test packagist"
    },
    "spec": {
        "packagist": {
           "auth_kind": "AUTH_KIND_HTTP_BASIC",
            "host": "your host",
            "user": "username",
            "password": "xxxx"
        }
    },
    "propagate": true
} '

Fetch package manager

Run the following command to fetch the package manager using the UUID:

endorctl api get -r packageManager -n <your namespace>  --uuid <take uuid from list command>

Delete package manager

Run the following command to delete the package manager using the UUID:

endorctl api delete -r packageManager -n <your namespace>  --uuid <take uuid from list command>

1 - Authenticate to private packages using mTLS

Learn how to configure custom package repositories for dependency resolution using mTLS.

Mutual Transport Layer Security (mTLS) is a protocol that mandates both the sender and receiver to authenticate each other before establishing a secure connection. Each party verifies the other’s certificate, ensuring authenticity and trust. This establishes a secure connection between both the parties.

Use mutual TLS to securely authenticate to artifact repositories.

Set up mTLS

Perform the following steps to set up a secure mTLS connection:

Note

If your certificate is in PKCS12 format, you can start with step 1. If you already have a PEM certificate, you can skip to step 2.

Generate client certificate and client key

Run the following command to generate the client certificate in the Privacy Enhanced Mail (PEM) format. Replace <pkcs12 file> with the name of your .p12 file.
```
openssl pkcs12 -in <pkcs12 file>.p12 -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > client.crt
```
Run the following command to generate the client key in the Privacy Enhanced Mail (PEM) format. Replace <pkcs12 file> with the name of your .p12 file.
```
openssl pkcs12 -in <pkcs12 file>.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > client.key
```
Ensure you have your PKCS12 certificate and its password ready. When prompted, enter the password.
Format the client certificate and client key as json

Run the following command to format the client certificate as json:
```
awk '{printf "%s\\n", $0}' client.crt
```
Run the following command to format the client key as json:
```
awk '{printf "%s\\n", $0}' client.key
```
Create a package manager resource after generating the client certificate and client key.

Authenticate to Gradle repository

Run the following command to create a package manager resource and authenticate to Gradle artifact repository. Replace namespace with your namespace.

endorctl api create -n <namespace> -r packageManager -d '{
    "meta": {
        "name": "test mtls for npm creation",
        "description": "test mtls creation"
    },
    "spec": {
        "gradle": {
            "property_key_name": "ENDOR_MTLS_CONFIGURATION",
            "property_key_value": "any non empty value",
            "mtls": {
                "client_cert": "formatted pem client.crt",
                "client_key": "formatted pem client.key"
            }
        }
    }
}'

Note

The property_key_name must be set exactly as ENDOR_MTLS_CONFIGURATION.

Authenticate to Maven repository

Run the following command to create a package manager resource and authenticate to Maven repository.

Replace:

namespace with your namespace.
https://nexus.example.com/repository/public with your Maven repository URL.

endorctl api create -n <namespace> -r packageManager -d '{
    "meta": {
        "name": "test mtls for npm creation",
        "description": "test mtls creation"
    },
    "spec": {
        "mvn": {
            "url": "https://nexus.example.com/repository/public",
            "mtls": {
                "client_cert": "formatted pem client.crt",
                "client_key": "formatted pem client.key"
            }
        }
    }
}'

Authenticate to PyPI repository

Run the following command to create a package manager resource and authenticate to PyPI repository.

Replace:

namespace with your namespace.
https://nexus.example.com/repository/pypi with your PyPI repository URL.

endorctl api create -n <namespace> -r packageManager -d '{
    "meta": {
        "name": "test mtls for python creation",
        "description": "test mtls creation"
    },
    "spec": {
        "pypi": {
            "priority": 1,
            "url": "https://nexus.example.com/repository/pypi",
            "mtls": {
                "client_cert": "formatted pem client.crt",
                "client_key": "formatted pem client.key"
            }
        }
    }
}'

Authenticate to npm registry

Run the following command to create a package manager resource and authenticate to npm registry.

Replace:

namespace with your namespace.
https://nexus.example.com/repository/npm with your npm registry URL.

endorctl api create -n <namespace> -r packageManager -d '{
    "meta": {
        "name": "test mtls for  npm creation",
        "description": "test mtls creation"
    },
    "spec": {
        "npm": {
            "url": "https://nexus.example.com/repository/npm",
            "mtls": {
                "client_cert": "formatted pem client.crt",
                "client_key": "formatted pem client.key"
            }
        }
    }
}'

2 - Configure integration with AWS

Learn how to configure package manager integrations with AWS CodeArtifact.

Configure Endor Labs to integrate with AWS CodeArtifact to use private libraries to build and scan your software.

You must Create an OpenID Connect provider in AWS IAM to allow Endor Labs to authenticate and assume roles securely. Then, configure an IAM role with a trust policy to grant Endor Labs read-only access to AWS CodeArtifact repositories.

You can configure the resources using the AWS Management Console, AWS CloudFormation Template, or the AWS CLI.

Create AWS resources from the AWS management console

Create the AWS resources required for this integration from the AWS user management console.

Create an OpenID Connect provider

In AWS, create an OpenID Connect provider and authenticate Endor Labs to assume roles.

Sign into Identity and Access Management (IAM).
From Access Management, select Identity Providers.
Click Add Provider and choose OpenID Connect.
In Provider URL enter the Endor Labs application URL https://api.endorlabs.com.
Enter an Audience such as endor-aws-code-artifact and click Add Provider.

You must keep the Provider URL and Audience values handy.

Create an IAM role with trust policies

In AWS IAM, create roles that Endor Labs can assume once its users or services are authenticated. Associate each role with a trust policy that grants Endor Labs read-only access to repositories in AWS CodeArtifact.

From IAM, select Roles.
Click Create Role.
From Trusted entity type, select Web Identity and click Next.
Select the Identity provider you created in the previous task and for Audience select the exact value used in the previous task then click Add condition.
Under Add condition set the Key to api.endorlabs.com:sub, set the Condition to StringLike and for the value, input <insert-your-tenant>/*. Make sure to replace <insert-your-tenant> with your tenant name. For example demo/*.
Add one more condition setting Key to api.endorlabs.com:sub, set the Condition to StringLike and for the value, input <insert-your-tenant>.*/*, for example demo.*/* and click Next.
From Permission policies, select AWSCodeArtifactReadOnlyAccess and click Next.
Enter a name for the role such as endor-aws-code-artifact-role and include an optional description.
Review the Select trusted entities section, then click Edit to make modifications if required. It should look like the following example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {
                "Federated": "arn:aws:iam::<AWS-Account-ID>:oidc-provider/api.endorlabs.com"
            },
            "Condition": {
                "StringLike": {
                    "api.endorlabs.com:sub": [
                        "<insert-your-namespace>/*",
                        "<insert-your-namespace>.*/*"
                    ]
                },
                "StringEquals": {
                    "api.endorlabs.com:aud": [
                        "endor-aws-code-artifact"
                    ]
                }
            }
        }
    ]
}

Click Create Role.

You must keep the role ARN handy to enter in the Endor Labs application.

You can now go and configure the package manager integration in Endor Labs

Create AWS resources using a CFT template

Use AWS CloudFormation Template (CFT) to automate the creation and configuration of AWS resources required for this integration.

Create a .cft file from the following script entering the OIDC URL, audience, namespace, and role name.

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create an IAM OpenID Connect (OIDC) identity provider and an IAM role with AWSCodeArtifactReadOnlyAccess.

Parameters:
  OIDCUrl:
    Description: The URL of the OIDC provider (e.g., https://api.endorlabs.com).
    Type: String
    Default: "https://api.endorlabs.com"

  ClientId:
    Description: The audience claim to use in the OIDC trust policy (e.g., endor-aws-code-artifact).
    Type: String
    Default: "endor-aws-code-artifact"

  Namespace:
    Description: The namespace in the OIDC sub claim to allow (e.g., demo).
    Type: String
    Default: "Enter your Endor Labs namespace"

  RoleName:
    Description: IAM role name (e.g., endor-aws-code-artifact-role).
    Type: String
    Default: "endor-aws-code-artifact-role"

Resources:
  OpenIDConnectProvider:
    Type: "AWS::IAM::OIDCProvider"
    Properties:
      Url: !Ref OIDCUrl
      ClientIdList:
        - !Ref ClientId
    DeletionPolicy: Retain

  CodeArtifactRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: !Ref OpenIDConnectProvider  # Directly reference OIDC Provider created in the same template
            Action: "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "api.endorlabs.com:aud": !Ref ClientId
              StringLike:
                "api.endorlabs.com:sub":
                  - !Sub "${Namespace}/*"
                  - !Sub "${Namespace}.*/*"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
    DeletionPolicy: Retain

Outputs:
  TargetRoleArn:
    Description: The ARN of the newly created IAM role
    Value: !GetAtt CodeArtifactRole.Arn

  AllowedAudience:
    Description: The allowed audience
    Value: !Ref ClientId

Save this file with an appropriate name such as awscodeartifact-endor-labs.cft, and have it handy.
Sign into AWS CloudFormation and search for Stacks.
Click Create Stack and select Choose an existing template.
From Template source, select Upload a template file.
Click Choose file, select the file you saved awscodeartifact-endor-labs.cft and click Next.
In Specify stack details, choose a name for the stack, verify the Parameters you entered in the script and click Next.
Select the acknowledgement from Configure stack options and click Next.
From Review and Create, review the details and click Submit. Check the progress of the creation of your resources from Stacks. Once the stack is created, you can see the status as CREATE_COMPLETE.
Click Outputs to see the target role ARN and the AllowedAudience values. Have the values handy to enter in the Endor Labs application.
You can now go and configure the package manager integration in Endor Labs

Create resources from the AWS CLI

To create the necessary resources for CodeArtifact integration with the AWS CLI use the following procedure:

First, create a new OIDC provider in AWS:

aws iam create-open-id-connect-provider \
    --url https://api.endorlabs.com \
    --client-id-list endor-aws-code-artifact

Keep the OpenIDConnectProviderArn returned during the create command handy. If you lose it you can retrieve it using the following command:

aws iam list-open-id-connect-providers

Next, you’ll need to create a role to provide the OIDC provider access to AWS CodeArtifact. Ensure you replace <insert-your-namespace> with your Endor Labs namespace and <insert-your-account-id> with your AWS account ID.

aws iam create-role \
    --role-name endor-aws-code-artifact-role \
    --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<insert-your-account-id>:oidc-provider/api.endorlabs.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "api.endorlabs.com:aud": "endor-aws-code-artifact"
                },
                "StringLike": {
                    "api.endorlabs.com:sub": [
                        "<insert-your-namespace>/*",
                        "<insert-your-namespace>.*/*"
                    ]
                }
            }
        }
    ]
}'

Finally, assign the role a permissions policy to access AWS CodeArtifact.

aws iam attach-role-policy \
    --role-name endor-aws-code-artifact-role \
    --policy-arn arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess

You can now go and configure the package manager integration in Endor Labs

Configure package manager integration in Endor Labs with AWS CodeArtifact

After creating an IAM role in AWS with the necessary trust policies, configure AWS CodeArtifact package manager integration within the Endor Labs application.

Sign in to Endor Labs and under Manage, select Integrations.
Select the package manager configuration you’d like to customize and click Manage
In the upper right-hand corner, select Add Package Manager.
Select AWS Code Artifactory.
In DOMAIN, enter the name of your repository in AWS CodeArtifact.
In DOMAIN OWNER, enter the AWS account ID that owns the CodeArtifact repository.
In REPOSITORY, enter the repository name.
In TARGET ROLE ARN, enter the role ARN you created.
In ALLOWED AUDIENCE, enter the Audience value specified during role creation. In this example we used endor-aws-code-artifact.
In REGION, enter the AWS region of the AWS Code Artifact Repository.
Select if you want to Propagate this package manager to all child namespaces from Advanced.
Select Add Package Manager.