This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
Set up custom package repositories
Learn how to configure custom package repositories for dependency resolution.
Suppose your software components are private and are hosted in an internal package repository. In that case, you must provide authentication credentials to the registry, to create a complete bill of materials or perform static analysis.
You must set up custom package repositories if:
- Your software package isn’t scanned as part of a post-build or install step
- You are using the Endor Labs GitHub App
- you are implementing scans across your environment for quick visibility
- Authentication information to your private package repository is hosted outside of the repository
If your software components are private and hosted in AWS CodeArtifact, set up an OpenID Connect provider in AWS and create roles with trust policies to allow Endor Labs access to your CodeArtifact repositories. See Configure package manager integrations with AWS.
Endor Labs integrates with your self-hosted package repositories and source control systems to give you visibility into your environment. Package manager integrations allow users to simplify scanning using custom repositories.
Endor Labs generally respects package authentication and configuration settings and a package manager integration is usually not required to scan private packages successfully.
-
Use package manager integrations to simplify scanning when authentication to private repositories is not part of standard manifest or settings files.
-
Package manager integrations allow you to set custom registries for each package ecosystem and the priority of each registry for scanning.
To set up a package manager integration:
- Under Manage, select Integrations.
- Select the package manager configuration you’d like to customize and click Connect
- In the upper right-hand corner, select Add Package Manager.
- Input a package manager URL for your given package registry.
- If a package registry is authenticated select Authenticate to this registry and enter a set of credentials that will be used to authenticate to the package registry.
- Select Add Package Manager.
If you would like to delete a package manager integration, click the trash can icon at the far right of the integration.
Change package manager integration priority
Package manager integrations allow you to set the priority of each package registry used by a package managers in your tenant namespace. This defines the location from which a package manager looks when it attempts to resolve dependencies for a software package.
To change the package manager integration priority:
- Click and hold the integration you would like to change the priority of.
- Drag the integration to the priority spot that is most frequently used by your organization.
Package manager integrations
The following support matrix details support for package manager integrations:
| Language |
Ecosystem |
Supported |
| Java |
Maven (mvn://) |
Supported |
| JavaScript |
npm (npm://) |
Supported |
| Python |
PyPI (pypi://) |
Supported |
| Ruby |
Gem (gem://) |
Supported |
| PHP |
Composer (composer://) |
Supported |
| .NET/C# |
nuget (nuget://) |
Supported |
Private package manager integrations for Golang and Rust are not supported.
1 - Configure integration with AWS
Learn how to configure package manager integrations with AWS CodeArtifact.
Configure Endor Labs to integrate with AWS CodeArtifact to use private libraries to build and scan your software.
You must Create an OpenID Connect provider in AWS IAM to allow Endor Labs to authenticate and assume roles securely. Then, configure an IAM role with a trust policy to grant Endor Labs read-only access to AWS CodeArtifact repositories.
You can configure the resources using the AWS Management Console, AWS CloudFormation Template, or the AWS CLI.
Create AWS resources from the AWS management console
Create the AWS resources required for this integration from the AWS user management console.
Create an OpenID Connect provider
In AWS, create an OpenID Connect provider and authenticate Endor Labs to assume roles.
- Sign into Identity and Access Management (IAM).
- From Access Management, select Identity Providers.
- Click Add Provider and choose OpenID Connect.
- In Provider URL enter the Endor Labs application URL
https://api.endorlabs.com.
- Enter an Audience such as endor-aws-code-artifact and click Add Provider.
You must keep the Provider URL and Audience values handy.
Create an IAM role with trust policies
In AWS IAM, create roles that Endor Labs can assume once its users or services are authenticated. Associate each role with a trust policy that grants Endor Labs read-only access to repositories in AWS CodeArtifact.
- From IAM, select Roles.
- Click Create Role.
- From Trusted entity type, select Web Identity and click Next.
- Select the Identity provider you created in the previous task and for Audience select the exact value used in the previous task then click Add condition.
- Under Add condition set the Key to
api.endorlabs.com:sub, set the Condition to StringLike and for the value, input <insert-your-tenant>/*. Make sure to replace <insert-your-tenant> with your tenant name. For example demo/*.
- Add one more condition setting Key to
api.endorlabs.com:sub, set the Condition to StringLike and for the value, input <insert-your-tenant>.*/*, for example demo.*/* and click Next.
- From Permission policies, select AWSCodeArtifactReadOnlyAccess and click Next.
- Enter a name for the role such as endor-aws-code-artifact-role and include an optional description.
- Review the Select trusted entities section, then click Edit to make modifications if required. It should look like the following example.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRoleWithWebIdentity",
"Principal": {
"Federated": "arn:aws:iam::<AWS-Account-ID>:oidc-provider/api.endorlabs.com"
},
"Condition": {
"StringLike": {
"api.endorlabs.com:sub": [
"<insert-your-namespace>/*",
"<insert-your-namespace>.*/*"
]
},
"StringEquals": {
"api.endorlabs.com:aud": [
"endor-aws-code-artifact"
]
}
}
}
]
}
- Click Create Role.
You must keep the role ARN handy to enter in the Endor Labs application.
You can now go and configure the package manager integration in Endor Labs
Create AWS resources using a CFT template
Use AWS CloudFormation Template (CFT) to automate the creation and configuration of AWS resources required for this integration.
- Create a
.cft file from the following script entering the OIDC URL, audience, namespace, and role name.
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create an IAM OpenID Connect (OIDC) identity provider and an IAM role with AWSCodeArtifactReadOnlyAccess.
Parameters:
OIDCUrl:
Description: The URL of the OIDC provider (e.g., https://api.endorlabs.com).
Type: String
Default: "https://api.endorlabs.com"
ClientId:
Description: The audience claim to use in the OIDC trust policy (e.g., endor-aws-code-artifact).
Type: String
Default: "endor-aws-code-artifact"
Namespace:
Description: The namespace in the OIDC sub claim to allow (e.g., demo).
Type: String
Default: "Enter your Endor Labs namespace"
RoleName:
Description: IAM role name (e.g., endor-aws-code-artifact-role).
Type: String
Default: "endor-aws-code-artifact-role"
Resources:
OpenIDConnectProvider:
Type: "AWS::IAM::OIDCProvider"
Properties:
Url: !Ref OIDCUrl
ClientIdList:
- !Ref ClientId
DeletionPolicy: Retain
CodeArtifactRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: !Ref RoleName
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Federated: !Ref OpenIDConnectProvider # Directly reference OIDC Provider created in the same template
Action: "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"api.endorlabs.com:aud": !Ref ClientId
StringLike:
"api.endorlabs.com:sub":
- !Sub "${Namespace}/*"
- !Sub "${Namespace}.*/*"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess"
DeletionPolicy: Retain
Outputs:
TargetRoleArn:
Description: The ARN of the newly created IAM role
Value: !GetAtt CodeArtifactRole.Arn
AllowedAudience:
Description: The allowed audience
Value: !Ref ClientId
- Save this file with an appropriate name such as
awscodeartifact-endor-labs.cft, and have it handy.
- Sign into AWS CloudFormation and search for Stacks.
- Click Create Stack and select Choose an existing template.
- From Template source, select Upload a template file.
- Click Choose file, select the file you saved
awscodeartifact-endor-labs.cft and click Next.
- In Specify stack details, choose a name for the stack, verify the Parameters you entered in the script and click Next.
- Select the acknowledgement from Configure stack options and click Next.
- From Review and Create, review the details and click Submit. Check the progress of the creation of your resources from Stacks. Once the stack is created, you can see the status as CREATE_COMPLETE.
- Click Outputs to see the target role ARN and the AllowedAudience values. Have the values handy to enter in the Endor Labs application.
- You can now go and configure the package manager integration in Endor Labs
Create resources from the AWS CLI
To create the necessary resources for CodeArtifact integration with the AWS CLI use the following procedure:
- First, create a new OIDC provider in AWS:
aws iam create-open-id-connect-provider \
--url https://api.endorlabs.com \
--client-id-list endor-aws-code-artifact
- Keep the OpenIDConnectProviderArn returned during the create command handy. If you lose it you can retrieve it using the following command:
aws iam list-open-id-connect-providers
- Next, you’ll need to create a role to provide the OIDC provider access to AWS CodeArtifact. Ensure you replace
<insert-your-namespace> with your Endor Labs namespace and <insert-your-account-id> with your AWS account ID.
aws iam create-role \
--role-name endor-aws-code-artifact-role \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<insert-your-account-id>:oidc-provider/api.endorlabs.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"api.endorlabs.com:aud": "endor-aws-code-artifact"
},
"StringLike": {
"api.endorlabs.com:sub": [
"<insert-your-namespace>/*",
"<insert-your-namespace>.*/*"
]
}
}
}
]
}'
- Finally, assign the role a permissions policy to access AWS CodeArtifact.
aws iam attach-role-policy \
--role-name endor-aws-code-artifact-role \
--policy-arn arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess
- You can now go and configure the package manager integration in Endor Labs
After creating an IAM role in AWS with the necessary trust policies, configure AWS CodeArtifact package manager integration within the Endor Labs application.
- Sign in to Endor Labs and under Manage, select Integrations.
- Select the package manager configuration you’d like to customize and click Manage
- In the upper right-hand corner, select Add Package Manager.
- Select AWS Code Artifactory.
- In DOMAIN, enter the name of your repository in AWS CodeArtifact.
- In DOMAIN OWNER, enter the AWS account ID that owns the CodeArtifact repository.
- In REPOSITORY, enter the repository name.
- In TARGET ROLE ARN, enter the role ARN you created.
- In ALLOWED AUDIENCE, enter the Audience value specified during role creation. In this example we used endor-aws-code-artifact.
- In REGION, enter the AWS region of the AWS Code Artifact Repository.
- Select if you want to Propagate this package manager to all child namespaces from Advanced.
- Select Add Package Manager.