Private package manager integration for Gradle
Configure Endor Labs to integrate with private Gradle repositories to access proprietary dependencies during security scanning and analysis. When your Gradle projects depend on artifacts hosted in private or corporate repositories, Endor Labs requires authentication credentials to resolve these dependencies and generate a complete bill of materials.
This integration enables Endor Labs to:
- Access private Gradle artifacts during dependency resolution
- Generate comprehensive security analysis including private dependencies
- Maintain complete visibility into your software supply chain
Private package manager integration for Gradle using API
Configure private package manager integration with Gradle to authenticate and fetch dependencies from private repositories during scans.
Gradle requires valid credentials, such as AWS access keys and GitHub or GitLab tokens, to access private repositories and fetch dependencies. Provide these credentials through the endorctl API call for GitHub App scans to run successfully.
The variable names you define (like mavenAccessKey, mavenSecretKey) must exactly match the property names used inside your build.gradle file when configuring credentials. For more information on how to align variable names with your build configuration, refer to Declaring private repositories.
Note
You can configure these credentials for the scans performed through the GitHub App.
Set Gradle credentials
Use endorctl to configure your repository credentials. You can set the necessary Gradle properties, allowing access to private repositories during the Gradle build process.
For example, to authenticate with an AWS S3-backed Maven repository, run the following commands to set the mavenAccessKey and mavenSecretKey properties. Replace namespace with your namespace.
endorctl api create -n <namespace> -r PackageManager -d '{
  "meta": {
    "name": "gradle properties"
  },
  "spec": {
    "gradle": {
      "property_key_name": "mavenAccessKey",
      "property_key_value": "your-access-key"
    }
  }
}'

endorctl api create -n <namespace> -r PackageManager -d '{
  "meta": {
    "name": "gradle properties"
  },
  "spec": {
    "gradle": {
      "property_key_name": "mavenSecretKey",
      "property_key_value": "your-secret-key"
    }
  }
}'
These credentials will then be available to your Gradle build at scan time. All values configured through the API are automatically exported as environment variables.
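Because the configured names must exactly match the property names in build.gradle, a pre-flight check can catch a mismatch before a scan. The following is an added example, not Endor Labs code: the sample build script, the bucket URL, and the function names are constructed for illustration.

```python
import re

# Constructed sample build.gradle (not from the original page): an S3-backed
# Maven repository whose credentials are read from Gradle properties.
SAMPLE_BUILD_GRADLE = '''
repositories {
    maven {
        url "s3://example-bucket/releases"   // placeholder bucket
        credentials(AwsCredentials) {
            accessKey = findProperty("mavenAccessKey")
            secretKey = project.property('mavenSecretkey')  // lowercase k: typo
        }
    }
}
'''

# Common ways a Groovy build script looks up a Gradle property by name.
PROPERTY_REF = re.compile(
    r'''\b(?:findProperty|hasProperty|property|gradleProperty)\(\s*["']([^"']+)["']\s*\)'''
)

def referenced_properties(build_script):
    """Return the set of property names the build script looks up."""
    return set(PROPERTY_REF.findall(build_script))

def check_names(build_script, configured):
    """Compare names used in the build script with the configured names."""
    used = referenced_properties(build_script)
    missing = sorted(used - configured)   # used by the build, never configured
    unused = sorted(configured - used)    # configured, never read by the build
    # A case-only difference is an easy mismatch to overlook.
    by_lower = {name.lower(): name for name in unused}
    case_mismatch = [(m, by_lower[m.lower()]) for m in missing
                     if m.lower() in by_lower]
    return {"missing": missing, "unused": unused, "case_mismatch": case_mismatch}

if __name__ == "__main__":
    # Names set with property_key_name in the endorctl commands above.
    configured = {"mavenAccessKey", "mavenSecretKey"}
    for kind, items in check_names(SAMPLE_BUILD_GRADLE, configured).items():
        print(f"{kind}: {items}")
```

Any name reported under missing is read by the build but has no configured property of exactly that name.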
Considerations
When configuring Gradle credentials, consider the following scenarios:
AWS credentials with scan profile
If a scan profile is linked to your project, AWS credentials are directly written into ~/.gradle/gradle.properties and require exact key matches. You can use one of the following combinations:
- AWS_ACCESS_KEY and AWS_SECRET_KEY
- AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
Authenticate using mutual TLS
Use mutual TLS to securely authenticate to artifact repositories. Currently, mutual TLS can be configured only through the API. See mTLS authentication for more information.
Fetch package manager
Run the following command to fetch the package manager using the UUID:
endorctl api get -r packageManager -n <your namespace> --uuid <take uuid from list command>
Delete package manager
Run the following command to delete the package manager using the UUID:
endorctl api delete -r packageManager -n <your namespace> --uuid <take uuid from list command>