Configure Mend for GitHub.com to resolve your private dependencies
Overview
In order to scan dependencies from private registries, Mend must be provided with credentials. These credentials must be added as encrypted secrets to the .whitesource file, either per-repository or in the shared global config if the secret scope is org-wide.
Use Case
Below is an example of applying private registry credentials in the hostRules block of a .whitesource file:

{
  "hostRules": [
    {
      "matchHost": "registry.npmjs.org",
      "hostType": "npm",
      "userName": "bot1",
      "encrypted": {
        "token": "3f832f2983yf89hsd98ahadsjfasdfjaslf............"
      }
    },
    {
      "matchHost": "https://custom.registry.company.com/maven/",
      "hostType": "maven",
      "userName": "bot1",
      "encrypted": {
        "password": "p278djfdsi9832jnfdshufwji2r389fdskj........."
      }
    }
  ]
}
Getting It Done
Mend for GitHub.com supports private registries hosted on any platform that can be accessed with credentials (Nexus, GitHub, Artifactory, Azure Artifacts, GitLab, NPM).
Allow Mend for GitHub.com access to resolve your private dependencies by doing the following:
Create the encrypted secrets. To do so, visit Mend's Repository Integration Secrets Encryption page. Each secret you encrypt is scoped to a GitHub organization and, optionally, a single repository; the app will only apply the secret inside that scope. The fields on the encryption page are:
Organization\Group - Required; the GitHub organization to which the secret is scoped.
Repository - Optional; the GitHub repository to which the secret is scoped.
Raw value - Required; the confidential value, such as a token or password.
Encrypted value - the result of the encryption, to be pasted into the integration.
Add the encrypted secret to the Private Registry Settings (hostRules) block of your .whitesource file. Commit only the encrypted value; the raw token or password must never be placed in the file.
Secrets are protected with PGP public-key (asymmetric) cryptography. The encryption page carries Mend's public key, which is used to encrypt the secret; the matching private key is held only by Mend and is the only key that can decrypt it. An encrypted value can therefore sit in a repository that Mend reads without anyone else being able to turn it back into the credential. The Organization/Group, Repository and Raw value you enter are all inside the encrypted payload, so the scope is bound to the secret and cannot be altered without re-encrypting it.
Automate Secret Encryption for Private Registries
You can encrypt secrets from the CLI using the curl, echo, jq, gpg, grep and tr programs. Here is an example:

# download the Mend Renovate hosted app's public key
curl https://app.renovatebot.com/renovate.pgp --output renovate.pgp
# build the scoped JSON payload, encrypt it to that key, drop the armor BEGIN/END lines, and join the rest into one line
echo -n '{"o":"your-organization", "r":"your-repository (optional)", "v":"your-secret-value"}' | jq . -c | gpg --encrypt -a --recipient-file renovate.pgp | grep -v '^----' | tr -d '\n'
The above script uses:
- curl to download the Mend Renovate hosted app's public key
- echo to pass a JSON object into jq
- jq to validate the JSON and then compact it
- gpg to encrypt the contents
- grep and tr to extract the encrypted payload that goes into the .whitesource file
The jq step is optional; you can leave it out if you wish. Its primary value is validating that the string you echo to gpg is valid JSON and compact.
Note: Encrypted secrets must have at least an org/group scope, and optionally a repository scope; for an organization-wide secret, omit the "r" field. Renovate checks the scope inside the decrypted payload against the repository it is scanning before applying the secret, and warns and discards it on a mismatch, so an encrypted value copied out of one organization's repository cannot be used from another.
Encrypted secrets usually have a single organization, but you may encrypt a secret for more than one by giving a comma-separated list, for example org1,org2. The secret can then be used in both the org1 and org2 organizations.
For more information on how to use secrets for private packages, refer to the Private package support documentation.
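A small Python helper for the steps above (an added example, not Mend's or Renovate's own code): it builds the scoped {"o","r","v"} payload with json.dumps instead of a hand-written echo string, so a password containing quotes or backslashes cannot corrupt the JSON; it joins gpg's armored output into the single-line value the way the grep/tr step does, additionally dropping any armor header lines; and it lints a hostRules block so a plaintext password or token, or a value pasted together with its BEGIN/END lines, is caught before the file is committed. The encryption itself still runs through gpg with Mend's public key exactly as in the pipeline above; the sample armored message, the lint policy and the function names are this example's own assumptions.

```python
"""Helpers around the Mend / Renovate encrypted-secret workflow described above.

Added example, not Mend's or Renovate's code. Assumes the payload layout the
page's shell pipeline shows: {"o": org, "r": repo, "v": value}, with "r"
optional and "o" allowed to be a comma-separated list of organizations. The
PGP encryption itself still needs gpg and Mend's public key.
"""
import json
import re

# "Name: value" armor header lines such as "Version: GnuPG v2" or "Comment: ...".
# gpg emits none by default, but --emit-version / --comment would add them, and the
# page's `grep -v '^----'` would leave them inside the pasted value.
ARMOR_HEADER = re.compile(r"^[A-Za-z-]+: ")


def build_secret_payload(orgs, value, repo=None):
    """Return the compact JSON string that is piped into gpg.

    json.dumps does the quoting, so a value containing quotes, backslashes or
    shell-significant characters cannot break the JSON the way a hand-written
    echo '{"v":"..."}' string can. Field order matches the page: o, r, v.
    """
    if isinstance(orgs, str):
        orgs = orgs.split(",")
    orgs = [o.strip() for o in orgs if o and o.strip()]
    if not orgs:
        raise ValueError("at least one organization scope is required")
    if not value:
        raise ValueError("secret value must not be empty")
    payload = {"o": ",".join(orgs)}
    if repo:
        payload["r"] = repo.strip()
    payload["v"] = value
    return json.dumps(payload, separators=(",", ":"))


def armor_to_encrypted_value(armored):
    """Collapse `gpg --encrypt -a` output into the one-line hostRules value.

    Equivalent to the page's `grep -v '^----' | tr -d '\\n'`, plus dropping
    armor header lines and blank lines. The base64 body and the trailing
    "=xxxx" CRC line are kept, as they are in the page's pipeline.
    """
    body = []
    for line in armored.splitlines():
        line = line.strip()
        if not line or line.startswith("-----") or ARMOR_HEADER.match(line):
            continue
        body.append(line)
    if not body:
        raise ValueError("no armored payload found")
    return "".join(body)


def lint_host_rules(whitesource_text):
    """Return a list of findings for the hostRules block of a .whitesource file.

    The policy is this example's own, not a Mend rule: every rule needs matchHost,
    hostType and one of encrypted.password / encrypted.token; a bare "password" or
    "token" key is a plaintext credential about to be committed; an encrypted value
    that still contains armor lines or newlines was not joined into one line.
    """
    cfg = json.loads(whitesource_text)
    rules = cfg.get("hostRules", [])
    if not isinstance(rules, list):
        return ["hostRules must be a list"]
    findings = []
    for i, rule in enumerate(rules):
        where = f"hostRules[{i}]"
        for key in ("matchHost", "hostType"):
            if not rule.get(key):
                findings.append(f"{where}: missing {key}")
        for key in ("password", "token"):
            if key in rule:
                findings.append(f"{where}: plaintext '{key}' must be encrypted and moved under 'encrypted'")
        enc = rule.get("encrypted") or {}
        secret = enc.get("password") or enc.get("token")
        if not secret:
            findings.append(f"{where}: no encrypted.password or encrypted.token")
        elif "PGP" in secret or "\n" in secret:
            findings.append(f"{where}: encrypted value still contains armor lines; join it into one line")
    return findings


# Constructed sample in the shape gpg prints, with a made-up body (not a real ciphertext).
SAMPLE_ARMOR = """-----BEGIN PGP MESSAGE-----
Comment: constructed sample, not a real ciphertext

hQEMA0madeUpBodyLineOne
madeUpBodyLineTwo==
=abcd
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    print(build_secret_payload("org1,org2", "s3cr3t", repo="my-repo"))
    value = armor_to_encrypted_value(SAMPLE_ARMOR)
    config = json.dumps({"hostRules": [{"matchHost": "registry.npmjs.org", "hostType": "npm",
                                        "userName": "bot1", "encrypted": {"token": value}}]})
    print(lint_host_rules(config))  # []
```

Run the file directly to see the payload, the joined value and an empty findings list for a well-formed rule. In practice, pipe the output of build_secret_payload into gpg exactly as in the pipeline above and paste what armor_to_encrypted_value returns under encrypted.token or encrypted.password; the lint is worth wiring into a pre-commit hook so a raw credential never reaches the repository.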
Reference
Parameters
Private Registry Settings (hostRules)

matchHost (String) - Required. The URL of the private registry where the private dependencies are hosted. Here are a few examples:

hostType (String) - Required. The type of private registry. Supported values:
Note: When using Renovate with a Ruby private registry, add a

userName (String) - Optional. The username the private registry requires, if any, to resolve its private dependencies.

encrypted.password (String) - Required when the private registry requires a password credential to resolve its private dependencies. The value must first be encrypted into a secret on the encryption page; the encrypted secret is then applied as a credential to the set in the
CODE

encrypted.token (String) - Required when the private registry requires a token credential to resolve its private dependencies. The value must first be encrypted into a secret on the encryption page; the encrypted secret is then applied as a credential to the set in the
CODE

envVariablesMapping (Object) - Use this parameter if the settings of your package manager reference environment variables for the username and password/token (e.g. for a specified package index).
CODE
or
CODE
Then, set
CODE
Below is an example of applying envVariablesMapping in the hostRules block of a .whitesource file:
CODE

sourceName (String) - Only for Pipenv private registries. Optional. Use this parameter if you don't have a specified package index; Mend will then create one for you based on the other parameters of
For example, if you have packages with the following index:
CODE
Then, set
CODE
Mend for GitHub.com private registry-supported languages
The following languages and their package managers are supported for scanning dependencies from private registries with Mend for GitHub.com.
Language | Package Manager | Details
---|---|---
C# | NuGet | Configuration file(s): nuget.config
Go | Modules | Configuration file(s): .netrc. Specifications:
Java | Gradle | Configuration file(s): build.gradle, settings.gradle. Specifications:
Java | Maven | Configuration file(s): settings.xml
JavaScript | NPM | Configuration file(s): .npmrc. Specifications:
JavaScript | Yarn | Configuration file(s): .npmrc (Yarn 1), .yarnrc.yml (Yarn 2, 3). Specifications:
Python | Pip | Specifications:
Python | Pipenv | Specifications:
Ruby | Bundler | N/A
Examples of hostRules with specific registries
AWS CodeArtifact authorization tokens are valid for at most twelve hours, so a token encrypted into a static hostRules secret goes stale quickly. For applications built using AWS CodeArtifact, scan with the Mend CLI instead. More information can be found at Scan with the Mend CLI.