Maven with GitHub Packages - Host Rule Implementation

This article details the instructions to successfully configure our repo integrations with your Maven private registries that are hosted in GitHub Packages. Maven private registries can be accessed by authentication via a token. This will allow our repo integrations to scan your private Maven packages for vulnerabilities and compliance.

Note: For information on how to publish a Maven package to GitHub Packages, please see GitHub’s documentation.

Generating a Personal Access Token (PAT) in GitHub for your GitHub Packages

For general information on Personal Access Tokens (PATs) and their permissions within GitHub packages, please see GitHub’s documentation: https://docs.github.com/en/packages/learn-github-packages/about-permissions-for-github-packages#about-scopes-and-permissions-for-package-registries.

To create a PAT to be used for resolving private Maven packages hosted in GitHub Packages, please follow the instructions below:

Note: The account where this PAT is generated must have access to the GitHub repository where the GitHub Packages are hosted.

1. Within your GitHub account, navigate to Settings:

   

2. On your Settings page, scroll down the left-side table of contents and select Developer settings:

   

3. Select Personal access tokens > Tokens (classic):

   

4. Click on Generate new token > select Generate new token (classic):

   

5. Fill in the settings as seen here:

   1. Note: Can be any value. We recommend naming it something that will help you remember what the PAT is for:

      

   2. Expiration: The expiration date of the PAT. We recommend using whatever value works best for your organization. Keep in mind that, if you do place an expiration date on the PAT, our hostRules settings must be updated when it expires. In our example, we will use the No expiration option:

      

   3. Select scopes: The read:packages scope must be enabled to resolve GitHub Packages through our hostRules configuration:

      

6. Scroll to the bottom and click on Generate token:

   

7. Copy the PAT value provided and save it for the next section, Encrypting the GitHub PAT

Encrypting the GitHub PAT

For Mend-Hosted repo integrations (GitHub.com, Bitbucket Cloud, and Azure Repos)

1. Navigate to our Mend's Repository Integration Secrets Encryption page

2. Each secret you encrypt must be scoped to a GitHub org, Bitbucket Cloud Workspace, or Azure project, and its use will be restricted to those within the app. There are the following fields on the encryption page:

   1. Organization\Group - required; your GitHub org, Bitbucket Cloud Workspace, or your Azure project to which secrets are to be scoped

   2. Repository - optional; your repository to which secrets are to be scoped

   3. Raw value - required; your GitHub PAT that was created prior

3. Click on Encrypt. This will create an encrypted value, which is the result of the encryption to be used in the integration

4. Copy this encrypted value

For Self-Hosted repo integrations (GitHub Enterprise, Bitbucket Server and Data Center, and GitLab)

Follow the steps outlined below to generate encryption for each of the Self-Hosted repo integrations:

• Mend for GitHub Enterprise | Handling Private Registries and Authenticated Repositories

• Mend for Bitbucket Server and Data Center | Handling Private Registries and Authenticated Repositories

• Installing Mend for GitLab | Handling Private Registries and Authenticated Repositories

1. When generating a secret, there are the following fields on the encryption page:

   1. Organization\Group - required; your GitHub org, GitLab group, or Bitbucket group to which secrets are to be scoped

   2. Repository - optional; your repository to which secrets are to be scoped

   3. Raw value - required; your GitHub PAT that was created prior

2. Click on Encrypt. This will create an encrypted value, which is the result of the encryption to be used in the integration

3. Copy this encrypted value

Where can I find the matchHost URL for Maven?

The URL that is to be used for the matchHost setting in the hostRules can be found in your settings.xml file > profiles.profile.repository.github.url block when your Maven package was published. For example:

• OWNER - Replace OWNER with the name of the GitHub user or organization account that owns the repository where your Maven GitHub Packages are hosted

• REPOSITORY - Replace REPOSITORY with the GitHub Repository where your Maven GitHub Packages are hosted

Note: If you have multiple GitHub repositories for your Maven packages, you will need to complete these steps and create a hostRule for each <url> that is being used.

Applying the hostRules

Within your repo-config.json (if you have a global setup) or, in your .whitesource file (if you are configuring at the repo level), include the following required hostRules settings:

• matchHost - The URL of the GitHub repository where your Maven packages are located. NOTE: You should have one rule for each GitHub repository where your Maven packages are located - meaning there can be multiple hostRules

• hostType - maven

• userName - The GitHub user or organization account that owns the repository where your Maven GitHub Packages are hosted

• token - The encrypted value that was generated

hostRules Example

{
  "hostRules": [
    {
      "matchHost": "https://maven.pkg.github.com/OWNER/REPOSITORY",
      "hostType": "maven",
      "userName": "hostrules",
      "encrypted": {
        "token": "3f832f2983yf89hsd98ahadsjfasdfjaslf............"
      }
    }
  ]
}