NPM with Azure Artifacts - Host Rule Implementation

This article details the instructions to successfully configure our repo integrations with your NPM private registries that are hosted in Azure Artifacts. NPM private registries can be accessed by authentication via an Azure Personal Access Token (PAT). This will allow our repo integrations to scan your private NPM packages for vulnerabilities and compliance.

Generating a Personal Access Token (PAT) in Azure for your Artifacts feed

If you do not have a Personal Access Token (PAT) generated for your Artifacts feed, you can follow the instructions laid out in Azure’s documentation on NPM Artifacts. Save this PAT for the next step, Encrypting your Azure PAT.

Note: The PAT that is created must have Read permissions for the Packaging Scope.

Encrypting your Azure PAT

For Mend-Hosted repo integrations (GitHub.com and Azure Repos)

1. Navigate to our Mend's Repository Integration Secrets Encryption page

2. Each secret you encrypt must be scoped to a GitHub org or Azure project and its use will be restricted to those within the app. There are the following fields on the encryption page:

   1. Organization\Group - required; your GitHub org or your Azure project to which secrets are to be scoped

   2. Repository - optional; your GitHub or Azure repository to which secrets are to be scoped

   3. Raw value - required; your Azure PAT that was created earlier

3. Click on Encrypt. This will create an encrypted value, which is the result of the encryption to be used in the integration

4. Copy this encrypted value

For Self-Hosted repo integrations (GitHub Enterprise, Bitbucket Server and Data Center, and GitLab)

Follow the steps outlined below to generate encryption for each of the Self-Hosted repo integrations:

• Mend for GitHub Enterprise | Handling Private Registries and Authenticated Repositories

• Mend for Bitbucket Server and Data Center | Handling Private Registries and Authenticated Repositories

• Installing Mend for GitLab | Handling Private Registries and Authenticated Repositories

1. When generating a secret, there are the following fields on the encryption page:

   1. Organization\Group - required; your GitHub org, GitLab group, or Bitbucket group to which secrets are to be scoped

   2. Repository - optional; your repository to which secrets are to be scoped

   3. Raw value - required; your Azure PAT that was created earlier

2. Click on Encrypt. This will create an encrypted value, which is the result of the encryption to be used in the integration

3. Copy this encrypted value and save it for the step, Applying the hostRules

Where can I find the matchHost URL for NPM?

The URL that is to be used for the matchHost setting in the hostRules can be found by following the steps below:

1. Navigate to your Azure Project where the Artifact feed is located and click on Artifacts in the left-hand tree

2. In this screen, click on Connect to Feed:

   

3. Find and click on npm:

   

4. Within the Project setup step, copy the value of the registry parameter. This will be your matchHost setting used for your hostRules:

   

Note: If you have multiple feeds for your NPM packages, an .npmrc file that includes your scoped dependencies must be included in the repository to-be-scanned. More information on this can be found in Azure’s documentation: Npm scopes.

Applying the hostRules

Within your repo-config.json (if you have a global setup) or, in your .whitesource file (if you are configuring at the repo level), include the following required hostRules settings:

• matchHost - The URL of the Azure Artifacts feed where your NPM packages are located.

  • If your feed is Org-scoped, the URL will look something like this:

    CODE

    https://pkgs.dev.azure.com/<AzureOrgName>/_packaging/<feedName>/npm/registry/ 

  • If your feed is Project-scoped, the URL will look something like this:

    CODE

    https://pkgs.dev.azure.com/<AzureOrgName>/<AzureProjectName>/_packaging/<feedName>/npm/registry/

• hostType - npm

• userName - Your Azure Organization name or your Azure Project name, depending on how your Artifacts feed was scoped when it was created.

• password - The encrypted value that was generated

hostRules Examples

Example with an Org-scoped Artifacts feed:

{
  "hostRules": [
    {
      "matchHost": "https://pkgs.dev.azure.com/<AzureOrgName>/_packaging/<feedName>/npm/registry/",
      "hostType": "npm",
      "userName": "<Azure Organization name>",
      "encrypted": {
        "password": "3f832f2983yf89hsd98ahadsjfasdfjaslf............"
      }
    }
  ]
}

Example with a Project-scoped Artifacts feed:

{
  "hostRules": [
    {
      "matchHost": "https://pkgs.dev.azure.com/<AzureOrgName>/<AzureProjectName>/_packaging/<feedName>/npm/registry/",
      "hostType": "npm",
      "userName": "<Azure Project name>",
      "encrypted": {
        "password": "3f832f2983yf89hsd98ahadsjfasdfjaslf............"
      }
    }
  ]
}