[2022-12-13]: Dependabot does not access public registries when the user has configured private registries - [GA] (#33310)

Co-authored-by: Jake Coffman <jakecoffman@github.com>
Co-authored-by: Anne-Marie  <102995847+am-stead@users.noreply.github.com>
Co-authored-by: Nish Sinha <nishnha@github.com>
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
Co-authored-by: Ankit Honey <honeyankit@github.com>
Sophie 2022-12-13 20:22:06 +01:00 committed by GitHub
Parent cbfbfae374
Commit 48524a0a7d
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
4 changed files: 469 additions and 10 deletions


@ -493,7 +493,7 @@ When `rebase-strategy` is set to `auto`, {% data variables.product.prodname_depe
{% endnote %}
When `rebase-strategy` is set to `disabled`, {% data variables.product.prodname_dependabot %} stops rebasing pull requests.
When `rebase-strategy` is set to `disabled`, {% data variables.product.prodname_dependabot %} stops rebasing pull requests.
{% note %}
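Review bot: the line `When \`rebase-strategy\` is set to \`disabled\`, {% data variables.product.prodname_dependabot %} stops rebasing pull requests.` is removed and re-added without any visible difference in this hunk, so this looks like a whitespace-only change; confirm it is intended, otherwise drop it so the diff stays focused on the private-registries change.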
@ -742,6 +742,23 @@ updates:
## Configuration options for private registries
The top-level `registries` key is optional. It allows you to specify authentication details that {% data variables.product.prodname_dependabot %} can use to access private package registries.
{% ifversion ghes > 3.7 %}
{% note %}
**Note:** Private registries behind firewalls on private networks are supported for the following ecosystems:
- Bundler
- Docker
- Gradle
- Maven
- npm
- Nuget
- Python
- Yarn
{% endnote %}
{% else %}
{% note %}
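Review bot: the new firewall note is gated on `{% ifversion ghes > 3.7 %}` while every other addition in this commit uses `{% ifversion dependabot-private-registries %}`, and the feature file added in the last hunk enables that feature for fpt and ghec as well as ghes `>=3.8`; if the note is meant to be GHES-only that is fine, but otherwise switch it to the feature flag so the versioning lives in one place. In the ecosystem list, `Nuget` should be `NuGet`.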
@ -749,6 +766,8 @@ The top-level `registries` key is optional. It allows you to specify authenticat
{% endnote %}
{% endif %}
The value of the `registries` key is an associative array, each element of which consists of a key that identifies a particular registry and a value which is an associative array that specifies the settings required to access that registry. The following *dependabot.yml* file, configures a registry identified as `dockerhub` in the `registries` section of the file and then references this in the `updates` section of the file.
{% raw %}
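Review bot: `The following *dependabot.yml* file, configures a registry identified as \`dockerhub\`` has a stray comma after "file"; drop it.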
@ -782,8 +801,7 @@ You use the following options to specify access settings. Registry settings must
| `password` | A reference to a {% data variables.product.prodname_dependabot %} secret containing the password for the specified user. For more information, see "[Managing encrypted secrets for Dependabot](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-encrypted-secrets-for-dependabot)." |
| `key` | A reference to a {% data variables.product.prodname_dependabot %} secret containing an access key for this registry. For more information, see "[Managing encrypted secrets for Dependabot](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-encrypted-secrets-for-dependabot)." |
| `token` | A reference to a {% data variables.product.prodname_dependabot %} secret containing an access token for this registry. For more information, see "[Managing encrypted secrets for Dependabot](/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/managing-encrypted-secrets-for-dependabot)." |
| `replaces-base` | For registries with `type: python-index`, if the boolean value is `true`, pip resolves dependencies by using the specified URL rather than the base URL of the Python Package Index (by default `https://pypi.org/simple`). |
| `replaces-base` | For registries{% ifversion dependabot-private-registries %}, if the boolean value is `true`, {% data variables.product.prodname_dependabot %} will resolve dependencies by using the specified URL rather than the base URL of that specific ecosystem. For example, for registries{% endif %} with `type: python-index`, if the boolean value is `true`, pip resolves dependencies by using the specified URL rather than the base URL of the Python Package Index (by default `https://pypi.org/simple`). |
Each configuration `type` requires you to provide particular settings. Some types allow more than one way to connect. The following sections provide details of the settings you should use for each `type`.
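Review bot: the versioned branch of the new `replaces-base` row repeats "if the boolean value is `true`" twice, once for the general case and again in the `python-index` example. Suggested wording: "For registries, if the boolean value is `true`, {% data variables.product.prodname_dependabot %} resolves dependencies by using the specified URL rather than the base URL of that specific ecosystem. For example, with `type: python-index`, pip resolves dependencies by using the specified URL rather than the base URL of the Python Package Index (by default `https://pypi.org/simple`)." Since the new article states that this can only be configured for the ecosystems it lists, a link from this row to that article would also tell readers where the option actually applies.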
@ -807,7 +825,19 @@ registries:
{% data variables.product.prodname_dependabot %} works with any container registries that implement the OCI container registry spec. For more information, see [https://github.com/opencontainers/distribution-spec/blob/main/spec.md](https://github.com/opencontainers/distribution-spec/blob/main/spec.md). {% data variables.product.prodname_dependabot %} supports authentication to private registries via a central token service or HTTP Basic Auth. For further details, see [Token Authentication Specification](https://docs.docker.com/registry/spec/auth/token/) in the Docker documentation and [Basic access authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) on Wikipedia.
The `docker-registry` type supports username and password.
{% ifversion dependabot-private-registries %}
{% raw %}
```yaml
registries:
dockerhub:
type: docker-registry
url: https://registry.hub.docker.com
username: octocat
password: ${{secrets.MY_DOCKERHUB_PASSWORD}}
replaces-base: true
```
{% endraw %}
{% else %}
{% raw %}
```yaml
registries:
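Review bot: the versioned `dockerhub` example pairs `url: https://registry.hub.docker.com` with `replaces-base: true`, which replaces the Docker base registry with the public Docker Hub itself and so does not show what the option is for; the new article's Docker section describes the `replaces-base` registry as a mirror or pull-through cache, so a private URL here (or a comment saying the URL would normally be a private mirror) would make the example meaningful. The sentence above it, `The \`docker-registry\` type supports username and password.`, could also mention `replaces-base` now that the example uses it.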
@ -818,9 +848,22 @@ registries:
password: ${{secrets.MY_DOCKERHUB_PASSWORD}}
```
{% endraw %}
{% endif %}
The `docker-registry` type can also be used to pull from private Amazon ECR using static AWS credentials.
{% ifversion dependabot-private-registries %}
{% raw %}
```yaml
registries:
ecr-docker:
type: docker-registry
url: https://1234567890.dkr.ecr.us-east-1.amazonaws.com
username: ${{secrets.ECR_AWS_ACCESS_KEY_ID}}
password: ${{secrets.ECR_AWS_SECRET_ACCESS_KEY}}
replaces-base: true
```
{% endraw %}
{% else %}
{% raw %}
```yaml
registries:
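Review bot: the ECR example `url: https://1234567890.dkr.ecr.us-east-1.amazonaws.com` uses a 10-digit account ID; AWS account IDs are 12 digits, so a placeholder such as `123456789012.dkr.ecr.us-east-1.amazonaws.com` reads as a realistic registry host.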
@ -831,6 +874,7 @@ registries:
password: ${{secrets.ECR_AWS_SECRET_ACCESS_KEY}}
```
{% endraw %}
{% endif %}
### `git`
@ -885,7 +929,19 @@ registries:
### `maven-repository`
The `maven-repository` type supports username and password.
{% ifversion dependabot-private-registries %}
{% raw %}
```yaml
registries:
maven-artifactory:
type: maven-repository
url: https://artifactory.example.com
username: octocat
password: ${{secrets.MY_ARTIFACTORY_PASSWORD}}
replaces-base: true
```
{% endraw %}
{% else %}
{% raw %}
```yaml
registries:
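Review bot: the new article's Gradle section links readers to this `maven-repository` section, but the sentence `The \`maven-repository\` type supports username and password.` does not say that Gradle projects use this type too; a short clause to that effect would save Gradle users from wondering whether they landed on the right section.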
@ -895,14 +951,38 @@ registries:
username: octocat
password: ${{secrets.MY_ARTIFACTORY_PASSWORD}}
```
{% endraw %}
{% endraw %}{% endif %}
### `npm-registry`
The `npm-registry` type supports username and password, or token.
When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password.
When using username and password, your `.npmrc`'s auth token may contain a `base64` encoded `_password`; however, the password referenced in your {% data variables.product.prodname_dependabot %} configuration file must be the original (unencoded) password.
{% ifversion dependabot-private-registries %}
{% raw %}
```yaml
registries:
npm-npmjs:
type: npm-registry
url: https://registry.npmjs.org
username: octocat
password: ${{secrets.MY_NPM_PASSWORD}} # Must be an unencoded password
replaces-base: true
```
{% endraw %}
{% raw %}
```yaml
registries:
npm-github:
type: npm-registry
url: https://npm.pkg.github.com
token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
replaces-base: true
```
{% endraw %}
{% else %}
{% raw %}
```yaml
registries:
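Review bot: the `npm-github` example sets `replaces-base: true` on `url: https://npm.pkg.github.com`, but the new article's npm section says `replaces-base` should only be set when no global registry is defined in `.npmrc` and that scoped dependencies (`@my-org/my-dep`) need the registry defined in `.npmrc`; a cross-reference to that section next to these examples would stop readers from copying the flag without the caveat. The `When using username and password, your \`.npmrc\`'s auth token...` line is removed and re-added unchanged in this hunk, so check whether that whitespace-only change is intended.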
@ -922,7 +1002,7 @@ registries:
url: https://npm.pkg.github.com
token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
```
{% endraw %}
{% endraw %} {% endif %}
{% ifversion dependabot-yarn-v3-update %}
For security reasons, {% data variables.product.prodname_dependabot %} does not set environment variables. Yarn (v2 and later) requires that any accessed environment variables are set. When accessing environment variables in your `.yarnrc.yml` file, you should provide a fallback value such as {% raw %}`${ENV_VAR-fallback}`{% endraw %} or {% raw %}`${ENV_VAR:-fallback}`{% endraw %}. For more information, see [Yarnrc files](https://yarnpkg.com/configuration/yarnrc) in the Yarn documentation.{% endif %}
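Review bot: `{% endraw %} {% endif %}` has a space between the two tags here, whereas the equivalent closers in the maven and rubygems hunks use `{% endraw %}{% endif %}`; make them consistent (putting each Liquid tag on its own line would also be easier to read).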
@ -984,6 +1064,30 @@ registries:
The `rubygems-server` type supports username and password, or token.
{% ifversion dependabot-private-registries %}
{% raw %}
```yaml
registries:
ruby-example:
type: rubygems-server
url: https://rubygems.example.com
username: octocat@example.com
password: ${{secrets.MY_RUBYGEMS_PASSWORD}}
replaces-base: true
```
{% endraw %}
{% raw %}
```yaml
registries:
ruby-github:
type: rubygems-server
url: https://rubygems.pkg.github.com/octocat/github_api
token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
replaces-base: true
```
{% endraw %}
{% else %}
{% raw %}
```yaml
registries:
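Review bot: the `ruby-example` registry uses `username: octocat@example.com` while every other example in this file uses `username: octocat`; pick one form so readers do not infer that `rubygems-server` requires an e-mail address as the username.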
@ -1003,7 +1107,7 @@ registries:
url: https://rubygems.pkg.github.com/octocat/github_api
token: ${{secrets.MY_GITHUB_PERSONAL_TOKEN}}
```
{% endraw %}
{% endraw %}{% endif %}
### `terraform-registry`


@ -0,0 +1,349 @@
---
title: Configuring Dependabot to only access private registries
intro: 'Examples of how you can configure {% data variables.product.prodname_dependabot %} to only access private registries by removing calls to public registries.'
permissions: 'People with write permissions to a repository can configure {% data variables.product.prodname_dependabot %} for the repository.'
miniTocMaxHeadingLevel: 3
versions:
feature: dependabot-private-registries
type: how_to
topics:
- Dependabot
- Version updates
shortTitle: Configure Dependabot to only access private registries
---
## About configuring {% data variables.product.prodname_dependabot %} to only access private registries
You can configure {% data variables.product.prodname_dependabot %} to only access private registries by removing calls to public registries. This can only be configured for the ecosystems listed in this article.
## Bundler
To configure the Bundler ecosystem to only access private registries, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rubygems-server)."
The Bundler ecosystem additionally requires a `Gemfile` file with the private registry URL to be checked into the repository.
```yaml
# Example Gemfile
source "https://private_registry_url"
```
## Docker
To configure the Docker ecosystem to only access private registries, you can use these configuration methods.
**Option 1**
Define the private registry configuration in a `dependabot.yml` file without `replaces-base`. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry)."
{% note %}
**Note:** remove `replaces-base: true` from the configuration file.
{% endnote %}
```yaml
version: 2
registries:
azuretestregistry: # Define access for a private registry
type: docker-registry
url: firewallregistrydep.azurecr.io
username: firewallregistrydep
password: ${{secrets.AZUREHUB_PASSWORD}}
```
In the `Dockerfile` file, add the image name in the format of `IMAGE[:TAG]`, where `IMAGE` consists of your username and the name of the repository.
```yaml
FROM firewallregistrydep.azurecr.io/myreg/ubuntu:18.04
```
**Option 2**
Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker-registry)." The registry configured with the `replaces-base` can be used as a mirror or a pull through cache. For further details, see [Registry as a pull through cache](https://docs.docker.com/registry/recipes/mirror/) in the Docker documentation.
## Gradle
To configure the Gradle ecosystem to only access private registries, you can use these configuration methods.
Define the private registry configuration in a dependabot.yml file. For more information, see “[Configuration options for the dependabot.yml file](https://github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository).”
{% note %}
Note: remove replaces-base: true from the configuration file.
{% endnote %}
Additionally, you also need to specify the private registry URL in the `repositories` section of the `build.gradle` file.
```groovy
# Example build.gradle file
repositories {
maven {
url "https://private_registry_url"
}
}
```
## Maven
To configure the Maven ecosystem to only access private registries, you can use these configuration methods.
**Option 1**
Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#maven-repository)."
**Option 2**
Use only the private registry URL in the `pom.xml` file.
```xml
<project>
...
<repositories>
<repository>
<id>central</id>
<name>your custom repo</name>
<url>https://private_registry_url</url>
</repository>
...
</project>
```
## Node
### npm
To configure the npm ecosystem to only access private registries, you can use these configuration methods.
**Option 1**
Define the private registry configuration in a `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** remove `replaces-base: true` from the configuration file.
{% endnote %}
The npm ecosystem additionally requires a `.npmrc` file with the private registry URL to be checked into the repository.
```yaml
registry=https://private_registry_url
```
**Option 2**
If there is no global registry defined in an `.npmrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[Configuration options for the `dependabot.yml` file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`.
{% endnote %}
### Yarn
Yarn Classic and Yarn Berry private registries are both supported by {% data variables.product.prodname_dependabot %}, but {% data variables.product.prodname_dependabot %} requires a different configuration for each ecosystem to access only private registries.
#### Yarn Classic
To configure the Yarn Classic ecosystem to only access private registries, you can use these configuration methods.
**Option 1**
Define the private registry configuration in a `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** Delete `replaces-base: true` from the configuration file.
{% endnote %}
To ensure the private registry is listed as the dependency source in the project's `yarn.lock` file, run `yarn install` on a machine with private registry access. Yarn should update the `resolved` field to include the private registry URL.
```yaml
encoding@^0.1.11:
version "0.1.13"
resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9"
integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==
dependencies:
iconv-lite "^0.6.2"
```
**Option 2**
If the `yarn.lock` file doesn't list the private registry as the dependency source, you can set up Yarn Classic according to the normal package manager instructions:
1. Define the private registry configuration in a `dependabot.yml` file
2. Add the registry to a `.yarnrc` file in the project root with the key registry. Alternatively run `yarn config set registry <private registry URL>`.
```yaml
registry https://private_registry_url
```
**Option 3**
If there is no global registry defined in a `.yarnrc` file, you can set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.npmrc` file. To define private registries for individual scopes, use `@myscope:registry=https://private_registry_url`.
{% endnote %}
#### Yarn Berry
To configure the Yarn Berry ecosystem to only access private registries, you can use these configuration methods.
**Option 1**
Define the private registry configuration in a `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** Delete `replaces-base: true` from the configuration file.
{% endnote %}
To ensure the private registry is listed as the dependency source in the project's `yarn.lock` file, run `yarn install` on a machine with private registry access. Yarn should update the `resolved` field to include the private registry URL.
{% raw %}
```yaml
encoding@^0.1.11:
version "0.1.13"
resolved "https://private_registry_url/encoding/-/encoding-0.1.13.tgz#56574afdd791f54a8e9b2785c0582a2d26210fa9"
integrity sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==
dependencies:
iconv-lite "^0.6.2"
```
{% endraw %}
**Option 2**
If the `yarn.lock` file doesn't list the private registry as the dependency source, you can set up Yarn Berry according to the normal package manager instructions:
1. Define the private registry configuration in a `dependabot.yml` file
2. Add the registry to a `.yarnrc.yml` file in the project root with the key `npmRegistryServer`. Alternatively run `yarn config set npmRegistryServer <private registry URL>`.
```
npmRegistryServer: "https://private_registry_url"
```
{% note %}
**Note:** For scoped dependencies (`@my-org/my-dep`), {% data variables.product.prodname_dependabot %} requires that the private registry is defined in the project's `.yarnrc` file. To define private registries for individual scopes, use `"@myscope:registry" "https://private_registry_url"`.
{% endnote %}
## Nuget
To allow the Nuget ecosystem to only access private registries, you can configure the `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed)."
The Nuget ecosystem additionally requires a `nuget.config` file to be checked into the repository, with either a `< clear />` tag in `<packageSources>` section or a key `nuget.org` as true in the `disabledPackageSources` section of the `nuget.config` file.
This is an example of a `< clear />` tag in the `packageSources` section of the `nuget.config`.
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
< clear />
<add key="example-nuget" value="https://private_registry_url/nuget/example-nuget/index.json" />
</packageSources>
</configuration>
```
This is an example of adding key `nuget.org` as true to the `disabledPackageSources` section of the `nuget.config`
```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<add key="example-nuget" value="https://private_registry_url/nuget/example-nuget/index.json" />
</packageSources>
<disabledPackageSources>
<add key="nuget.org" value="true" />
</disabledPackageSources>
</configuration>
```
## Python
Pip, Pip-compile, Pipenv, and Poetry are the four package managers that the Python ecosystem currently supports.
### Pip
To configure the Pip ecosystem to only access private registries, you can use these configuration methods.
**Option 1**
Define the private registry configuration in a `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** Delete `replaces-base: true` from the configuration file.
{% endnote %}
Add the private registry URL to the `[global]` section of the `pip.conf` file and check the file into the repository.
```yaml
[global]
timeout = 60
index-url = https://private_registry_url
```
**Option 2**
Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index)."
### Pip-compile
To configure the Pip-compile ecosystem to only access private registries, you can use these configuration methods.
**Option 1**
Set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index)."
**Option 2**
Define the private registry configuration in a `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#npm-registry)."
{% note %}
**Note:** Delete `replaces-base: true` from the configuration file.
{% endnote %}
Add the private registry URL to the `requirements.txt` file and check the file into the repository.
```yaml
--index-url https://private_registry_url
```
### Pipenv
To configure Pipenv to only access private registries, remove `replaces-base` from the `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index)."
{% note %}
**Note:** Delete `replaces-base: true` from the configuration file.
{% endnote %}
Add the private registry URL to the `[[source]]` section of the `Pipfile` file and check the file into the repository.
```yaml
[[source]]
url = "https://private_registry_url"
verify_ssl = true
name = "pypi"
```
### Poetry
To configure Poetry to only access private registries, set `replaces-base` as `true` in the `dependabot.yml` file. For more information, see "[Configuration options for the dependabot.yml file](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index)."
Add the private registry url to the `[[tool.poetry.source]]` section of the `pyproject.toml` file and checked it in the repository.
```yaml
[[tool.poetry.source]]
name = "private"
url = "https://private_registry_url"
default = true
```
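Review bot: the Pip Option 1 and Pip-compile Option 2 links point at `configuration-options-for-the-dependabot.yml-file#npm-registry`; both should target `#python-index`, as the Pip Option 2 and Pip-compile Option 1 links already do. Further points in this file: the Gradle section links to `https://github.com/code-security/dependabot/...` instead of the site-relative path used everywhere else, uses curly quotes, announces "these configuration methods" but lists only one, and its note (`Note: remove replaces-base: true from the configuration file.`) lacks the bold label and backticks the other notes have. `< clear />` (in the prose and in the first `nuget.config` example) is not valid XML and should be `<clear />`. The Yarn Berry scoped-dependency note refers to `.yarnrc`, but step 2 just above it configures Yarn Berry through `.yarnrc.yml`, and the `"@myscope:registry" "https://private_registry_url"` form does not match the `npmRegistryServer: "https://private_registry_url"` key-value style shown two lines earlier, so verify it against the Yarnrc documentation already cited on the configuration page. Several fences carry the wrong language: the Gemfile, Dockerfile, `.npmrc`, `.yarnrc`, `pip.conf`, `requirements.txt`, `Pipfile` and `pyproject.toml` blocks are tagged `yaml`, and the `build.gradle` block uses `# Example build.gradle file`, which is not a Groovy comment (use `//`). The Docker Option 1 example gives `url: firewallregistrydep.azurecr.io` without the `https://` scheme the other examples use. Minor wording: `Nuget` should be `NuGet`, step 2 of Yarn Classic Option 2 should format `registry` as code, and the Poetry sentence should read "Add the private registry URL to the `[[tool.poetry.source]]` section of the `pyproject.toml` file and check it into the repository."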


@ -18,6 +18,7 @@ children:
- /automating-dependabot-with-github-actions
- /keeping-your-actions-up-to-date-with-dependabot
- /managing-encrypted-secrets-for-dependabot
- /configuring-dependabot-to-only-access-private-registries
- /troubleshooting-the-detection-of-vulnerable-dependencies
- /troubleshooting-dependabot-errors
---


@ -0,0 +1,5 @@
# Reference: Issue #8535 Dependabot does not access public registries when the user has configured private registries
versions:
fpt: '*'
ghec: '*'
ghes: '>=3.8'