Configure an artifact repository

Package Firewall supports configuration of Artifactory and Nexus repositories.

Configure Artifactory

Artifactory supports both local and remote repositories. Local repositories store and serve internal packages, while remote repositories retrieve packages from external sources, such as third-party repositories. For example, in the Python ecosystem, PyPI is a remote repository that your Artifactory instance can access.

The Package Firewall acts as a remote repository that proxies requests to the actual package registry, such as PyPI or npm. It ensures that any packages entering your organization’s Artifactory comply with the defined policy for acceptable use of open-source libraries and packages.

Create a new remote repository

Follow the steps below to create a remote repository for Package Firewall.

To complete this task:

  1. Sign in to Artifactory.
  2. To create a remote repository for Package Firewall, navigate to Repositories > Administration, then at the top-right corner, select Create a Repository, and select Remote.
  3. Select the package repository to apply the Package Firewall policy. See the current Package Firewall supported ecosystems.
  4. To provide a name for your remote repository, enter a name in the Repository Key field.
  5. In the User Name field, enter Veracode.
  6. In the Password/Access Token field, enter the Package Firewall access token.
  7. In the URL field, enter the Veracode registry URL for your ecosystem.
  8. Under the Advanced tab, select the checkbox next to Lenient Host Authentication. This setting ensures that redirects (for example, HTTP 301) are allowed and that repository requests succeed.

Update a virtual repository

Virtual repositories in Artifactory overlay all local and remote repositories, providing a single host for configuration. This makes the decision-making process for pulling a package from your local or remote artifacts opaque to the end user.

After you create a remote repository for the Package Firewall, update your virtual repository to use it.

To complete this task:

  1. Sign in to Artifactory.
  2. Navigate to Repositories > Administration and locate your virtual repository. Select the virtual repository you want to update.
  3. In your virtual repository, navigate to Repositories. You’ll see several repositories listed in the following format.
  4. To remove the existing remote, under the Selected Repositories section, select the checkbox next to the remote repository name and select the green arrows that point to the left.
  5. To add your Package Firewall remote repository, under the Available Repositories section, select the checkbox next to the remote repository name and select the green arrows that point to the right.
  6. To save your settings, at the bottom right of the screen, select Save.
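The same two tasks (create the remote repository with Veracode as the user name and lenient host authentication enabled, then swap it into the virtual repository in place of the direct upstream remote) can be scripted against the Artifactory REST API. The following is an added example written for this page; it is not Veracode's or JFrog's code. It assumes the Artifactory base URL and an admin access token, plus the Package Firewall registry URL and access token, are supplied as environment variables; the repository keys `pypi-firewall`, `pypi-remote` and `pypi` are placeholders, and `allowAnyHostAuth` is assumed to be the JSON field behind the UI's Lenient Host Authentication checkbox.

```python
"""Create a Package Firewall remote repository and repoint a virtual
repository at it via the Artifactory REST API (added example, not the
vendor's code)."""
import json
import os
import sys
import urllib.request


def remote_repo_config(key, package_type, firewall_url, firewall_token):
    """Repository Configuration JSON for the Package Firewall remote.

    allowAnyHostAuth is assumed to be the API name of the UI's
    'Lenient Host Authentication' checkbox (step 8 above): it lets the
    HTTP 301 redirects issued by the firewall registry succeed.
    """
    return {
        "key": key,
        "rclass": "remote",
        "packageType": package_type,
        "url": firewall_url,
        "username": "Veracode",
        "password": firewall_token,
        "allowAnyHostAuth": True,
    }


def swap_member(virtual_config, old_member, new_member):
    """Copy of a virtual repo config with old_member removed from the
    member list and new_member appended (steps 4 and 5 above)."""
    members = [m for m in virtual_config.get("repositories", []) if m != old_member]
    if new_member not in members:
        members.append(new_member)
    updated = dict(virtual_config)
    updated["repositories"] = members
    return updated


def resolves_only_through_firewall(virtual_config, firewall_key, direct_remote_keys):
    """True when the virtual repo includes the firewall remote and none of
    the direct upstream remotes that would let a pull bypass policy."""
    members = virtual_config.get("repositories", [])
    return firewall_key in members and not any(k in members for k in direct_remote_keys)


def _request(base, repo_key, method, token, body=None):
    """Call /artifactory/api/repositories/<key>; PUT creates, POST updates."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{base}/artifactory/api/repositories/{repo_key}", data=data, method=method
    )
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def main():
    base = os.environ["ARTIFACTORY_URL"].rstrip("/")          # assumed env vars
    admin_token = os.environ["ARTIFACTORY_TOKEN"]
    firewall_url = os.environ["PACKAGE_FIREWALL_URL"]         # registry URL for the ecosystem
    firewall_token = os.environ["PACKAGE_FIREWALL_TOKEN"]

    _request(base, "pypi-firewall", "PUT", admin_token,
             remote_repo_config("pypi-firewall", "pypi", firewall_url, firewall_token))

    virtual = _request(base, "pypi", "GET", admin_token)
    updated = swap_member(virtual, "pypi-remote", "pypi-firewall")
    _request(base, "pypi", "POST", admin_token, updated)

    if not resolves_only_through_firewall(updated, "pypi-firewall", ["pypi-remote"]):
        sys.exit("virtual repository still contains a direct upstream remote")


if __name__ == "__main__":
    main()
```

The final check is the part worth keeping around as a recurring audit: a virtual repository that still lists the original direct remote alongside the firewall remote will happily serve a blocked package from the direct remote, so the member list, not just the existence of the firewall remote, is what enforces the policy.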

Configure Nexus repository

Nexus Repository supports both hosted and proxy repositories. Hosted repositories store and serve internal packages, while proxy repositories retrieve packages from external sources such as third-party registries. For example, in the Python ecosystem, PyPI is a proxy repository that your Nexus Repository instance can access.

The Package Firewall acts as a remote repository that proxies requests to the actual package registry, such as PyPI or npm. It ensures that all packages entering your organization’s Nexus Repository comply with the defined policy for acceptable use of open-source libraries and packages.

Create a new proxy repository

Follow the steps below to create a proxy repository for Package Firewall.

To complete this task:

  1. Sign in to Nexus Repository.
  2. To create a proxy repository for Package Firewall, select the gear icon to open the admin UI, select Repositories, and then Create Repository.
  3. Select the proxy version of the package repository to which you want to apply the policy. See the current Package Firewall supported ecosystems.
  4. To provide a name for your proxy repository, enter a name in the Name field.
  5. In the Remote storage field, enter the Package Firewall registry URL for the ecosystem you're configuring.
  6. Reduce the values in the Maximum metadata age and Not found cache TTL fields. With the default value of 1440 minutes, changes to whether a package is allowed or blocked by policy might take up to an additional day.
  7. In the HTTP section, turn on username authentication.
  8. In the Username field, enter Veracode. In the Password field, enter the Package Firewall access token.

Update a group repository

Group repositories in Nexus Repository combine all hosted and proxy repositories, giving you a single host to use in your configuration. This approach simplifies package retrieval for end users by abstracting whether artifacts come from hosted or proxy sources.

After you create a proxy repository for the Package Firewall, update your group repository to use it.

  1. Sign in to Nexus Repository.
  2. To update a repository, select the gear icon to open the admin UI, then select Repositories. Select the repository to update.
  3. In your group repository, navigate to Member repositories.
  4. To remove the existing proxy, under the Members section, select the proxy and select the arrow pointing to the left.
  5. To add your Package Firewall proxy repository, under the Available section, select the proxy repository and select the arrow pointing to the right.
  6. To save your settings, at the bottom of the screen, select Save.
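The proxy-repository and group-repository tasks above can likewise be scripted against the Nexus Repository 3 REST API, which also makes it easy to enforce step 6 (the reduced metadata age and not-found cache TTL) and to audit existing proxies that are still at the 1440-minute default. This is an added example written for this page, not Veracode's or Sonatype's code. It assumes the Nexus base URL and an admin username/password, plus the Package Firewall registry URL and access token, come from environment variables; the repository names `pypi-firewall`, `pypi-proxy` and `pypi-group`, the blob store name `default`, and the `/service/rest/v1/repositories/<format>/proxy` and `/group/<name>` endpoints with the JSON shape shown are assumptions about the API.

```python
"""Create a Package Firewall proxy repository with short cache TTLs and
repoint a group repository at it via the Nexus 3 REST API (added example,
not the vendor's code)."""
import base64
import json
import os
import sys
import urllib.request

DEFAULT_TTL_MINUTES = 1440  # Nexus default for metadata age and not-found cache


def proxy_repo_config(name, firewall_url, firewall_token, ttl_minutes=5):
    """Payload for POST /service/rest/v1/repositories/<format>/proxy (assumed shape).

    metadataMaxAge and negativeCache.timeToLive are the API names assumed for
    the UI's 'Maximum metadata age' and 'Not found cache TTL'; both are set
    well below 1440 so an allow/block policy change is visible in minutes.
    """
    if not 0 < ttl_minutes < DEFAULT_TTL_MINUTES:
        raise ValueError("ttl_minutes must be positive and below the 1440-minute default")
    return {
        "name": name,
        "online": True,
        "storage": {"blobStoreName": "default", "strictContentTypeValidation": True},
        "proxy": {"remoteUrl": firewall_url, "contentMaxAge": 1440, "metadataMaxAge": ttl_minutes},
        "negativeCache": {"enabled": True, "timeToLive": ttl_minutes},
        "httpClient": {
            "blocked": False,
            "autoBlock": True,
            "authentication": {"type": "username", "username": "Veracode", "password": firewall_token},
        },
    }


def stale_ttl_fields(proxy_config):
    """Cache settings of an existing proxy still at the 1440-minute default."""
    stale = []
    if proxy_config.get("proxy", {}).get("metadataMaxAge", 0) >= DEFAULT_TTL_MINUTES:
        stale.append("proxy.metadataMaxAge")
    if proxy_config.get("negativeCache", {}).get("timeToLive", 0) >= DEFAULT_TTL_MINUTES:
        stale.append("negativeCache.timeToLive")
    return stale


def swap_group_member(group_config, old_member, new_member):
    """Copy of a group config with old_member replaced by new_member in
    group.memberNames (steps 4 and 5 above)."""
    names = [m for m in group_config.get("group", {}).get("memberNames", []) if m != old_member]
    if new_member not in names:
        names.append(new_member)
    updated = json.loads(json.dumps(group_config))  # deep copy
    updated.setdefault("group", {})["memberNames"] = names
    return updated


def _request(base, path, method, auth_header, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{base}/service/rest/v1/{path}", data=data, method=method)
    req.add_header("Authorization", auth_header)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def main():
    base = os.environ["NEXUS_URL"].rstrip("/")                  # assumed env vars
    creds = f"{os.environ['NEXUS_USER']}:{os.environ['NEXUS_PASSWORD']}".encode()
    auth = "Basic " + base64.b64encode(creds).decode()
    firewall_url = os.environ["PACKAGE_FIREWALL_URL"]
    firewall_token = os.environ["PACKAGE_FIREWALL_TOKEN"]

    _request(base, "repositories/pypi/proxy", "POST", auth,
             proxy_repo_config("pypi-firewall", firewall_url, firewall_token))

    group = _request(base, "repositories/pypi/group/pypi-group", "GET", auth)
    updated = swap_group_member(group, "pypi-proxy", "pypi-firewall")
    _request(base, "repositories/pypi/group/pypi-group", "PUT", auth, updated)

    if "pypi-proxy" in updated["group"]["memberNames"]:
        sys.exit("group repository still contains the direct upstream proxy")


if __name__ == "__main__":
    main()
```

`stale_ttl_fields` is meant to be run over the JSON of each existing proxy: a proxy that already points at the firewall but still carries the default TTLs will keep serving a newly blocked package (or keep returning 404 for a newly allowed one) for up to a day after the policy changes.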