Working with any of Maven or Gradle in your Java, Kotlin and Scala applications?
Recently heard of any supply chain attacks, account takeovers or malicious dependencies? Yeah, almost daily...
It's more important than ever to keep track of your software composition and the risks you're exposed to. And better yet - stay in control of your dependencies with a private registry and stay secure.
Continue reading to add security to your supply chain using Bytesafe and stay in control of what dependencies you use.
By the way, creating a hosted private Maven repository is FREE!
Why use a private repository?
There are many benefits to using a private registry. For example, a private registry is the right way to go if you want to lower your business risk and:
- Want a central hub to host all your dependencies - private and public ones.
- Continuously want to monitor packages for vulnerabilities or license issues.
- Require a dependency firewall that can control and block unwanted packages from entering your supply chain.
A private, hosted repository lets you focus on your code and get started without having to think about and plan for infrastructure, capacity management, maintenance, etc.
How to set up a private repository with minimal effort?
Great! You’ve decided you need a private repository and want to get going.
These steps will let you get your own private repository using Bytesafe:
1. Create a Bytesafe Workspace
First create your own workspace by signing up.
Just select the workspace name that you would like to use.
When you have created your account you can access your workspace by using the workspace name you've just created: https://<workspace>.bytesafe.dev
2. Sign in to your Workspace
Use your GitHub, Google, Microsoft login or sign in using email and password.
Congratulations! You now have access to your first private repository called "default". It's ready to be used. You can also create more registries with support for other ecosystems (npm, nuget) - quick and easy!
If your organization prefers integrating using SAML for Single Sign-On, that is supported too.
3. Configure Maven to use Bytesafe as a Proxy
Bytesafe private Maven registries allow users to both deploy internal Maven artifacts and proxy public packages from Maven repositories.
A single source for all Maven compatible packages required by your teams and CI/CD pipelines.
Configuration details are described here, but the simple steps you need to take are:
- Create an access token and add it to your settings.xml
- Point Maven to your Bytesafe Maven repository (in settings.xml or pom.xml)
- Continue to use Maven or Gradle like you're used to - but with the benefit of having Bytesafe as your Dependency Firewall with secure dependencies.
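As an added example (not from the original post and not Bytesafe's own documentation), here is a settings.xml and pom.xml pair for step 3. The registry path, the username/token mapping and the environment variable names are assumptions; replace them with the values shown in your workspace.

```xml
<!-- ~/.m2/settings.xml: credentials live here, never in the project's pom.xml -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <!-- id must match the <mirror> below and the pom.xml repositories -->
      <id>bytesafe</id>
      <!-- Assumption: Bytesafe username plus the access token as password.
           Both are read from environment variables so they are never committed. -->
      <username>${env.BYTESAFE_USER}</username>
      <password>${env.BYTESAFE_TOKEN}</password>
    </server>
  </servers>

  <mirrors>
    <mirror>
      <id>bytesafe</id>
      <name>Bytesafe private Maven registry (dependency firewall)</name>
      <!-- Placeholder URL: WORKSPACE is your workspace name; the /maven/default/
           path is an assumption, use the registry URL shown in your workspace -->
      <url>https://WORKSPACE.bytesafe.dev/maven/default/</url>
      <!-- mirrorOf * routes every repository request (Central included) through
           Bytesafe, so no dependency is fetched directly from a public repository
           and bypasses the firewall's scanning, license and quarantine policies -->
      <mirrorOf>*</mirrorOf>
    </mirror>
  </mirrors>
</settings>

<!-- pom.xml excerpt: deploy internal artifacts to the same private registry -->
<distributionManagement>
  <repository>
    <id>bytesafe</id>
    <url>https://WORKSPACE.bytesafe.dev/maven/default/</url>
  </repository>
  <snapshotRepository>
    <id>bytesafe</id>
    <url>https://WORKSPACE.bytesafe.dev/maven/default/</url>
  </snapshotRepository>
</distributionManagement>
```

To confirm nothing bypasses the proxy, clear the local cache with mvn dependency:purge-local-repository and rebuild: every "Downloading from bytesafe:" line Maven prints should point at your workspace host, and any other host means a repository is still configured outside the mirror.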
What's a Dependency Firewall for Maven packages?
The Bytesafe Dependency Firewall works with different package types, including Maven packages. The Dependency Firewall adds significant security to an organization’s supply chain while at the same time being transparent and easy to use for developers.
All new registries have Vulnerability Scanner and License Compliance enabled by default. Users can enable automatic quarantine of serious threats, preventing them from compromising your organization.
Want to protect developers and automated environments from unintentionally adding newly released (and potentially malicious) dependencies? Customize the safety delays for your repository, allowing new versions to mature and be vetted by the community before use.
That's it!
You have just added a layer of security with your first hosted private repository where packages are continuously scanned for vulnerabilities and license issues. Hope you'll enjoy your private registries!
From here you can create more registries, enable plugins and policies to get the right level of control that you require, and optionally invite new team members, which is a premium feature (you'll have a free trial of the Teams plan).
Have any questions or suggestions on features that you would like to see? Comment below or contact us on Twitter @bytesafedev.