A how-to guide on using a secure and private NuGet package source for your .NET dependencies in Visual Studio and JetBrains Rider.
.NET, the Microsoft-supported open source framework, is celebrating 20 years! And wow, have there been a lot of changes in .NET and in software development in general in those 20 years.
Where before every piece of code and functionality had to be produced in-house, there are now millions of packages available in central repositories for users to consume, with obvious efficiency advantages.
NuGet, the package manager for .NET, allows developers to easily share and consume reusable package dependencies for their C#, F# and Visual Basic .NET applications, with nuget.org providing easy access to over 4 million package versions, both from Microsoft and from open source developers.
But using more and more open source components also puts higher demands on keeping control over the code you use. With security attacks targeting the open source software supply chain having increased by 650% in 2021 alone, it is more important than ever for organizations to protect the software they build, and every developer environment, CI/CD system and server along with it.
Need a private NuGet feed for both internal .NET packages and public dependencies? Bytesafe feeds are cloud hosted, and compatible with Visual Studio, JetBrains Rider and the NuGet CLI. You can get started instantly and build your projects securely with the tools of your choice.
Four reasons to use a private NuGet feed
A private NuGet source is a necessity for sharing internal packages and code in many organizations. But a private source also gives you control and helps keep unwanted dependencies out.
- Secure source for open source dependencies: Don’t allow free entry for untrusted code from public sources. Include approved dependencies, according to your rules.
- Share internal packages: Authorized and personal access to your organization’s private packages.
- Cache/proxy public packages: Don’t depend directly on public repositories like nuget.org. Make sure your organization’s packages are always available when you need them.
- Enforce security policies: Scan for vulnerabilities and automatically block access to unwanted and untrusted dependencies.
Getting started with a private NuGet feed
Using a private NuGet feed instead of the default package source is easy. With some simple configuration you can have IDEs like Visual Studio and JetBrains Rider fetch dependencies from a private feed in place of nuget.org.
On top of IDE support, the NuGet CLI (nuget.exe) has full support for private feeds, both as a push target for the packages you publish and as a package source for dependencies.
These steps assume users have access to a Bytesafe workspace. If not — Sign up for Bytesafe today for free.
Create a NuGet feed
To get started you need to create a NuGet registry (the Bytesafe equivalent of a feed or repository) and configure access to it in your client of choice.
After you have created your NuGet registry, you need to add a package source to your configuration.
Create an access token in Bytesafe and add it together with the registry URL to your list of approved package sources. The access token ensures only intended users have access to packages stored in Bytesafe.
Visual Studio and JetBrains Rider users can do this directly in the NuGet package tool in their IDE (see the sections on IDE integrations for more details). CLI users can alternatively add the package source using the NuGet CLI.
# Add the URL, username and access token (password) to your nuget sources
$ nuget sources add -Name {REGISTRY} -Source https://{WORKSPACE}.bytesafe.dev/nuget/{REGISTRY}/index.json -Username bytesafe -Password {TOKEN}
Bytesafe provides contextual and copy-paste ready instructions on how to access your private NuGet feed.
The package source information is added to the NuGet.Config file (used by both the NuGet CLI and the IDEs). One caveat: the password is encrypted with DPAPI on Windows, but the cross-platform dotnet CLI cannot encrypt it, so on Linux and macOS `dotnet nuget add source` only accepts the credentials together with `--store-password-in-clear-text`. Either way, add the source to your user-level NuGet.Config rather than to a NuGet.Config committed with the solution, so the access token never ends up in source control. For more information on sources and the NuGet config file, see NuGet in the Bytesafe documentation.
Publish a NuGet package
NuGet packages can be added to your private NuGet feed using nuget push or by uploading the package files manually.
# To publish packages using nuget set an apikey for the source
$ nuget setapikey {TOKEN} -Source {REGISTRY}
…
With your source configured you can publish packages to your private feed for other internal developers or CI/CD to access.
# Create a nuget package according to project files
$ nuget pack
…
# Publish package to registry using nuget. Replace {REGISTRY} with source name
$ nuget push {PACKAGE} -Source {REGISTRY}
…
Restoring NuGet project dependencies
With the public NuGet Gallery (nuget.org) configured as an upstream, Bytesafe proxies public dependencies and pulls any required (and allowed) version into your private NuGet feed.
To make sure the security features are not bypassed, it is recommended to disable nuget.org as a package source in NuGet.Config: the package manager fetches packages from all enabled sources, so a package that the private feed blocks would otherwise simply be resolved from nuget.org instead. Note that NuGet merges sources from the machine-level config, the user-level config and every NuGet.Config from the drive root down to the solution folder, so disabling nuget.org in one file does not help if another file still enables it. A `<clear />` element at the top of `<packageSources>` in the solution-level NuGet.Config discards every inherited source, and package source mapping (NuGet 6.0 and later) pins package ids to a named source.
# Disable nuget.org as a package source
$ nuget sources disable -Name nuget.org
…
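As an added example (my own script, not Bytesafe's tooling and not part of the original post), the POSIX shell script below does two things that the steps above rely on: it writes a solution-level NuGet.Config that keeps only the private feed (a `<clear />` that discards inherited sources, plus a package source mapping that pins every package id to the feed), and it checks an existing NuGet.Config for public sources that are still enabled, honouring the `<disabledPackageSources>` entries that `nuget sources disable` writes. The workspace name `acme`, the registry name `nuget-main` and the hostname pattern `{WORKSPACE}.bytesafe.dev` are assumptions following the placeholders on this page; no credentials are written, because those belong in the user-level config as described in the section on adding a source.

```shell
#!/bin/sh
# Added example, not Bytesafe's own tooling. Generates a solution-level
# NuGet.Config that allows only the private feed, and checks an existing
# NuGet.Config for public package sources that are still enabled.
# WORKSPACE and REGISTRY are assumed placeholder names, as on the page.
WORKSPACE="${WORKSPACE:-acme}"
REGISTRY="${REGISTRY:-nuget-main}"
FEED_URL="https://${WORKSPACE}.bytesafe.dev/nuget/${REGISTRY}/index.json"

# write_hardened_config FILE
# <clear /> discards every source inherited from machine-level, user-level
# and parent-directory configs (nuget.org included), so only the private feed
# remains. packageSourceMapping (NuGet 6.0+) additionally pins every package
# id to that feed. No credentials are written here: they belong in the
# user-level config (nuget sources add / dotnet nuget add source), not in a
# file committed with the solution.
write_hardened_config() {
  cat > "$1" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="${REGISTRY}" value="${FEED_URL}" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="${REGISTRY}">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
EOF
}

# enabled_public_sources FILE
# Prints the key of each <add> under <packageSources> that does not point at
# our Bytesafe workspace and is not marked true under <disabledPackageSources>
# (the element that `nuget sources disable` writes). Plain sed/grep keeps the
# check dependency-free; it assumes the one-element-per-line layout NuGet emits.
enabled_public_sources() {
  cfg="$1"
  sed -n '/<packageSources>/,/<\/packageSources>/p' "$cfg" \
    | grep -o '<add key="[^"]*" value="[^"]*"' \
    | sed 's/<add key="\([^"]*\)" value="\([^"]*\)"/\1 \2/' \
    | while read -r key url; do
        case "$url" in
          "https://${WORKSPACE}.bytesafe.dev/"*) continue ;;
        esac
        if sed -n '/<disabledPackageSources>/,/<\/disabledPackageSources>/p' "$cfg" \
             | grep -q "<add key=\"${key}\" value=\"true\""; then
          continue
        fi
        echo "$key"
      done
}

# check_config FILE
# Returns 0 only if the config clears inherited sources and leaves no public
# source enabled; otherwise reports the problem on stderr and returns 1.
check_config() {
  cfg="$1"
  if ! sed -n '/<packageSources>/,/<\/packageSources>/p' "$cfg" | grep -q '<clear */>'; then
    echo "$cfg: no <clear /> in <packageSources>; sources from other NuGet.Config files still apply" >&2
    return 1
  fi
  leaks=$(enabled_public_sources "$cfg")
  if [ -n "$leaks" ]; then
    echo "$cfg: public sources still enabled: $(echo "$leaks" | tr '\n' ' ')" >&2
    return 1
  fi
  return 0
}
```

Source the file and run `write_hardened_config NuGet.Config` in the solution folder, then `check_config NuGet.Config` as a CI step before `nuget restore`; a config that relies on `nuget sources disable` alone fails the check, because without `<clear />` any nuget.org entry in a user-level or machine-level config is still in play.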
There are multiple ways to specify project dependencies. I prefer package references (<PackageReference>) in the project file (.csproj).
<!-- Example package reference in .csproj file -->
<ItemGroup>
  <!-- … -->
  <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  <!-- … -->
</ItemGroup>
With project dependencies added to the project, run the nuget restore command to restore the project dependencies.
# Restore package dependencies from Bytesafe
$ nuget restore -Source {REGISTRY}
Most IDEs restore project dependencies by default on project startup or when they detect changes.
Using Visual Studio with your private NuGet feed
Visual Studio is an integral part of the .NET ecosystem and the default IDE for many .NET developers.
Private NuGet registries can easily be integrated as a package source in Visual Studio. Pre-existing NuGet.Config files will be identified by Visual Studio and used to configure package sources for NuGet Package Manager.
Adding a source manually inside Visual Studio
Add the Name, URL and credentials for the registry as the source in the Visual Studio configuration. Access Package Sources in the options (Windows: NuGet Package Manager > Package Sources / Mac: NuGet > Sources).
With the source added, packages can be restored and updated automatically in Visual Studio from your Bytesafe NuGet registry.
Any packages available in the private feed will also be available to browse and search in Visual Studio.
Visual Studio Code and some distributions of Visual Studio have no package source dialog; there, private sources are managed through the NuGet CLI or by editing NuGet.Config directly.
Using JetBrains Rider with your private NuGet feed
JetBrains Rider is the main alternative to Visual Studio for many teams. Like with Visual Studio, private NuGet feeds are easily integrated as a package source for JetBrains Rider.
It’s recommended for users to add Bytesafe as a new package source directly in JetBrains Rider to avoid conflicts. Some distributions lack support for encrypted passwords from NuGet.Config.
Adding a source manually inside JetBrains Rider
Add the Name, URL and credentials for the new feed in the NuGet Sources configuration.
Access the NuGet Tool window from the bottom toolbar or by right-clicking any project dependency and select Manage NuGet Packages.
With the new source added, packages are able to be browsed, restored and updated in Rider using your private NuGet server.
Want to know more about Bytesafe private NuGet feeds?
Visit Bytesafe for NuGet /.NET to learn more.
Want to know more about secure supply chains — read more about our firewall for dependencies.
Want to try Bytesafe? Sign up and get started today for free.
Interested in Java and Maven repositories? See my previous post: dev.to/sumstrm/time-for-secure-dep...
Looking for private and secure npm registries? dev.to/sumstrm/why-you-should-host...
We also offer a range of unique security features, like the customizable delay before newly published versions are allowed for your organization: dev.to/sumstrm/update-dependencies...