Improve the security of your software supply chain with Amazon CodeArtifact package group configuration



Starting today, administrators of package repositories can manage the configuration of multiple packages in one single place with the new AWS CodeArtifact package group configuration capability. A package group allows you to define how packages are updated by internal developers or from upstream repositories. You can now allow or block internal developers from publishing packages, or allow or block upstream updates, for a group of packages.

CodeArtifact is a fully managed package repository service that makes it easy for organizations to securely store and share software packages used for application development. You can use CodeArtifact with popular build tools and package managers such as NuGet, Maven, Gradle, npm, yarn, pip, twine, and the Swift Package Manager.

CodeArtifact supports on-demand importing of packages from public repositories. This allows your organization's developers to fetch all their packages from one single source of truth: your CodeArtifact repository.

Simple applications routinely include dozens of packages. Large enterprise applications might have hundreds of dependencies. These packages help developers speed up the development and testing process by providing code that solves common programming challenges such as network access, cryptographic functions, or data format manipulation. These packages might be produced by other teams in your organization or maintained by third parties, such as open source projects.

To minimize the risks of supply chain attacks, some organizations manually vet the packages that are available in internal repositories and the developers who are authorized to update those packages. There are three ways to update a package in a repository. Selected developers in your organization might push package updates. This is typically the case for your organization's internal packages. Packages might also be imported from upstream repositories. An upstream repository might be another CodeArtifact repository, such as a company-wide source of approved packages, or external public repositories offering popular open source packages.

Here is a diagram showing different possibilities to expose a package to your developers.

CodeArtifact Multi Repository

When managing a repository, it's crucial to define how packages can be downloaded and updated. Allowing package installation or updates from external upstream repositories exposes your organization to typosquatting or dependency confusion attacks, for example. Imagine a bad actor publishing a malicious version of a well-known package under a slightly different name. For example, instead of coffee-script, the malicious package is cofee-script, with only one “f.” When your repository is configured to allow retrieval from upstream external repositories, all it takes is a distracted developer working late at night to type npm install cofee-script instead of npm install coffee-script to inject malicious code into your systems.

CodeArtifact defines three permissions for the three possible ways of updating a package. Administrators can allow or block installation and updates coming from internal publish commands, from an internal upstream repository, or from an external upstream repository.

Until today, repository administrators had to manage these important security settings package by package. With today's update, repository administrators can define these three security parameters for a group of packages at once. The packages are identified by their type, their namespace, and their name. This new capability operates at the domain level, not the repository level. It allows administrators to enforce a rule for a package group across all repositories in their domain. They don't have to maintain package origin controls configuration in every repository.

Let's see in detail how it works
Imagine that I manage an internal package repository with CodeArtifact and that I want to distribute only the versions of the AWS SDK for Python, also known as boto3, that have been vetted by my organization.

I navigate to the CodeArtifact page in the AWS Management Console, and I create a python-aws repository that will serve vetted packages to internal developers.

CodeArtifact - Create a repo

This creates a staging repository in addition to the repository I created. The external packages from pypi will first be staged in the pypi-store internal repository, where I will verify them before serving them to the python-aws repository. Here is where my developers will connect to download them.

CodeArtifact - Create a repo - package flow

By default, when a developer authenticates against CodeArtifact and types pip install boto3, CodeArtifact downloads the packages from the public pypi repository, stages them on pypi-store, and copies them on python-aws.

CodeArtifact - pip install

CodeArtifact - list of packages after a pip install

Now, imagine I want to block CodeArtifact from fetching package updates from the upstream external pypi repository. I want python-aws to only serve packages that I approved from my pypi-store internal repository.

With the new capability that we launched today, I can now apply this configuration for a group of packages. I navigate to my domain and select the Package Groups tab. Then, I select the Create Package Group button.

I enter the Package group definition. This expression defines what packages are included in this group. Packages are identified using a combination of three components: package format, an optional namespace, and name.

Here are a few examples of patterns that you can use for each of the allowed combinations:

  • All package formats: /*
  • A specific package format: /npm/*
  • Package format and namespace prefix: /maven/
  • Package format and namespace: /npm/aws-amplify/*
  • Package format, namespace, and name prefix: /npm/aws-amplify/ui~
  • Package format, namespace, and name: /maven/org.apache.logging.log4j/log4j-core$

I invite you to read the documentation to learn all the possibilities.

In my example, there is no concept of namespace for Python packages, and I want the group to include all packages with names starting with boto3 coming from pypi. Therefore, I write /pypi//boto3~.

CodeArtifact - package group definition

Then, I define the security parameters for my package group. In this example, I don't want my organization's developers to publish updates. I also don't want CodeArtifact to fetch new versions from the external upstream repositories. I want to authorize only package updates from my internal staging directory.

I uncheck all Inherit from parent group boxes. I select Block for Publish and External upstream. I leave Allow on Internal upstream. Then, I select Create Package Group.

CodeArtifact - package group security configuration
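The same configuration can be scripted. This is an added example, not code from the article or from AWS: it uses the boto3 CodeArtifact operations create_package_group and update_package_group_origin_configuration, and the domain name my-domain, the helper names, and the DryRunClient stand-in are assumptions made for illustration.

```python
# Added example, not AWS's or the author's code. "my-domain" is a placeholder.
ORIGINS = ("PUBLISH", "EXTERNAL_UPSTREAM", "INTERNAL_UPSTREAM")


class DryRunClient:
    """Records calls instead of sending them. Pass boto3.client("codeartifact")
    to create_locked_group() to apply the configuration for real."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, operation):
        def record(**kwargs):
            self.calls.append((operation, kwargs))
            return {}
        return record


def create_locked_group(client, domain, pattern, restrictions):
    """Create a package group with every origin control set explicitly.

    Rejecting missing or INHERIT values mirrors unchecking each "Inherit from
    parent group" box, so a later change to a parent group cannot loosen it.
    """
    problems = [o for o in ORIGINS if restrictions.get(o) not in ("ALLOW", "BLOCK")]
    unknown = sorted(set(restrictions) - set(ORIGINS))
    if problems or unknown:
        raise ValueError(f"set ALLOW or BLOCK for {problems}; unknown keys {unknown}")
    client.create_package_group(domain=domain, packageGroup=pattern)
    client.update_package_group_origin_configuration(
        domain=domain, packageGroup=pattern, restrictions=dict(restrictions))


def boto3_group(client, domain="my-domain"):
    """The article's rule: only the internal staging upstream may add versions."""
    create_locked_group(client, domain, "/pypi//boto3~", {
        "PUBLISH": "BLOCK",
        "EXTERNAL_UPSTREAM": "BLOCK",
        "INTERNAL_UPSTREAM": "ALLOW",
    })


if __name__ == "__main__":
    dry = DryRunClient()
    boto3_group(dry)
    for operation, kwargs in dry.calls:
        print(operation, kwargs)
```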

Once defined, developers are unable to install different package versions than the ones authorized in the python-aws repository. When I, as a developer, try to install another version of the boto3 package, I receive an error message. This is expected because the newer version of the boto3 package is not available in the upstream staging repo, and there is a block rule that prevents fetching packages or package updates from external upstream repositories.

CodeArtifact - installation is denied when using a package version not already present in the repository

Similarly, let's imagine your administrator wants to protect your organization from dependency substitution attacks. All your internal Python package names start with your company name (mycompany). The administrator wants to block developers from accidentally downloading packages that start with mycompany from upstream repositories.

The administrator creates a rule with the pattern /pypi//mycompany~ with publish=allow, external upstream=block, and internal upstream=block. With this configuration, internal developers or your CI/CD pipeline can publish those packages, but CodeArtifact will not import any upstream packages that start with mycompany. This prevents dependency substitution attacks for these packages.
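To see how the pattern syntax listed earlier and the two rules above combine, here is an added example (not CodeArtifact's matching engine and not code from the article) that models the matching as the article describes it and resolves each origin control for a package. The specificity ordering, the INHERIT fallback, and the permissive root group are assumptions of this model.

```python
# Added illustration: a simplified model of package group matching as this
# article describes it, not CodeArtifact's own matching engine.

def matches(pattern, fmt, namespace, name):
    """True if the package coordinate falls under the group pattern."""
    for part, value in zip(pattern[1:].split("/"), (fmt, namespace, name)):
        if part == "*":
            return True                         # everything below this level
        if part.endswith("~"):
            return value.startswith(part[:-1])  # prefix match
        if part.endswith("$"):
            return value == part[:-1]           # exact match
        if part != value:
            return False                        # literal format or namespace
    return False                                # no terminator: not a pattern


def effective_mode(groups, origin, fmt, namespace, name):
    """Resolve one origin control from the most specific matching group.

    Assumption: a longer pattern is more specific, and INHERIT (or a missing
    key) defers to the next matching group.
    """
    hits = sorted((p for p in groups if matches(p, fmt, namespace, name)),
                  key=lambda p: (len(p), p.endswith("$")), reverse=True)
    for pattern in hits:
        mode = groups[pattern].get(origin, "INHERIT")
        if mode != "INHERIT":
            return mode, pattern
    return "ALLOW", "/*"                        # assumption: default is allow


# Constructed sample: the article's two rules plus a permissive root group.
GROUPS = {
    "/*": {"PUBLISH": "ALLOW", "EXTERNAL_UPSTREAM": "ALLOW",
           "INTERNAL_UPSTREAM": "ALLOW"},
    "/pypi//boto3~": {"PUBLISH": "BLOCK", "EXTERNAL_UPSTREAM": "BLOCK",
                      "INTERNAL_UPSTREAM": "ALLOW"},
    "/pypi//mycompany~": {"PUBLISH": "ALLOW", "EXTERNAL_UPSTREAM": "BLOCK",
                          "INTERNAL_UPSTREAM": "BLOCK"},
}

if __name__ == "__main__":
    for pkg in [("pypi", "", "boto3"), ("pypi", "", "mycompany-utils"),
                ("npm", "", "cofee-script")]:
        for origin in ("PUBLISH", "EXTERNAL_UPSTREAM", "INTERNAL_UPSTREAM"):
            print(pkg, origin, effective_mode(GROUPS, origin, *pkg))
```

In this sample the misspelled npm name cofee-script resolves to the root group and is still allowed from the external upstream: a package group only restricts the names its pattern matches.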

Package groups are available in all AWS Regions where CodeArtifact is available, at no additional cost. It helps you to better control how packages and package updates land in your internal repositories. It helps to prevent various supply chain attacks, such as typosquatting or dependency confusion. It's one additional configuration that you can add today into your infrastructure-as-code (IaC) tools to create and manage your CodeArtifact repositories.

Go and configure your first package group today.

— seb

