July 24, 2024
Enhance the safety of your software program provide chain with Amazon CodeArtifact package deal group configuration
Voiced by Polly

Beginning immediately, directors of package deal repositories can handle the configuration of a number of packages in a single single place with the brand new AWS CodeArtifact package deal group configuration functionality. A package deal group lets you outline how packages are up to date by inside builders or from upstream repositories. Now you can enable or block inside builders to publish packages or enable or block upstream updates for a bunch of packages.

CodeArtifact is a totally managed package deal repository service that makes it straightforward for organizations to securely retailer and share software program packages used for software growth. You need to use CodeArtifact with in style construct instruments and package deal managers reminiscent of NuGet, Maven, Gradle, npm, yarn, pip, twine, and the Swift Package Manager.

CodeArtifact helps on-demand importing of packages from public repositories reminiscent of npmjs.com, maven.org, and pypi.org. This permits your group’s builders to fetch all their packages from one single supply of fact: your CodeArtifact repository.

Easy purposes routinely embrace dozens of packages. Giant enterprise purposes might need tons of of dependencies. These packages assist builders pace up the event and testing course of by offering code that solves widespread programming challenges reminiscent of community entry, cryptographic features, or knowledge format manipulation. These packages is perhaps produced by different groups in your group or maintained by third events, reminiscent of open supply initiatives.

To attenuate the dangers of provide chain assaults, some organizations manually vet the packages which are accessible in inside repositories and the builders who’re approved to replace these packages. There are 3 ways to replace a package deal in a repository. Chosen builders in your group would possibly push package deal updates. That is usually the case to your group’s inside packages. Packages may additionally be imported from upstream repositories. An upstream repository is perhaps one other CodeArtifact repository, reminiscent of a company-wide supply of accepted packages or exterior public repositories providing in style open supply packages.

Here’s a diagram displaying totally different potentialities to show a package deal to your builders.

CodeArtifact Multi Repository

When managing a repository, it’s essential to outline how packages could be downloaded and up to date. Permitting package deal set up or updates from exterior upstream repositories exposes your group to typosquatting or dependency confusion assaults, for instance. Think about a foul actor publishing a malicious model of a well known package deal underneath a barely totally different identify. For instance, as an alternative of coffee-script, the malicious package deal is cofee-script, with just one “f.” When your repository is configured to permit retrieval from upstream exterior repositories, all it takes is a distracted developer working late at evening to kind npm set up cofee-script as an alternative of npm set up coffee-script to inject malicious code into your methods.

CodeArtifact defines three permissions for the three potential methods of updating a package deal. Directors can enable or block set up and updates coming from inside publish instructions, from an inside upstream repository, or from an exterior upstream repository.

Till immediately, repository directors needed to handle these necessary safety settings package deal by package deal. With immediately’s replace, repository directors can outline these three safety parameters for a bunch of packages directly. The packages are recognized by their kind, their namespace, and their identify. This new functionality operates on the area stage, not the repository stage. It permits directors to implement a rule for a package deal group throughout all repositories of their area. They don’t have to keep up package deal origin controls configuration in each repository.

Let’s see intimately the way it works
Think about that I handle an inside package deal repository with CodeArtifact and that I need to distribute solely the variations of the AWS SDK for Python, often known as boto3, which have been vetted by my group.

I navigate to the CodeArtifact web page within the AWS Administration Console, and I create a python-aws repository that may serve vetted packages to inside builders.

CodeArtifact - Create a repo

This creates a staging repository along with the repository I created. The exterior packages from pypi will first be staged within the pypi-store inside repository, the place I’ll confirm them earlier than serving them to the python-aws repository. Right here is the place my builders will hook up with obtain them.

CodeArtifact - Create a repo - package flowBy default, when a developer authenticates towards CodeArtifact and kinds pip set up boto3, CodeArtifact downloads the packages from the general public pypi repository, levels them on pypi-store, and copies them on python-aws.

CodeArtifact - pip installCodeArtifact - list of packages after a pip install

Now, think about I need to block CodeArtifact from fetching package deal updates from the upstream exterior pypi repository. I need python-aws to solely serve packages that I accepted from my pypi-store inside repository.

With the brand new functionality that we launched immediately, I can now apply this configuration for a bunch of packages. I navigate to my area and choose the Package deal Teams tab. Then, I choose the Create Package deal Group button.

I enter the Package deal group definition. This expression defines what packages are included on this group. Packages are recognized utilizing a mixture of three elements: package deal format, an non-compulsory namespace, and identify.

Listed here are a couple of examples of patterns that you need to use for every of the allowed combos:

  • All package deal codecs: /*
  • A particular package deal format: /npm/*
  • Package deal format and namespace prefix: /maven/com.amazon~
  • Package deal format and namespace: /npm/aws-amplify/*
  • Package deal format, namespace, and identify prefix: /npm/aws-amplify/ui~
  • Package deal format, namespace, and identify: /maven/org.apache.logging.log4j/log4j-core$

I invite you to learn the documentation to study all the probabilities.

In my instance, there isn’t a idea of namespace for Python packages, and I need the group to incorporate all packages with names beginning with boto3 coming from pypi. Subsequently, I write /pypi//boto3~.

CodeArtifact - package group definition

Then, I outline the safety parameters for my package deal group. On this instance, I don’t need my group’s builders to publish updates. I additionally don’t need CodeArtifact to fetch new variations from the exterior upstream repositories. I need to authorize solely package deal updates from my inside staging listing.

I uncheck all Inherit from guardian group containers. I choose Block for Publish and Exterior upstream. I depart Enable on Inner upstream. Then, I choose Create Package deal Group.

CodeArtifact - package group security configuration

As soon as outlined, builders are unable to put in totally different package deal variations than those approved within the python-aws repository. Once I, as a developer, attempt to set up one other model of the boto3 package deal, I obtain an error message. That is anticipated as a result of the newer model of the boto3 package deal is just not accessible within the upstream staging repo, and there may be block rule that forestalls fetching packages or package deal updates from exterior upstream repositories.

Code ARtifact - installation is denied when using a package version not already present in the repository

Equally, let’s think about your administrator desires to guard your group from dependency substitution assaults. All of your inside Python package deal names begin together with your firm identify (mycompany). The administrator desires to dam builders for by chance downloading from pypi.org packages that begin with mycompany.

Administrator creates a rule with the sample /pypi//mycompany~ with publish=enable, exterior upstream=block, and inside upstream=block. With this configuration, inside builders or your CI/CD pipeline can publish these packages, however CodeArtifact is not going to import any packages from pypi.org that begin with mycompany, reminiscent of mycompany.foo or mycompany.bar. This prevents dependency substitution assaults for these packages.

Package deal teams can be found in all AWS Areas the place CodeArtifact is offered, at no extra price. It lets you higher management how packages and package deal updates land in your inside repositories. It helps to forestall numerous provide chain assaults, reminiscent of typosquatting or dependency confusion. It’s one extra configuration which you can add immediately into your infrastructure-as-code (IaC) instruments to create and handle your CodeArtifact repositories.

Go and configure your first package deal group immediately.

— seb