Add Private Registries to Prisma Cloud Code Security
Integrating Private Registries with Prisma Cloud enables you to build an accurate dependency tree of the packages in your private registries. Using an
Artifactory
for integration ensures you have visibility into packages of your private registry and fix suggestions for vulnerabilities found in indirect packages.
To remediate vulnerabilities found on Private registries see results and fix suggestions on Projects
. Alternatively, you can make an informed decision by seeing the scan results on Supply Chain
, where the graph displays the dependency tree based on the integration.Currently, Prisma Cloud Code Security supports one Artifactory integration, one registry per package manager and is limited to Maven, Gradle, NPM, Yarn, and Pip.
- Verify prerequisites.For the Private Registries integration on Prisma Cloud Code Security, ensure you have the necessary permissions and Prisma Cloud IP addresses and hostname on an allow list.
- Access to the Prisma Cloud console.Ensure private registries have access to the Prisma Cloud IP addresses and hostname. For more information see enable access to the Prisma Cloud Console.
- The scan results you see after integration are at two instances.
- Projects: See the dependency tree for Software Composition Analysis (SCA).
- Supply Chain: See the dependency tree on Supply Chain to make an informed decision about vulnerabilities and package use.It is recommended that you integrate private registries using Artifactory with administrator permissions on Prisma Cloud console. However, a read-only permission of an Artifactory does not impact the scan results on the console.
- Configure a registry on Prisma Cloud.
- SelectSettings > Repositories > Add Repository > Private Registries.
- SelectArtifactory.
- AddPublic Artifactory URL. This must include the suffix /artifactory in the URL.
- AddUsernameandPassword.
The permissions associated with the username determine the scan results for private registries. - SelectNext.
- Set up a package manager to configure a registry as private on the console.
- SelectPackage Managerto configure as a default integration.
- SelectRegistriesthat package managers use.
NPM requires you to define your repository is Private. For Maven, you can selectMirror Registryif the repository is a mirror of an existing repository.Optionally, you can selectAdd Packageto set up an additional package manager
- SelectNextand then selectDone.AccessSettings > Repositories > Private Registriesto see the latest list of integrations and the connection status.For each integration you can perform additional actions onMore Actions
- Edit integration: You can edit an existing registry integration.
- Delete integration: In case an integration has multiple registries, you can choose to delete it.
- Delete entire integration: This deletes the integration.You can remediate vulnerabilities from private registries onCode Security > Projects > Vulnerabilities.After a private registry integration, the registry is a default reference for package versions on the console. Therefore, if a private fix version for the registry is not available, then recommendation on the console will be a public fix version.Additionally, you can accessCode Security > Supply Chainto view the dependency tree of the private packages.Optionally, you can choose to delete a private registry integration on the console. AccessSettings > Repositories > Add Repository > Private Registries > Artifactoryand then selectDelete.
