Add Private Registries to Prisma Cloud Code Security

Integrating Private Registries with Prisma Cloud enables you to build an accurate dependency tree of the packages in your private registries. Using an
for integration ensures you have visibility into packages of your private registry and fix suggestions for vulnerabilities found in indirect packages. To remediate vulnerabilities found on Private registries see results and fix suggestions on
. Alternatively, you can make an informed decision by seeing the scan results on
Supply Chain
, where the graph displays the dependency tree based on the integration.
Currently, Prisma Cloud Code Security supports one Artifactory integration, one registry per package manager and is limited to Maven, Gradle, NPM, Yarn, and Pip.
  1. Verify prerequisites.
    For the Private Registries integration on Prisma Cloud Code Security, ensure you have the necessary permissions and Prisma Cloud IP addresses and hostname on an allow list.
    • Access to the Prisma Cloud console.
      Ensure private registries have access to the Prisma Cloud IP addresses and hostname. For more information see enable access to the Prisma Cloud Console.
    • The scan results you see after integration are at two instances.
    • Projects
      : See the dependency tree for Software Composition Analysis (SCA).
    • Supply Chain
      : See the dependency tree on Supply Chain to make an informed decision about vulnerabilities and package use.
      It is recommended that you integrate private registries using Artifactory with administrator permissions on Prisma Cloud console. However, a read-only permission of an Artifactory does not impact the scan results on the console.
  2. Configure a registry on Prisma Cloud.
    1. Select
      Settings > Repositories > Add Repository > Private Registries
    2. Select
    3. Add
      Public Artifactory URL
      . This must include the suffix /artifactory in the URL.
    4. Add
      The permissions associated with the username determine the scan results for private registries.
    5. Select
  3. Set up a package manager to configure a registry as private on the console.
    1. Select
      Package Manager
      to configure as a default integration.
    2. Select
      that package managers use.
      NPM requires you to define your repository is Private. For Maven, you can select
      Mirror Registry
      if the repository is a mirror of an existing repository.
      Optionally, you can select
      Add Package
      to set up an additional package manager
    3. Select
      and then select
      Settings > Repositories > Private Registries
      to see the latest list of integrations and the connection status.
      For each integration you can perform additional actions on
      More Actions
      • Edit integration
        : You can edit an existing registry integration.
      • Delete integration
        : In case an integration has multiple registries, you can choose to delete it.
      • Delete entire integration
        : This deletes the integration.
        You can remediate vulnerabilities from private registries on
        Code Security > Projects > Vulnerabilities
        After a private registry integration, the registry is a default reference for package versions on the console. Therefore, if a private fix version for the registry is not available, then recommendation on the console will be a public fix version.
        Additionally, you can access
        Code Security > Supply Chain
        to view the dependency tree of the private packages.
        Optionally, you can choose to delete a private registry integration on the console. Access
        Settings > Repositories > Add Repository > Private Registries > Artifactory
        and then select

Recommended For You