npm registry integration
Integrating with npm registry
Integrating your private npm registry into Jit enhances your organization's security by enabling Jit to scan for dependencies vulnerabilities (SCA) in both your public and private npm packages. Our guide provides clear steps for a secure setting of this integration.
Requirements
- Jit GitHub integration.
- npm private packages.
- A private npm registry helps safeguard internal libraries by preventing public exposure and enables the consolidation of multiple registries from various sources into a single endpoint. Learn more About private packages and Creating and publishing private packages.
- A read-only access token to integrate into the private npm packages.
- For more details on creating the tokens, see Using private packages in a CI/CD workflow.
Activating the SCA Plan
- Go to Security Plans, locate Jit MVS, and click on View Plan. (Learn more on Jit MVS)
- In Application Security, locate Scan Your Code Dependencies for Vulnerabilities (SCA), and click Activate. (Learn more on Scan Your Code Dependencies for Vulnerabilities (SCA))
- A pop-up will appear. Mark Integrate with a private registry and click Connect
- Enter the access token you've generated and click Create secret
That's it. Jit will now scan your private packages as well.
Additional options to activate, including existing users
- Add the secret directly to Secrets. The name must be NPM_REGISTRY_TOKEN
- Locate the tool under Integrations and click Connect
If the security requirement is already activated (e.g., for existing users), the integration will start to take effect in the following scan
Pay attention! In these options, you will still need to click activate on the SCA security requirement under Jit MVS plan
The pop-up will be skipped
Deactivating the integration
- Go to the Secrets and delete the NPM_REGISTRY_TOKEN token.
- Revoke the token on npm side, see Revoking access tokens.
Updated 5 months ago