Private Dependencies
Analyzing a private project sometimes requires access to other private libraries or packages hosted in private repositories. Your team might use a Git repository to distribute such private libraries; dependencies of this kind are supported by some package managers, such as Bundler and npm.
We support access to private repositories via SSH during an analysis session. Follow the steps below.
Generate SSH key pair
First, generate an SSH key pair in your repository settings on Sider.
Visit Settings on your repository, and then click Keys.
When you click Generate Key, Sider automatically generates a 4096-bit RSA key pair used for the private dependency resolution.
NOTE: We strongly recommend against adding secret keys to public repositories. Their analysis results are publicly accessible, and your secret keys might get exposed.
Add SSH public key to GitHub
After generating a key pair, click Download Public Key to download the SSH public key.
Next, add the downloaded public key to GitHub. You can add it in either of two ways:
- as a deploy key
- as an SSH key of a machine user
Deploy key
If you have just one private dependency, using a deploy key is simple.
Suppose that you have the following private npm package and private repository hosting it:
- Package name: awesome
- Repository URL: https://github.com/foo-company/awesome
Your package.json should look like this:
{
  "dependencies": {
    "awesome": "git+ssh://git@github.com:foo-company/awesome.git#v1.2.3"
  }
}
To install this package during an analysis session, add the downloaded public key as a deploy key to the foo-company/awesome repository on GitHub.
The steps are as follows:
- Visit https://github.com/foo-company/awesome
- Click Settings
- Click Deploy keys
- Click Add deploy key
- Enter the public key and save it
For details, check out the GitHub documentation.
When you add the deploy key and start a new analysis, installing the private package should succeed.
SSH key of machine user
If you have multiple private dependencies, a deploy key does not work, because the same deploy key cannot be added to multiple repositories on GitHub.
In such a case, you need to prepare a machine user account and attach the public key to the account. Note that the machine user must have read access to your private repositories.
Suppose that you have a machine user account named foobot and the following package.json:
{
  "dependencies": {
    "awesome": "git+ssh://git@github.com:foo-company/awesome.git#v1.2.3",
    "marvelous": "git+ssh://git@github.com:foo-company/marvelous.git#v0.9.0"
  }
}
To install these packages, foobot needs access to both the foo-company/awesome and foo-company/marvelous repositories.
When you attach the public SSH key to foobot, foobot can access these repositories.
The steps are as follows:
- Sign in to GitHub as the machine user
- Visit Settings of the machine user
- Click SSH and GPG keys
- Click New SSH key
- Enter the public key and save it
- Give the machine user access to the private repositories (read access at least)
For details, check out the following documentation on GitHub:
- About adding a new SSH key
- About managing access to a repository
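As an added example (not Sider's own code), the following Python helper reads a package.json, collects its git+ssh dependencies, and reports whether one deploy key suffices (a single repository) or a machine user is needed (several repositories), as described in the two sections above. It also lists git dependencies that pin no tag or commit. The sample package.json, including the ordinary left-pad registry entry, is constructed for the example.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample package.json: the two private packages from this page plus
# one ordinary registry dependency that needs no SSH access at all.
SAMPLE_PACKAGE_JSON = """
{
  "dependencies": {
    "awesome": "git+ssh://git@github.com:foo-company/awesome.git#v1.2.3",
    "marvelous": "git+ssh://git@github.com:foo-company/marvelous.git#v0.9.0",
    "left-pad": "^1.3.0"
  }
}
"""

# git+ssh URL in either the scp-like form (host:org/repo) or the URL form
# (host/org/repo), with an optional .git suffix and an optional #ref.
GIT_SSH_RE = re.compile(
    r"^git\+ssh://(?P<user>[^@]+)@(?P<host>[^:/]+)[:/]"
    r"(?P<path>[^#]+?)(?:\.git)?(?:#(?P<ref>.+))?$"
)


def git_ssh_dependencies(package_json: str) -> Dict[str, Tuple[str, str, str]]:
    """Map each git+ssh dependency to (host, "org/repo", ref); ref is "" if unpinned."""
    data = json.loads(package_json)
    found = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            m = GIT_SSH_RE.match(spec)
            if m:  # registry specs such as "^1.3.0" simply do not match
                found[name] = (m["host"], m["path"].strip("/"), m["ref"] or "")
    return found


def key_strategy(deps: Dict[str, Tuple[str, str, str]]) -> Tuple[str, List[str]]:
    """One repository: a deploy key on it; several: a machine user with read access to all."""
    repos = sorted({f"{host}/{path}" for host, path, _ in deps.values()})
    if not repos:
        return "none", repos
    return ("deploy-key" if len(repos) == 1 else "machine-user"), repos


def unpinned(deps: Dict[str, Tuple[str, str, str]]) -> List[str]:
    """Git dependencies without a #tag or #commit; these float with the default branch."""
    return sorted(name for name, (_, _, ref) in deps.items() if not ref)
```

Run `key_strategy(git_ssh_dependencies(open("package.json").read()))` on a real project to see which GitHub repositories the generated public key must be granted access to.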
Supported package managers
We support the following package managers that can install packages from Git repositories:
If you want to install private dependencies via Bundler, note that you need to configure your sider.yml.
For example:
linter:
  rubocop:
    gems:
      - name: rubocop-foo-company
        git:
          repo: git@github.com:foo-company/rubocop-foo-company.git
          tag: v1.2.3
See the gems option for details.