Skip to main content

Private Dependencies

Analyzing a private project sometimes needs access to other private libraries or packages hosted on private repositories. Your team might be using a Git repository to distribute such private libraries. Such a kind of dependencies is supported by some package managers like Bundler or npm.

We support accessing to private repositories via SSH during an analysis session. Let’s check the following steps out.


Do analysis tools (e.g., ESLint or RuboCop) require your private dependencies? If not, please consider using the dependencies option of sider.yml instead.

Generate SSH key pair#

First, you need to generate an SSH key pair on your repository settings on Sider.

Visit Settings on your repository, and then click Keys.

Generate SSH private key

When you click Generate Key, Sider automatically generates a 4096-bit RSA key pair used for the private dependency resolution.


We don’t recommend adding secret keys to public repositories. Their analysis results are publicly accessible, and your secret keys might get exposed.

Add SSH public key to GitHub#

Download SSH public key

After generating a key pair, click Download Public Key. You can download the SSH public key.

Next, you need to add the downloaded public key to GitHub. You can add it via the following 2 ways:

Deploy key#

If you have just one private dependency, using a deploy key is simple.

Suppose that you have the following private npm package and private repository hosting it:

  • Package name: awesome
  • Repository URL:

Your package.json should look like this:

{  "dependencies": {    "awesome": "git+ssh://"  }}

To install this package during an analysis session, you need to add the downloaded public key as a deploy key to the foo-company/awesome repository on GitHub. The steps are as follows:

  1. Visit
  2. Click Settings
  3. Click Deploy keys
  4. Click Add deploy key
  5. Enter the public key and save it

For details, check out the GitHub documentation.

When you add the deploy key and start a new analysis, installing the private package should succeed.

SSH key of machine user#

If you have multiple private dependencies, adding a deploy key does not work because we cannot add the same deploy key to multiple repositories on GitHub.

In such a case, you need to prepare a machine user account and attach the public key to the account. Note that the machine user must have read access to your private repositories.

Suppose that you have a machine user account named foobot and the following package.json:

{  "dependencies": {    "awesome": "git+ssh://",    "marvelous": "git+ssh://"  }}

To install these packages, foobot need to have access to the foo-company/awesome and foo-company/marvelous repositories. When you attach the public SSH key to foobot, foobot can access these repositories. The steps are as follows:

  1. Sign in to GitHub as the machine user
  2. Visit Settings of the machine user
  3. Click SSH and GPG keys
  4. Click New SSH key
  5. Enter the public key and save it
  6. Give the machine user access to the private repositories (read access at least)

For details, check out the following documentation on GitHub:

Supported package managers#

We support the following package managers that can install packages from Git repositories:

If you want to install private dependencies via Bundler, note that you need to configure your sider.yml. For example:

linter:  rubocop:    dependencies:      - name: rubocop-foo-company        git:          repo:          tag: v1.2.3

See the dependencies option for details.