Sandworm
HomepageGitHub
  • Sandworm Audit
    • Getting Started
    • How It Works
    • Configuration
    • Issue Types
    • Resolved Issues
    • License Policies
    • Fail Policies
    • Custom Registries
    • Chart Info
  • Sandworm Guard
    • Overview
    • Getting Started
    • Supported Methods
    • Enforcing Permissions
    • Describing Permissions
    • Caller Module Paths
    • Configuration
    • Bundlers & Sourcemaps
  • Snapshot Testing
  • Contributing
    • Code of Conduct
    • Security Policy
Powered by GitBook
On this page

Was this helpful?

Edit on GitHub
  1. Sandworm Audit

Custom Registries

PreviousFail PoliciesNextChart Info

Last updated 2 years ago

Was this helpful?

Sandworm supports collecting package information from custom/private registries. If you've already configured the custom registry using your .npmrc file, Sandworm audits should just work.

Sandworm currently looks at the following configuration files:

  • per-project config file: /path/to/my/project/.npmrc

  • per-user config file: ~/.npmrc

The currently supported auth related settings are:

  • registry

  • _authToken

Scopes can be associated with a separate registry. This allows you to seamlessly use a mix of packages from the primary npm registry and one or more private registries, such as or the open source project.

In order to scope auth tokens, they must be prefixed by a URI fragment. If the credential is meant for any request to a registry on a single host, the scope may look like //registry.npmjs.org/:. If it must be scoped to a specific path on the host that path may also be provided, such as //my-custom-registry.org/unique/path:.

; bad config
_authToken=MYTOKEN

; good config
@myorg:registry=https://somewhere-else.com/myorg
@another:registry=https://somewhere-else.com/another
//registry.npmjs.org/:_authToken=MYTOKEN
; would apply to both @myorg and @another
; //somewhere-else.com/:_authToken=MYTOKEN
; would apply only to @myorg
//somewhere-else.com/myorg/:_authToken=MYTOKEN1
; would apply only to @another
//somewhere-else.com/another/:_authToken=MYTOKEN2

Environment variables can be replaced using ${VARIABLE_NAME}. For example:

//registry.npmjs.org/:_authToken=${DEFAULT_REG_TOKEN}

Sandworm also supports the NPM_CONFIG_REGISTRY environment variable, to set the default registry URL directly.

GitHub Packages
Verdaccio