Snyk can be configured to use custom package registries under specific conditions, allowing insight into dependencies that are not hosted in canonical registries.
The custom package registry feature currently supports Artifactory with Maven and is available on the Pro and Enterprise plans. Maven analysis can be configured to mirror all requests through a custom package repository, or you can specify additional repositories to use alongside Maven Central.
Prerequisite
Jfrog artifactory mirror integration works only with basic user password authentication (SSO users can't be used for the integration)
Please create a general Jfrog user that isn't using SSO for this integration
Note
The integration won't work with on-prem custom package registries, only for SaaS solution, because Snyk can't reach to the private registry.
If authentication is required to access your custom registry you will need to first configure the Artifactory package repository integration.
To configure the Artifactory integration go to Integrations > Artifactory and click ‘Connect to Artifactory’ and complete the fields - URL to your Artifactory, username, and password.
Once the integration is set up you can configure Maven settings by navigating to Settings > Languages > Java
You can choose whether to use Artifactory as a mirror or as an additional repository where your artifacts will reside. These settings will be very similar to what you have in ~/.m2/settings.xml.
Mirrors
Choose a value for the type, either ‘direct’ or if using authentication ‘integration’. If using direct you will need to complete the URL, repository name and what it is a mirror of.
The mirror of value can either be a * to mirror everything or you can type in a value for example “central”
 |
If using the integration, you will need to choose an integration type and provide the repository name and mirror of details.
 |
Repositories
Alternatively, you can configure repositories which will be used as additional locations to check for artifacts.