This guide is relevant for Snyk UI integrations only; the CLI already supports yarn and npm projects with private Artifactory registries.
You can add configuration to tell Snyk where your private Artifactory Node.js packages are hosted and what scope they are under.
This is the same information you would normally add in your
Once configured, Snyk uses this information to access private dependencies when creating Pull/Merge Requests, allowing yarn to reach those dependencies and regenerate the lockfile.
- You must sign up for a Pro or Enterprise account with Snyk before you begin
- Go to
- If you have not previously connected to Artifactory, you will be asked to configure an integration first; see Artifactory Package Repository Settings below
- Select “Add registry configuration”
- Select "Artifactory" as the Package source
- If you want to configure this registry as the default registry URL, leave the scope blank
- If you want only scoped packages to use this registry, add a scope
- If you want a mix of a default registry URL and scoped packages, add multiple configurations: one for the default and one per scope.
- When you have added all the registries and scopes you want, hit Update settings.
- Now test it out - open a Pull/Merge Request on a project that contains private dependencies that are hosted in Artifactory to see a lockfile updated and included in the Snyk Fix Pull Request where previously none was generated
Artifactory Package Repository Settings
You can configure two types of Artifactory Package Repository integrations:
- Publicly accessible instances protected by basic authentication
- Instances on a private network accessed via a broker
Brokered support is only available for Artifactory instances on private networks that do not require username & password authentication.
Brokered Artifactory is only supported for Node (Yarn and npm) at this time. Maven supports a direct connection to Artifactory but does not support a brokered connection.
As the integration is per org and the broker is per integration, it is not possible today to have an org with both Node and Maven Artifactory integrations if a broker is needed.
Please use separate orgs for Artifactory with Broker and Maven direct integrations.
- Go to Settings > Integrations > Package Repositories > Artifactory
- You should see this screen at the beginning.
If you do not see the “Publicly accessible” switch, you do not have the necessary permissions and can only add a publicly accessible instance.
Contact email@example.com if you want to add a private registry.
Set up publicly accessible instances
- Enter the URL of your Artifactory instance; this must end with “/artifactory”
- Enter Username
- Enter Password
- Hit Save
Set up brokered instances
- Toggle the Artifactory (Publicly accessible) switch; you should now see a form for generating an Artifactory Broker token.
- Click the Generate and Save button
- Copy the token that was generated for you; it will be needed to set up the new Broker Client
- Set up a new Broker Client in your prod environment:
- Pull the Broker Artifactory image from Docker Hub:
    docker pull snyk/broker:artifactory
- Run the Docker image and provide the environment variables:
    docker run --restart=always \
      -p 8000:8000 \
      -e BROKER_TOKEN=secret-broker-token \
      -e ARTIFACTORY_URL=<yourdomain>.artifactory.com/artifactory \
      snyk/broker:artifactory
BROKER_TOKEN is the token you just generated in the Integration > Artifactory form
ARTIFACTORY_URL is the URL of your Artifactory instance, including /artifactory at the end of the URL
- Check the connection status by refreshing the Artifactory Integration Settings page; no connection error should be displayed
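A preflight check for the two Broker Client environment variables, as an added example that is not part of Snyk's documentation or tooling; check_broker_env and start_broker are hypothetical helper names. It rejects an empty or placeholder token and an ARTIFACTORY_URL that breaks the rules stated on this page, then hands both values to the container from the environment rather than on the command line.

```shell
# Added example: validate BROKER_TOKEN and ARTIFACTORY_URL before starting
# the Broker Client. Helper names are hypothetical, not Snyk tooling.

# Returns 0 when both values pass; otherwise prints each problem to
# stderr and returns 1.
check_broker_env() {
    token=$1
    url=$2
    rc=0

    # The token comes from the "Generate and Save" step; reject an empty
    # value and the placeholder used in the example command.
    case $token in
        ''|secret-broker-token)
            echo "BROKER_TOKEN is empty or still the placeholder" >&2; rc=1 ;;
    esac

    # The URL has to end with /artifactory (a trailing slash fails too).
    case $url in
        */artifactory) ;;
        *) echo "ARTIFACTORY_URL must end with /artifactory" >&2; rc=1 ;;
    esac

    # Unedited <yourdomain> placeholder from the example command.
    case $url in
        *'<'*|*'>'*) echo "ARTIFACTORY_URL still contains a placeholder" >&2; rc=1 ;;
    esac

    # This page limits brokered support to instances that need no username
    # and password, so user:pass@host points at the wrong integration type.
    case $url in
        *@*) echo "ARTIFACTORY_URL carries credentials; brokered setup expects none" >&2; rc=1 ;;
    esac

    return $rc
}

# Start the container only when the checks pass. "-e NAME" with no value
# makes docker read NAME from the environment, which keeps the token out
# of the process list and shell history.
start_broker() {
    check_broker_env "${BROKER_TOKEN:-}" "${ARTIFACTORY_URL:-}" || return 1
    export BROKER_TOKEN ARTIFACTORY_URL
    docker run --restart=always -p 8000:8000 \
        -e BROKER_TOKEN -e ARTIFACTORY_URL \
        snyk/broker:artifactory
}
```

Set BROKER_TOKEN and ARTIFACTORY_URL in the environment of the shell that sources this file, then call start_broker.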