Posted On: Mar 21, 2024

Today, AWS announces the general availability of Package Group Configuration in AWS CodeArtifact. Customers can now define groups of packages and apply package origin controls to those groups, enhancing security and preventing software supply chain attacks.

With this feature, customers can define groups of packages in a CodeArtifact domain based on package format, namespace, and name. Customers can match based on full package paths, use wildcards to match all values, or match on prefixes. For example, “/npm/myco/*” will match all npm packages with a namespace of “myco”. Once a package group is created, three origin control parameters can be applied: Publish (allows package publication), External Upstream (packages can be retained from an external repository) and Internal Upstream (packages can be retained from an upstream CodeArtifact repository). These three parameters can be set independently to allow or block the action. Package groups can be managed using the AWS console, CLI, SDK, and CloudFormation.

For example, suppose a package group is created with origin controls External Upstream = BLOCK, Internal Upstream = BLOCK, and Publish = ALLOW. If a request is made to CodeArtifact to publish a package that matches the group, the request succeeds. If a download request is made for a package version that does not already exist in the CodeArtifact repository, the download fails, because both upstream sources are blocked. This prevents versions of private packages from being imported from public repositories, where those versions might contain malicious code.
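As an added example (not AWS code), the following Python model encodes the matching and decision rules described above, using the group from this example. It assumes that the most specific matching group wins, that packages matching no group default to ALLOW, and it represents prefix matching with a flag on the group rather than the service's pattern syntax.

```python
"""Added example, not AWS code: a model of the package-group matching and
origin-control decisions described above. Assumptions: the most specific
matching group wins, packages matching no group default to ALLOW, and prefix
matching is a flag on the group rather than the service's pattern syntax."""
from dataclasses import dataclass, field

ALLOW, BLOCK = "ALLOW", "BLOCK"

@dataclass
class PackageGroup:
    pattern: str          # "/format/namespace/name"; "*" matches a whole segment
    prefix: bool = False  # assumption: final segment matches "starts with"
    restrictions: dict = field(default_factory=dict)  # PUBLISH / EXTERNAL_UPSTREAM / INTERNAL_UPSTREAM

def matches(group: PackageGroup, path: str) -> bool:
    """Match a package path such as /npm/myco/utils against the group pattern."""
    want, got = group.pattern.split("/"), path.split("/")
    if len(want) != len(got):
        return False
    for i, (w, g) in enumerate(zip(want, got)):
        if w == "*":
            continue
        if group.prefix and i == len(want) - 1:
            if not g.startswith(w):
                return False
        elif w != g:
            return False
    return True

def effective_group(groups, path):
    """Most specific match: more literal segments beat wildcards, exact beats prefix."""
    hits = [g for g in groups if matches(g, path)]
    if not hits:
        return None
    return max(hits, key=lambda g: (sum(s != "*" for s in g.pattern.split("/")), not g.prefix))

def decide(groups, path, action, in_repo=False) -> bool:
    """action is 'publish' or 'download'. A download of a version already in the
    repository succeeds; otherwise at least one upstream must be ALLOW."""
    g = effective_group(groups, path)
    r = g.restrictions if g else {}
    if action == "publish":
        return r.get("PUBLISH", ALLOW) == ALLOW
    if in_repo:
        return True
    return ALLOW in (r.get("EXTERNAL_UPSTREAM", ALLOW), r.get("INTERNAL_UPSTREAM", ALLOW))

# The group from the example above: publishing allowed, both upstreams blocked.
PAGE_GROUPS = [PackageGroup("/npm/myco/*", restrictions={
    "PUBLISH": ALLOW, "EXTERNAL_UPSTREAM": BLOCK, "INTERNAL_UPSTREAM": BLOCK})]
```

With `PAGE_GROUPS`, a publish of `/npm/myco/utils` is allowed, a download of a version not yet in the repository is refused, and a version already present is served.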

CodeArtifact Package Group Configuration is available in all 13 CodeArtifact regions. To learn more, see AWS CodeArtifact.