Nexus Repository Manager setup

Overview

Feature availability: This feature is available with Enterprise plans. See pricing plans for more details.
Connecting Nexus Repository Manager enables Snyk to resolve all direct and transitive dependencies of packages hosted on the Nexus registry and calculate a more complete, accurate dependency graph and related vulnerabilities.
Supported projects
  • The integration currently supports Node.js (npm and Yarn) and Maven projects.
  • Gradle projects are not currently supported.
You can configure these types of Nexus Repository Manager:
  • Publicly accessible instances protected by basic authentication
  • Instances on a private network accessed via a Snyk Broker (with or without basic authentication).
Versions supported
  • Nexus Repository Manager version 3.x is fully supported.
  • Nexus Repository Manager version 2.15+ is in Beta.

Getting started

  1. Go to settings > Integrations > Package Repositories > Nexus
  2. You should see this screen:
If you do not see the Snyk Broker switch, you do not have the necessary permissions and can only add a publicly accessible instance. Contact our Support team if you want to add a private registry.

Set up publicly accessible instances

Nexus 3
  • Enter the URL of your Nexus instance. This must end with /repository
  • Enter Username
  • Enter Password
  • Click Save
Nexus 2
  • Enter the URL of your Nexus instance. This must end with /nexus/content
  • Enter Username
  • Enter Password
  • Click Save
You should see a green success message if we can contact your repository.
If you see a yellow warning message, check your URL and credentials and try again.

Set up brokered instances

  1. Toggle the Snyk Broker on/off switch. You should now see a form for generating a Snyk Broker token.
  2. Click the Generate and Save button.
  3. Copy the token that was generated for you. It will be needed to set up a new Broker Client.
  4. Set up a new Broker Client in your prod environment:
Nexus 3
  • Pull the Broker Nexus image from Docker Hub:
    docker pull snyk/broker:nexus
  • Run the Docker image and provide the Broker variables:
    docker run --restart=always \
    -p 7341:7341 \
    -e BROKER_TOKEN=secret-broker-token \
    -e BASE_NEXUS_URL=https://[username:password]@acme.com \
    -e RES_BODY_URL_SUB=https://acme.com/repository \
    -e BROKER_CLIENT_VALIDATION_URL=https://[username:password]@acme.com/service/rest/v1/status[/check] \
    snyk/broker:nexus
Nexus 2
  • Pull the Broker Nexus 2 image from Docker Hub:
    docker pull snyk/broker:nexus2
  • Run the Docker image and provide the Broker variables:
    docker run --restart=always \
    -p 7341:7341 \
    -e BROKER_TOKEN=<secret-broker-token> \
    -e BASE_NEXUS_URL=https://[username:password]@acme.com \
    -e "RES_BODY_URL_SUB=https://acme.com/nexus/content/(groups|repositories)" \
    snyk/broker:nexus2

Checking connection

Check connection status by making a request to your Nexus broker client /systemcheck endpoint.
For example, curl http://172.17.0.2:7341/systemcheck
You will then see success output in the form:
{"brokerClientValidationUrl":"https://acme.com/service/rest/v1/status","brokerClientValidationMethod":"GET","brokerClientValidationTimeoutMs":5000,"brokerClientValidationUrlStatusCode":200,"ok":true}
Or failure output in the form:
{"brokerClientValidationUrl":"https://acme.com/service/rest/v1/status","brokerClientValidationMethod":"GET","brokerClientValidationTimeoutMs":5000,"ok":false,"error":"ETIMEDOUT"}
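The two response shapes above can be turned into a health check. The following is an added example, not part of the original documentation or of Snyk Broker; the function names are hypothetical, and the userinfo redaction is a precaution for the case where the validation URL was configured with credentials.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# The two sample responses shown above, copied from this page.
SUCCESS = '{"brokerClientValidationUrl":"https://acme.com/service/rest/v1/status","brokerClientValidationMethod":"GET","brokerClientValidationTimeoutMs":5000,"brokerClientValidationUrlStatusCode":200,"ok":true}'
FAILURE = '{"brokerClientValidationUrl":"https://acme.com/service/rest/v1/status","brokerClientValidationMethod":"GET","brokerClientValidationTimeoutMs":5000,"ok":false,"error":"ETIMEDOUT"}'


def redact_userinfo(url):
    """Replace any user:password@ part of a URL with ***@ before it is logged."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, "***@" + host, parts.path, parts.query, parts.fragment))


def evaluate_systemcheck(body):
    """Return (healthy, message) for the body of a /systemcheck response."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False, "response is not JSON"
    if not isinstance(data, dict):
        return False, "unexpected response shape"
    url = redact_userinfo(str(data.get("brokerClientValidationUrl", "?")))
    if data.get("ok") is True:
        return True, f"{url} answered {data.get('brokerClientValidationUrlStatusCode')}"
    return False, f"{url} failed: {data.get('error', 'unknown error')}"


if __name__ == "__main__":
    for sample in (SUCCESS, FAILURE):
        print(evaluate_systemcheck(sample))
```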

Broker variables

Nexus 3
  • BROKER_TOKEN: The token generated in settings > Integrations > Nexus
  • BASE_NEXUS_URL: The URL to your Nexus instance in the format: BASE_NEXUS_URL=https://[username_or_token:password_or_token]@acme.com
    Must not end with a forward slash.
    Optional fields:
      1. Auth: Omit if no auth is required. Can be either plain text or a two-part token (Nexus Pro). URL-encode the username, password and tokens to avoid errors that may prevent authentication.
    Minimal example: acme.com
    Complex example: https://alice:[email protected]
  • RES_BODY_URL_SUB: The URL of the Nexus instance, including https:// and /repository and without basic auth credentials.
    Required for npm/Yarn integrations only.
    Must not end with a forward slash.
    Example: https://acme.com/repository
  • BROKER_CLIENT_VALIDATION_URL: Will be one of:
      • $BASE_NEXUS_URL/service/rest/v1/status/check (if your Nexus user requires authentication)
      • $BASE_NEXUS_URL/service/rest/v1/status (if your Nexus user requires NO authentication)
    Examples:
      • https://username:[email protected]/service/rest/v1/status/check
      • https://acme.com/service/rest/v1/status
Nexus 2
  • BROKER_TOKEN: The token generated in settings > Integrations > Nexus
  • BASE_NEXUS_URL: Format: BASE_NEXUS_URL=https://[username_or_token:password_or_token]@acme.com
    Must not end with a forward slash.
    Optional fields:
      1. Auth: Omit if no auth is required. Can be either plain text or a two-part token (Nexus Pro). URL-encode the username, password and tokens to avoid errors that may prevent authentication.
    Minimal example: https://acme.com
    Complex example: https://alice:[email protected]
  • RES_BODY_URL_SUB: The URL of the Nexus instance, including https:// and /nexus/content and without basic auth credentials.
    Required for npm/Yarn integrations only.
    Must not end with a forward slash.
    Examples: https://acme.com/nexus/content/groups and https://acme.com/nexus/content/repositories
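The Nexus 3 rules above (URL-encoded credentials, no trailing slash, no credentials in RES_BODY_URL_SUB, and the choice between /status/check and /status) can be applied mechanically. This is an added example, not Snyk's own tooling; build_nexus3_env, write_env_file and the broker.env file name are hypothetical, and it covers Nexus 3 only. It writes the values to an owner-only file for Docker's --env-file option so the credentials do not have to appear on the docker run command line.

```python
import os
from urllib.parse import quote


def build_nexus3_env(token, host, username=None, password=None):
    """Build the Nexus 3 Broker Client variables for a bare host such as acme.com."""
    if not host or any(c in host for c in "/@ "):
        raise ValueError("host must be a bare hostname[:port] without scheme, path or credentials")
    auth = ""
    if username is not None:
        # safe="" percent-encodes ':', '@' and '/' too; left raw they would be
        # parsed as URL delimiters and authentication would fail.
        auth = f"{quote(username, safe='')}:{quote(password or '', safe='')}@"
    base = f"https://{auth}{host}"  # never ends with '/', as the table requires
    # /status/check when the Nexus user authenticates, /status otherwise.
    status = "/service/rest/v1/status/check" if auth else "/service/rest/v1/status"
    return {
        "BROKER_TOKEN": token,
        "BASE_NEXUS_URL": base,
        "RES_BODY_URL_SUB": f"https://{host}/repository",  # no credentials here
        "BROKER_CLIENT_VALIDATION_URL": base + status,
    }


def write_env_file(env, path):
    """Write KEY=VALUE lines for `docker run --env-file`, readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # also tightens a pre-existing file
        for key, value in env.items():
            fh.write(f"{key}={value}\n")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    env = build_nexus3_env("secret-broker-token", "acme.com", "alice", "p@ss/w:rd")
    write_env_file(env, "broker.env")
    print("wrote broker.env; pass it with: docker run --env-file broker.env ... snyk/broker:nexus")
```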

Nexus user permissions

The Nexus user needs the following privileges (either as part of a Role or added individually):
Nexus 3
  • nx-metrics-all (for the system status check endpoint)
  • nx-repository-view-[*-* | <ecosystem-repo-name>]-read
  • nx-repository-view-[*-* | <ecosystem-repo-name>]-browse
Nexus 2
  • Status - Read
  • All [<ecosystem>] Repositories - (read)
  • [All Repositories | <repoName>] - (view)