From 8a8b8634bf644e539bace3f582b51f7dfc3f6444 Mon Sep 17 00:00:00 2001 From: Alhoussein <84826294+alhss@users.noreply.github.com> Date: Mon, 15 Sep 2025 17:26:31 -0400 Subject: [PATCH 1/8] Enhance guidance for go proxy server in Dependabot Added details on configuring private proxies and direct access for Go modules. --- ...nfiguration-of-private-registries-for-dependabot.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md index f4301b9db386..2c87ccd41f6c 100644 --- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md 
@@ -270,10 +270,16 @@ GONOSUMDB=my-company.com/* #### Notes -{% data reusables.dependabot.access-private-dependencies-link %} - This feature enables unified dependency management for both public and private Go modules within a single {% data variables.product.prodname_dependabot %} workflow, making it ideal for organizations using corporate artifact management systems like JFrog Artifactory or Nexus. +**Private Proxy Serving All Modules**: All module requests go through your proxy first. For public modules fetching failures, your proxy returns 404/410 and Go falls back to direct version control system(VCS) access, but for private modules for example published to only a private repository like Jfrog artifactory. the VCS fall back will not work since they are only accessible through the proxy. + +**Private Proxy Serving Private Modules**: add a go.env to your repository root, and set up a GONOSUMDB matching the private modules pattern(eg. `GONOSUMDB=my-company.com/*`. For all private modules starting with my-company.com/). This will disable the public checksum validation of your private modules. Because the public checksum does not have your private modules. + +**Direct Access to Private Modules**: Set `GOPRIVATE=my-company.com/*` to bypass proxies and fetch directly from VCS. This only works if private modules are properly published with semantic version tags in your source control. + +{% data reusables.dependabot.access-private-dependencies-link %} + ### Maven Maven supports username and password authentication. For more information, see `maven-repository` in [AUTOTITLE](/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot#maven-repository). From 3b8a1bd669cd16f97f7a6ef2351e1dbb2446da14 Mon Sep 17 00:00:00 2001 
From: Sharra-writes Date: Mon, 15 Sep 2025 14:54:15 -0700 Subject: [PATCH 2/8] Update content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- ...or-the-configuration-of-private-registries-for-dependabot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md index 2c87ccd41f6c..a54f4bfe5234 100644 --- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md 
@@ -272,7 +272,7 @@ GONOSUMDB=my-company.com/* This feature enables unified dependency management for both public and private Go modules within a single {% data variables.product.prodname_dependabot %} workflow, making it ideal for organizations using corporate artifact management systems like JFrog Artifactory or Nexus. -**Private Proxy Serving All Modules**: All module requests go through your proxy first. For public modules fetching failures, your proxy returns 404/410 and Go falls back to direct version control system(VCS) access, but for private modules for example published to only a private repository like Jfrog artifactory. the VCS fall back will not work since they are only accessible through the proxy. +**Private Proxy Serving All Modules**: All module requests go through your proxy first. For public modules fetching failures, your proxy returns 404/410 and Go falls back to direct version control system(VCS) access, but for private modules for example published to only a private repository like JFrog Artifactory. The VCS fall back will not work since they are only accessible through the proxy. **Private Proxy Serving Private Modules**: add a go.env to your repository root, and set up a GONOSUMDB matching the private modules pattern(eg. `GONOSUMDB=my-company.com/*`. For all private modules starting with my-company.com/). This will disable the public checksum validation of your private modules. Because the public checksum does not have your private modules. From 558aa64027f41a2ccae5bf82c9c343127f6589e9 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Mon, 15 Sep 2025 14:55:43 -0700 Subject: [PATCH 3/8] Update content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- ...or-the-configuration-of-private-registries-for-dependabot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md index a54f4bfe5234..e4eb479281d9 100644 --- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md 
@@ -274,7 +274,7 @@ This feature enables unified dependency management for both public and private G **Private Proxy Serving All Modules**: All module requests go through your proxy first. For public modules fetching failures, your proxy returns 404/410 and Go falls back to direct version control system(VCS) access, but for private modules for example published to only a private repository like JFrog Artifactory. The VCS fall back will not work since they are only accessible through the proxy. -**Private Proxy Serving Private Modules**: add a go.env to your repository root, and set up a GONOSUMDB matching the private modules pattern(eg. `GONOSUMDB=my-company.com/*`. For all private modules starting with my-company.com/). This will disable the public checksum validation of your private modules. Because the public checksum does not have your private modules. +**Private Proxy Serving Private Modules**: add a go.env to your repository root, and set up a GONOSUMDB matching the private modules pattern (e.g., `GONOSUMDB=my-company.com/*` for all private modules starting with my-company.com/). This will disable the public checksum validation of your private modules because the public checksum database does not have your private modules. **Direct Access to Private Modules**: Set `GOPRIVATE=my-company.com/*` to bypass proxies and fetch directly from VCS. This only works if private modules are properly published with semantic version tags in your source control. From ce181fe738661bd5968ad1fee34e85b640c4b273 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Mon, 15 Sep 2025 14:59:26 -0700 Subject: [PATCH 4/8] Update content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md --- ...or-the-configuration-of-private-registries-for-dependabot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md index e4eb479281d9..bd115d8e1708 100644 --- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md 
@@ -274,7 +274,7 @@ This feature enables unified dependency management for both public and private G **Private Proxy Serving All Modules**: All module requests go through your proxy first. For public modules fetching failures, your proxy returns 404/410 and Go falls back to direct version control system(VCS) access, but for private modules for example published to only a private repository like JFrog Artifactory. The VCS fall back will not work since they are only accessible through the proxy. -**Private Proxy Serving Private Modules**: add a go.env to your repository root, and set up a GONOSUMDB matching the private modules pattern (e.g., `GONOSUMDB=my-company.com/*` for all private modules starting with my-company.com/). This will disable the public checksum validation of your private modules because the public checksum database does not have your private modules. +**Private Proxy Serving Private Modules**: add a go.env to your repository root, and set up a GONOSUMDB matching the private modules pattern (for example, `GONOSUMDB=my-company.com/*` for all private modules starting with my-company.com/). Doing this will disable the public checksum validation of your private modules because the public checksum database does not have those private modules. **Direct Access to Private Modules**: Set `GOPRIVATE=my-company.com/*` to bypass proxies and fetch directly from VCS. This only works if private modules are properly published with semantic version tags in your source control. From c39562b6c2ee2e23e70895c24fd1549a7c259e3a Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Mon, 15 Sep 2025 15:02:11 -0700 Subject: [PATCH 5/8] Update content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md --- ...or-the-configuration-of-private-registries-for-dependabot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md index bd115d8e1708..e211cbf62a4b 100644 --- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md 
@@ -272,7 +272,7 @@ GONOSUMDB=my-company.com/* This feature enables unified dependency management for both public and private Go modules within a single {% data variables.product.prodname_dependabot %} workflow, making it ideal for organizations using corporate artifact management systems like JFrog Artifactory or Nexus. -**Private Proxy Serving All Modules**: All module requests go through your proxy first. For public modules fetching failures, your proxy returns 404/410 and Go falls back to direct version control system(VCS) access, but for private modules for example published to only a private repository like JFrog Artifactory. The VCS fall back will not work since they are only accessible through the proxy. +**Private Proxy Serving All Modules**: All module requests go through your proxy first. For public modules fetching failures, your proxy returns 404/410 and Go falls back to direct version control system (VCS) access. For private modules, like those published only to a private repository like JFrog Artifactory, the VCS fall back will not work since they are only accessible through the proxy. **Private Proxy Serving Private Modules**: add a go.env to your repository root, and set up a GONOSUMDB matching the private modules pattern (for example, `GONOSUMDB=my-company.com/*` for all private modules starting with my-company.com/). Doing this will disable the public checksum validation of your private modules because the public checksum database does not have those private modules. From e7b1049d6ad817d39e08c8a2bbdc995c400497bf Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Mon, 15 Sep 2025 15:03:35 -0700 Subject: [PATCH 6/8] Update content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md --- ...or-the-configuration-of-private-registries-for-dependabot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md index e211cbf62a4b..b7332a0e4b5b 100644 --- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md @@ -276,7 +276,7 @@ This feature enables unified dependency management for both public and private G **Private Proxy Serving Private Modules**: add a go.env to your repository root, and set up a GONOSUMDB matching the private modules pattern (for example, `GONOSUMDB=my-company.com/*` for all private modules starting with my-company.com/). Doing this will disable the public checksum validation of your private modules because the public checksum database does not have those private modules. -**Direct Access to Private Modules**: Set `GOPRIVATE=my-company.com/*` to bypass proxies and fetch directly from VCS. This only works if private modules are properly published with semantic version tags in your source control. +**Direct Access to Private Modules**: Set `GOPRIVATE=my-company.com/*` to bypass proxies and fetch directly from VCS. This setting only works if private modules are properly published with semantic version tags in your source control. {% data reusables.dependabot.access-private-dependencies-link %} From 4c186c94db166b6cfd236b4835653f10991aad77 Mon Sep 17 00:00:00 2001 
From: Sharra-writes Date: Mon, 15 Sep 2025 15:04:58 -0700 Subject: [PATCH 7/8] Update content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md --- ...or-the-configuration-of-private-registries-for-dependabot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md index b7332a0e4b5b..a1d78bd9fd7d 100644 --- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md 
@@ -274,7 +274,7 @@ This feature enables unified dependency management for both public and private G **Private Proxy Serving All Modules**: All module requests go through your proxy first. For public modules fetching failures, your proxy returns 404/410 and Go falls back to direct version control system (VCS) access. For private modules, like those published only to a private repository like JFrog Artifactory, the VCS fall back will not work since they are only accessible through the proxy. -**Private Proxy Serving Private Modules**: add a go.env to your repository root, and set up a GONOSUMDB matching the private modules pattern (for example, `GONOSUMDB=my-company.com/*` for all private modules starting with my-company.com/). Doing this will disable the public checksum validation of your private modules because the public checksum database does not have those private modules. +**Private Proxy Serving Private Modules**: Add a go.env to your repository root, and set up a GONOSUMDB matching the private modules pattern (for example, `GONOSUMDB=my-company.com/*` for all private modules starting with my-company.com/). Doing this will disable the public checksum validation of your private modules because the public checksum database does not have those private modules. **Direct Access to Private Modules**: Set `GOPRIVATE=my-company.com/*` to bypass proxies and fetch directly from VCS. This setting only works if private modules are properly published with semantic version tags in your source control. From a4ab5784c7445b143f24f4fd058fe65633c393b9 Mon Sep 17 00:00:00 2001 From: Sharra-writes Date: Mon, 15 Sep 2025 15:06:58 -0700 Subject: [PATCH 8/8] Update content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md --- ...or-the-configuration-of-private-registries-for-dependabot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md index a1d78bd9fd7d..8b1a0855c8a2 100644 --- a/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md +++ b/content/code-security/dependabot/working-with-dependabot/guidance-for-the-configuration-of-private-registries-for-dependabot.md 
@@ -272,7 +272,7 @@ GONOSUMDB=my-company.com/* This feature enables unified dependency management for both public and private Go modules within a single {% data variables.product.prodname_dependabot %} workflow, making it ideal for organizations using corporate artifact management systems like JFrog Artifactory or Nexus. -**Private Proxy Serving All Modules**: All module requests go through your proxy first. For public modules fetching failures, your proxy returns 404/410 and Go falls back to direct version control system (VCS) access. For private modules, like those published only to a private repository like JFrog Artifactory, the VCS fall back will not work since they are only accessible through the proxy. +**Private Proxy Serving All Modules**: All module requests go through your proxy first. For public modules fetching failures, your proxy returns 404/410 and Go falls back to direct version control system (VCS) access. For private modules, such as those published only to a private repository like JFrog Artifactory, the VCS fall back will not work since they are only accessible through the proxy. **Private Proxy Serving Private Modules**: Add a go.env to your repository root, and set up a GONOSUMDB matching the private modules pattern (for example, `GONOSUMDB=my-company.com/*` for all private modules starting with my-company.com/). Doing this will disable the public checksum validation of your private modules because the public checksum database does not have those private modules.
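Review bot: In PATCH 1/8, the "Private Proxy Serving All Modules" note states that on a 404/410 from the proxy "Go falls back to direct version control system(VCS) access", but that fallthrough only happens when the GOPROXY list itself ends in `direct` (for example `GOPROXY=https://proxy.my-company.com,direct`); with GOPROXY set to the proxy URL alone, a 404/410 is a hard failure for public modules as well. The note should state that requirement, and ideally that the 404/410 fallthrough is specific to the comma separator (a `|` separator falls through on any error, including network errors), since the difference decides whether a proxy outage silently turns into direct fetches. Minor: "fall back" used as a noun should be "fallback" in both new paragraphs.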
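Review bot: PATCH 2/8 fixes the "JFrog Artifactory" capitalization but leaves the sentence broken: "but for private modules for example published to only a private repository like JFrog Artifactory." is still a fragment, and the following "The VCS fall back will not work" now starts a new sentence with no subject for "they". PATCH 5/8 rewrites this same line properly, so this commit and the later fixups (5, 7, 8) are better squashed into one before merge rather than landing a known-broken intermediate state.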
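Review bot: In PATCH 3/8, the "Private Proxy Serving Private Modules" paragraph says GONOSUMDB "will disable the public checksum validation of your private modules" without saying what still protects them or how wide the pattern reaches. Two additions would help a reader set this safely: first, `GONOSUMDB` only skips the checksum-database (sum.golang.org) lookup, while the hashes already recorded in `go.sum` are still enforced, so the trust for a first fetch moves entirely to the proxy; second, the pattern should be as narrow as possible, because `my-company.com/*` accepts anything the proxy serves under that whole path prefix with no independent check. Style: the variable is written as bare "GONOSUMDB" here but as `GOPRIVATE=my-company.com/*` in code formatting in the next paragraph; use backticks consistently, e.g. "set `GONOSUMDB` to a pattern matching your private modules".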
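Review bot: In PATCH 6/8, the "Direct Access to Private Modules" line says `GOPRIVATE=my-company.com/*` makes Go "bypass proxies and fetch directly from VCS", which understates what the setting turns off: GOPRIVATE is the default value for both GONOPROXY and GONOSUMDB, so it also disables checksum-database verification for every matching path. The note should say so explicitly, since a reader comparing the three options needs to know this one carries the same checksum trade-off as the GONOSUMDB option, plus the requirement that the VCS host be reachable with credentials (which is what the `{% data reusables.dependabot.access-private-dependencies-link %}` reusable placed after these notes presumably covers). "semantic version tags" could also name the expected form (`vMAJOR.MINOR.PATCH`) so the condition is checkable.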
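Review bot: PATCH 8/8 replaces "like those" with "such as those" to remove the doubled "like", but the opening of the same sentence, "For public modules fetching failures, your proxy returns 404/410 and Go falls back ...", survives all eight revisions and still reads awkwardly; suggest "When a public module is not found, your proxy returns 404/410 and Go falls back to direct version control system (VCS) access." The unchanged GONOSUMDB context line in this hunk also still has "the private modules pattern" where "a pattern matching your private modules" is clearer, and could be folded into the same final pass.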