Feature(enterprise): Sonatype Nexus and Nexus Firewall integration
Much like the Coder integration with JFrog, a Sonatype integration would give the same seamless developer experience for installing artifacts and scanning them (including the running workspaces).
Enterprise companies would use the entire suite of Sonatype tools to
The feature could include:
- Automatic authentication to pull artifacts from a Nexus Repo (https://www.sonatype.com/products/sonatype-nexus-repository)
- Scanning of Workspace containers
- Scanning of project dependencies (https://www.sonatype.com/products/open-source-security-dependency-management)
I know that currently Nexus Repos don't allow for OIDC like JFrog Artifactory does, but in the short term a guide or a recommendation for a workaround would be great!
Here are some workarounds:
- For automatic authentication, within a template that fetches Docker images from a Nexus repo, sensitive Terraform variables can be used to store the username and password/token of a user, which can then be used to authenticate with the Docker repo.
- For configuring the workspaces to also pull artifacts from Nexus repositories, the template can make use of the User Token REST API to fetch and inject these into workspaces.
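As an added illustration of the first workaround (not code from the issue or from Coder's own templates), the registry-auth portion of a Coder Terraform template; the registry address and image name are placeholders you would replace with your own Nexus Docker-hosted repository:

```hcl
terraform {
  required_providers {
    docker = { source = "kreuzwerker/docker" }
  }
}

# Placeholder: hostname:port of the Nexus Docker-hosted repository.
variable "nexus_registry" {
  type    = string
  default = "nexus.example.internal:8443"
}

# Marked sensitive so Terraform redacts the values in plan/apply output
# and they are not echoed back in the Coder template UI. They are still
# persisted as template variables on the Coder server.
variable "nexus_username" {
  type      = string
  sensitive = true
}

variable "nexus_password" {
  type      = string
  sensitive = true
}

# The Docker provider authenticates to the Nexus registry with the
# sensitive variables; no credentials are hard-coded in the template.
provider "docker" {
  registry_auth {
    address  = var.nexus_registry
    username = var.nexus_username
    password = var.nexus_password
  }
}

# Resolve the image digest so the workspace re-pulls when the tag moves.
data "docker_registry_image" "workspace" {
  name = "${var.nexus_registry}/coder/workspace-base:latest"
}

resource "docker_image" "workspace" {
  name          = data.docker_registry_image.workspace.name
  pull_triggers = [data.docker_registry_image.workspace.sha256_digest]
}
```

Prefer a dedicated Nexus service account or user token with read-only access to the hosted repository over a personal password, since the value lives in the template rather than with the user.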
@matifali That is not an option, and we would still need to have a user secret stored somewhere.
Would there be an option to have a personal vault in the users profile for secrets?
Personal vault would be awesome if it was available during workspace creation, too, like secret build pipeline parameters that get added to the environment during pipeline execution but are otherwise not visible. That'd help a lot in dotfiles support to enable connecting to various sources and pulling things in for user-specific environment initialization. "Connect to this private/internal PowerShell gallery and pull down the default set of PowerShell modules." That sort of thing.
Is there the ability to use this in the offline install mode? For the modules?