Optimizing Repository Security and Performance with Include and Exclude Patterns

Repositories are the building blocks of Artifactory, and there are three basic types: Local repositories are where you store your in-house artifacts; remote repositories proxy remote resources and cache artifacts downloaded from them (e.g. JCenter, the NuGet Gallery, repositories in other Artifactory instances, and others); and virtual repositories aggregate both local and remote repositories under a single URL. Managing the security of repositories to keep them free of malicious artifacts is essential for any enterprise. You need a way to control what gets downloaded to your remote repositories, and what gets uploaded to your local repositories. You also need to ensure that access to artifacts is quick and efficient so that your development and build processes don’t get held up waiting for artifacts to be downloaded. “Include and Exclude Patterns” are a great way to manage these issues.

Include what you want, exclude what you don’t want

Include and exclude patterns are specified using wildcard text patterns, and the rule can loosely be stated like this: Artifactory will only let you upload an artifact to, or download an artifact from, a repository if its name matches at least one of the include patterns and does not match any of the exclude patterns specified for that repository.

Manage security and get a performance boost with exclude patterns

Exclude patterns give organizations a way to manage security risks by restricting access to certain external resources. Let’s consider an example. Acme Corp is developing a new product, and its build artifacts have dependencies that need to be resolved from a variety of sources, some internal (for example, team A builds an artifact that team B needs), and others external (such as an open source library that needs to be downloaded from an external, public repository). Typically, an Artifactory administrator will have defined a virtual repository that aggregates local and remote repositories, through which the team (and its build scripts) will access resources to resolve dependencies. Now consider that the name of one of the internal dependencies has been misspelled. Artifactory will first search for the artifact through the local repositories, but since its name is misspelled, it will not be found. Then, if there are no restrictions, Artifactory will try to resolve the artifact from remote repositories; in fact, from all remote repositories aggregated by the virtual repository. The problem is that these artifact requests get logged at the remote resources, exposing the full details of the query, which may contain sensitive business information.

Exclude patterns can prevent this potential leak. By adding a common prefix (such as “com.companyname”) to the exclude pattern of remote repositories (or even better, to a virtual repository that aggregates all the remote ones), any requests to resolve internal, local artifacts are blocked, so requests containing any related sensitive information never leave your organization. An additional bonus is that the exclude pattern also improves performance by preventing Artifactory from searching for internal artifacts in external resources and, therefore, avoiding redundant networking.

You can also use exclude patterns to restrict the use of old versions of dependencies. For example, if you know that one of the dependencies you need has a significant bug fix in version 3.0, you can add versions 1 and 2 to the exclude pattern for the repository from which that dependency is downloaded. An exclude pattern that does that might look something like this:

**/some-dependency/1*/**, **/some-dependency/2*/**

Avoid clutter with include patterns

Include patterns help you avoid clutter in your local repositories by making sure that only certain types of artifact can be hosted there. For example, you could keep artifacts from different projects clearly separated in their own repositories. By defining an include pattern such as

**/org/mycompany/myproject/**

you can ensure that only artifacts from “myproject” can be uploaded and stored there.
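To make the rule concrete, here is an added example (not Artifactory's own code) that implements the accept/reject logic described above and runs the three patterns from this post against sample artifact paths: the misspelled internal dependency blocked by an exclude prefix, the old-version excludes, and the per-project include. It assumes Ant-style wildcard semantics (`**` spans path segments, `*` and `?` stay within one) and a Maven layout, so the groupId “com.companyname” appears on disk as the path prefix `com/companyname/`; the repository names and paths are constructed for illustration.

```python
import re

# Ant-style tokens, longest first: '**' spans path segments, '*' and '?' stay within one.
TOKENS = (("**/", "(?:[^/]+/)*"), ("**", ".*"), ("*", "[^/]*"), ("?", "[^/]"))

def ant_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into an anchored regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.endswith("/**") and i == len(pattern) - 3:
            out.append("(?:/.*)?")            # trailing '/**': the segment itself or anything below it
            break
        for tok, rx in TOKENS:
            if pattern.startswith(tok, i):
                out.append(rx)
                i += len(tok)
                break
        else:
            out.append(re.escape(pattern[i]))  # literal character
            i += 1
    return re.compile("^" + "".join(out) + "$")

def split_patterns(spec: str) -> list:
    """Artifactory takes several patterns in one comma-separated field."""
    return [p.strip() for p in spec.split(",") if p.strip()]

def is_allowed(path: str, includes: str = "**/*", excludes: str = "") -> bool:
    """Accept a path only if it matches at least one include pattern and none of the
    exclude patterns. '**/*' stands in for the 'include everything' default."""
    inc = [ant_pattern_to_regex(p) for p in split_patterns(includes)]
    exc = [ant_pattern_to_regex(p) for p in split_patterns(excludes)]
    return any(r.match(path) for r in inc) and not any(r.match(path) for r in exc)

def remotes_that_receive_request(path: str, remotes: dict) -> list:
    """Names of the remote repositories (name -> (includes, excludes)) to which a
    virtual-repository lookup would forward the request for this path."""
    return [name for name, (inc, exc) in remotes.items() if is_allowed(path, inc, exc)]

# Constructed sample configuration, not a real Artifactory setup. The groupId
# 'com.companyname' is stored under 'com/companyname/', so that is what the exclude
# pattern has to name. Note that '1*' also matches versions such as '10.0'.
SAMPLE_REMOTES = {
    "jcenter-unrestricted": ("**/*", ""),
    "jcenter-guarded": ("**/*",
        "com/companyname/**, **/some-dependency/1*/**, **/some-dependency/2*/**"),
}
```

With the guarded configuration, a request for a misspelled internal artifact such as `com/companyname/teama/wiget/1.0/wiget-1.0.jar` is only forwarded to the unrestricted remote, while a public library passes both.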

Whether you’re in a small startup or a large enterprise, security is always a concern. Include and exclude patterns offer a simple way to add a layer of security to your operations while improving performance by reducing redundant networking. By tailoring the include and exclude patterns for all your repositories in Artifactory, you gain fine-grained control over which binaries are uploaded into your repositories and which are downloaded from external resources.