
Phylum NuGet Registry

The Phylum NuGet registry is based on NuGet's Server API.

Configuration

All configuration options will require a Phylum API key, since Phylum requires authentication. You can find out how to generate one in our API Keys documentation.

In the following examples, all API keys will be represented as <PHYLUM_API_KEY>, so make sure to replace them with your generated key.

Additionally, if the default policy is not sufficient, a group can be passed to evaluate all packages against the group's policy. To do this, just replace <PHYLUM_ORG> and <PHYLUM_GROUP> with the desired org and group name. The supplied API key must have access to this group.

If Phylum's default policy is sufficient, you can omit the username from the authentication details.

dotnet

To use the Phylum NuGet registry, the original nuget.org registry first needs to be disabled:

dotnet nuget disable source nuget.org

Once the official registry is disabled, the Phylum source can be added. If you're not running Windows, you'll also have to add the --store-password-in-clear-text flag: without it, NuGet encrypts the password with Windows DPAPI, which is not available on other platforms. With it, the API key is written unencrypted to the user-level NuGet.Config (~/.nuget/NuGet/NuGet.Config on Linux and macOS), so restrict access to that file as you would any credential file.

dotnet nuget add source https://nuget.phylum.io/v3/index.json \
--protocol-version 3 \
--name Phylum \
--valid-authentication-types basic \
--username <PHYLUM_ORG>/<PHYLUM_GROUP> \
--password <PHYLUM_API_KEY>

⚠️ WARNING ⚠️

The key is passed on the command line, so it will end up in your shell history. Do not accidentally save your token there: supply it from an environment variable, or prevent the command from being recorded (for example with a leading space when HISTCONTROL includes ignorespace).

A blocked package will show up in dotnet output as missing:

/Demo.csproj : error NU1102: Unable to find package Example.Vulnerable with version (= 1.2.3)
/Demo.csproj : error NU1102: - Found 42 version(s) in Phylum [ Nearest version: 2.0.0 ]

A blocked version is simply absent from the registry's version list, and NuGet resolves a dependency to the lowest listed version that satisfies the manifest's range. So if the manifest accepts a version range rather than an exact pin, restore will automatically move to a version that passes Phylum's policy; an exact pin on a blocked version fails with NU1102 as shown above.

nuget

To use the Phylum NuGet registry, the original nuget.org registry first needs to be disabled:

nuget sources Disable -Name nuget.org

Once the official registry is disabled, the Phylum source can be added. If you're not running Windows, you'll also have to add the -StorePasswordInClearText flag (the nuget.exe spelling of dotnet's --store-password-in-clear-text): without it, NuGet encrypts the password with Windows DPAPI, which is not available on other platforms. With it, the API key is written unencrypted to the user-level NuGet.Config (~/.nuget/NuGet/NuGet.Config on Linux and macOS), so restrict access to that file as you would any credential file.

nuget sources Add \
-Source https://nuget.phylum.io/v3/index.json \
-ProtocolVersion 3 \
-Name Phylum \
-UserName <PHYLUM_ORG>/<PHYLUM_GROUP> \
-Password <PHYLUM_API_KEY>

⚠️ WARNING ⚠️

The key is passed on the command line, so it will end up in your shell history. Do not accidentally save your token there: supply it from an environment variable, or prevent the command from being recorded (for example with a leading space when HISTCONTROL includes ignorespace).
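Both the dotnet and the nuget procedures above end up editing the same NuGet.Config, and a source re-enabled by a user-level or machine-level config silently bypasses Phylum's policy. The following audit script is an added example for this page, not Phylum's or NuGet's own code: it parses a NuGet.Config, reports which sources are actually enabled after disabledPackageSources is applied, and lists sources whose credentials are stored as ClearTextPassword. The sample config embedded in it is constructed to look like what the two commands on this page write; the registry URL is the one from the page.

```python
"""Audit a NuGet.Config to confirm the registry swap took effect.

Added example for this page (not Phylum's or NuGet's own code).
"""
import xml.etree.ElementTree as ET

PHYLUM_SOURCE = "https://nuget.phylum.io/v3/index.json"

# Constructed sample: a user-level NuGet.Config after
# `dotnet nuget disable source nuget.org` and `dotnet nuget add source ...`
# with --store-password-in-clear-text (key value redacted).
SAMPLE_CONFIG = """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="Phylum" value="https://nuget.phylum.io/v3/index.json" protocolVersion="3" />
  </packageSources>
  <disabledPackageSources>
    <add key="nuget.org" value="true" />
  </disabledPackageSources>
  <packageSourceCredentials>
    <Phylum>
      <add key="Username" value="example-org/example-group" />
      <add key="ClearTextPassword" value="REDACTED" />
      <add key="ValidAuthenticationTypes" value="basic" />
    </Phylum>
  </packageSourceCredentials>
</configuration>
"""


def enabled_sources(config_xml):
    """Return {name: url} for every source that is not disabled."""
    root = ET.fromstring(config_xml)
    sources = {}
    for add in root.findall("./packageSources/add"):
        sources[add.get("key")] = add.get("value")
    disabled = {
        add.get("key")
        for add in root.findall("./disabledPackageSources/add")
        if add.get("value", "").lower() == "true"
    }
    return {name: url for name, url in sources.items() if name not in disabled}


def clear_text_credentials(config_xml):
    """Return the names of sources whose password is stored unencrypted.

    packageSourceCredentials uses one child element per source name."""
    root = ET.fromstring(config_xml)
    names = []
    for source in root.findall("./packageSourceCredentials/*"):
        for add in source.findall("add"):
            if add.get("key") == "ClearTextPassword":
                names.append(source.tag)
    return names


def audit(config_xml):
    """Summarise what matters before trusting a restore from this config."""
    enabled = enabled_sources(config_xml)
    others = {n: u for n, u in enabled.items() if u != PHYLUM_SOURCE}
    return {
        "phylum_enabled": PHYLUM_SOURCE in enabled.values(),
        # Any entry here lets packages in without policy evaluation.
        "other_sources_enabled": others,
        # These files hold a live API key; check their permissions.
        "clear_text_credentials": clear_text_credentials(config_xml),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against each config NuGet merges (repo-level nuget.config, then the user-level and machine-level files); `dotnet nuget list source` shows the merged result, but the script tells you which file contributed the stray source.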

A blocked package will show up in nuget output as missing:

Package 'Example.Vulnerable 1.2.3' is not found in the following primary source(s): 'https://nuget.phylum.io/v3/index.json'. Please verify all your online package sources are available (OR) package id, version are specified correctly.

A blocked version is simply absent from the registry's version list, and NuGet resolves a dependency to the lowest listed version that satisfies the manifest's range. So if the manifest accepts a version range rather than an exact pin, restore will automatically move to a version that passes Phylum's policy; an exact pin on a blocked version fails with the "not found" error shown above.
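The resolution behaviour described at the end of both the dotnet and the nuget sections can be checked by hand. The script below is an added example for this page, not NuGet's or Phylum's own resolver: it implements NuGet's lowest-applicable-version rule over a minimal subset of NuGet range syntax and runs the same manifest specs against two constructed version lists, one standing in for everything nuget.org publishes and one standing in for what the Phylum registry exposes once version 1.2.3 has been blocked by policy (the package name and version are taken from the page's error output; the version lists themselves are invented for the example).

```python
"""Why an exact pin on a blocked version fails while a range still restores.

Added example for this page (not NuGet's or Phylum's own code). NuGet picks
the lowest available version that satisfies the manifest range; a version
Phylum blocks is absent from the registry's list, so the pin finds nothing
(NU1102) while a range slides to the next version that passes policy.
"""


def parse_version(text):
    """Parse 'major.minor.patch[.revision][-prerelease]' into a sortable key.

    Missing numeric parts count as 0 (NuGet treats 1.2 as 1.2.0.0) and a
    stable version sorts above its own pre-releases, as in SemVer."""
    core, _, pre = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (4 - len(parts))
    return (tuple(parts), pre == "", pre)


def parse_range(spec):
    """Return (low, low_inclusive, high, high_inclusive) for a NuGet range.

    Handles '1.2.3' (meaning >= 1.2.3), '[1.2.3]' (exact), and bracket
    ranges such as '[1.0,2.0)', '(1.0,2.0]' and '[1.0,)'."""
    spec = spec.strip()
    if spec[0] not in "[(":
        return (parse_version(spec), True, None, False)
    low_inc, high_inc = spec[0] == "[", spec[-1] == "]"
    body = spec[1:-1]
    if "," not in body:                       # exact pin
        v = parse_version(body)
        return (v, True, v, True)
    low, high = (s.strip() for s in body.split(",", 1))
    return (parse_version(low) if low else None, low_inc,
            parse_version(high) if high else None, high_inc)


def satisfies(version, rng):
    """True if `version` lies inside the parsed range."""
    low, low_inc, high, high_inc = rng
    v = parse_version(version)
    if low is not None and (v < low or (v == low and not low_inc)):
        return False
    if high is not None and (v > high or (v == high and not high_inc)):
        return False
    # Pre-release versions only match when the range itself names one.
    if v[2] and not ((low and low[2]) or (high and high[2])):
        return False
    return True


def resolve(spec, available):
    """Lowest available version satisfying spec, or None (restore reports NU1102)."""
    rng = parse_range(spec)
    matches = [v for v in available if satisfies(v, rng)]
    return min(matches, key=parse_version) if matches else None


# Constructed version lists for Example.Vulnerable (the page's example name).
UPSTREAM = ["1.0.0", "1.1.0", "1.2.3", "1.2.4", "1.3.0-beta", "2.0.0"]
# What the Phylum registry exposes once policy has blocked 1.2.3.
PHYLUM_VISIBLE = [v for v in UPSTREAM if v != "1.2.3"]


def demo():
    """Resolve the same manifest specs against both lists: {spec: (upstream, phylum)}."""
    specs = ["[1.2.3]", "1.2.3", "[1.2.0,2.0.0)"]
    return {s: (resolve(s, UPSTREAM), resolve(s, PHYLUM_VISIBLE)) for s in specs}


if __name__ == "__main__":
    for spec, (upstream, phylum) in demo().items():
        print(f"{spec:16} nuget.org -> {upstream!s:8} Phylum -> {phylum or 'NU1102 (blocked)'}")
```

The exact pin `[1.2.3]` is what the page's `(= 1.2.3)` error corresponds to; the bare `1.2.3` in a PackageReference means "1.2.3 or higher", which is why it resolves to 1.2.4 on the Phylum side. Only the stable versions are considered unless the range itself names a pre-release, which matches NuGet's behaviour.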