Package Security Manager (On-prem) CLI#

The conda-repo-cli package is the command-line interface (CLI) tool used to interact with Package Security Manager. You can use it to perform most of the actions that are available through the graphical user interface (GUI). The most common uses include:

  • Listing channel and mirror details

  • Creating channels and mirrors

  • Setting/updating filtering criteria for channels and mirrors

  • Configuring your channel alias and default channels

  • Uploading and managing assets

Installing the conda repo CLI#

  1. Install the conda-repo-cli package by opening Anaconda Prompt (Terminal on macOS/Linux) and running the following command:

    conda install conda-repo-cli
    
  2. Verify your installation was successful and view which version you’ve installed by running the following command:

    conda repo --version
    

Note

As an administrator, you can mirror or upload this package into a channel within your Package Security Manager, allowing your users to access it if they would otherwise be unable to acquire it themselves.

As a user, contact your administrator if you are unable to install conda-repo-cli.

Configuring conda-repo-cli#

You must configure your repository site before you can log in via the CLI.

Configuring your conda repository site tells conda-repo-cli which URL to reach out to and interact with. This information is recorded in your .conda/repo-cli-config.yaml file. Populate the file by running one of the following configuration commands.

Choose the commands that apply to your setup:

Simplified CLI configuration#

If you are using conda-repo-cli version 1.0.35+, run the following command to add your Anaconda URL to your .conda/repo-cli-config.yaml file and set it as the default site for conda to interact with:

# Replace <DOMAIN_NAME> with your Package Security Manager URL domain
conda repo config --set-site <DOMAIN_NAME>

When using this command, only include the domain name of your website. conda-repo-cli automatically detects whether or not you are utilizing SSL certificates and includes this along with the /api suffix when setting your domain name as the default site.

For example, if your Package Security Manager URL is “https://server.example.com” your command would be:

conda repo config --set-site server.example.com

This adds “https://server.example.com/api” to your .conda/repo-cli-config.yaml file with the name server.example.com.

Extended CLI configuration#

Run the following command to add your Package Security Manager website to the .conda/repo-cli-config.yaml file:

# Replace <SITE_NAME> with a short name to reference your Package Security Manager
# Replace <URL> with your Package Security Manager URL
conda repo config --set sites.<SITE_NAME>.url <URL>/api

Then, instruct conda-repo-cli to use the URL you just configured as the default site to interact with by running the command:

# Replace <SITE_NAME> with the name you just assigned to your Package Security Manager
conda repo config --set default_site <SITE_NAME>

For example, if your Package Security Manager URL is https://server.example.com, and you want to name your site anaconda-server, the commands to configure your conda-repo-cli are:

conda repo config --set sites.anaconda-server.url https://server.example.com/api
conda repo config --set default_site anaconda-server

OAuth and SAML configuration#

If your Package Security Manager is using OAuth or SAML for authentication, you must first complete the conda repository site configuration steps, then run this additional command to enable the standard authorization flow:

conda repo config --set oauth2 true

Viewing your current configurations#

To view your current configurations, run the following command:

conda repo config --show-sources

This will return the path to your .conda/repo-cli-config.yaml file, as well as its contents.

Logging in to Package Security Manager via the CLI#

To log in to Package Security Manager using the CLI, run the following command:

conda repo login

You will be prompted to enter your user credentials after running the command. For example:

(base) ➜  ~ conda repo login
Username: anaconda
Password:
login as ADMIN successful

Note

If you are using OAuth or SAML, running conda repo login opens a browser window to log you in to Package Security Manager CLI using your SSO service. After completing your login, the window displays Token Received. You can now close your browser window, return to your terminal, and use the CLI.

Using the CLI#

You must log in before you can perform tasks using CLI commands. The commands you are able to successfully run are based on your assigned roles and permissions. For example, if you are not allowed to create mirrors using Package Security Manager UI, you will not be allowed to run commands that create, update, or otherwise manage mirrors using the CLI. For more information, see roles and permissions.

Using the .condarc configuration wizard#

Use the Package Security Manager CLI's conda repo wizard command to configure channels: and default_channels: while setting a channel_alias for them. You can also use the command to back up and restore your .condarc file.

The channel_alias prepends (is placed in front of) your provided channel name when running conda commands that involve channels. Logging in to the CLI provides the Wizard with the information it needs to set your channel_alias for you. For more information about channel aliases, see Set a channel alias in the official conda docs.

To use the Wizard to configure your .condarc file, run the following command:

conda repo wizard

The Wizard shows you channels from your Package Security Manager that are available for you to add to your .condarc file. Enter the channels you wish to set to your default_channels: list, separated by a space. You must set at least one default channel for the Wizard to continue.

Once complete, enter the channels you want to add to the channels: list, separated by a space. Leave this blank if you do not need to add any additional channels.

Note

Channel names must be exact. Misspelled channel names will not be accepted, for both the default_channels: and channels: lists. If you enter a channel name that does not match an existing channel in your instance, a warning appears and no channel is added to the list.

Your output will look something like this:

Conda configuration wizard.
This wizard will configure your CondaRC file using channels from https://<FQDN>.com

The CondaRC path is /Users/<USER>/.condarc

The following channels are available:
Name                           | Mirror | Privacy         | Owners
---------------------------------------------------------------------------
anaconda                       |  ︎ ✔    | public          | anaconda
web_devs                       |  ︎ ✔    | public          | anaconda
snakes                         |  ︎ ✔    | public          | anaconda
data_sci                       |  ︎ ✔    | public          | anaconda

Provide a space-separated list of channels to set as default_channels
It is common to add mirror channels here.
: web_devs snakes data_sci

If you wish to add channels to the "channels" list
provide a space-separated list. You may leave this blank.
: anaconda
The following Conda configuration will be applied
channel_alias: https://<FQDN>/api/repo
default_channels:
  - web_devs
  - snakes
  - data_sci
channels:
  - defaults
  - anaconda
Confirm changes to /Users/<USER>/.condarc
(The current condarc file will be archived) [Y, n]: y
Backing up your current condarc file to /Users/<USER>/.condarc.backup

To restore your .condarc file to its previous state (what it was before you ran the Wizard), run the following command:

conda repo wizard --restore
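The channel_alias behaviour described above can be checked after the Wizard has run, or after anyone edits .condarc by hand. The following is an added example, not code from conda or conda-repo-cli: it takes the .condarc settings as a dictionary, expands bare channel names and the special name defaults, and reports any channel that does not resolve to the channel_alias host. The host server.example.com and the function names are assumptions, and only bare names, defaults and full URLs are handled.

```python
from urllib.parse import urlsplit

# Constructed sample: the settings from the Wizard output on this page, with
# server.example.com standing in for <FQDN>, plus one channel added by hand
# afterwards to show what the check reports.
SAMPLE_CONDARC = {
    "channel_alias": "https://server.example.com/api/repo",
    "default_channels": ["web_devs", "snakes", "data_sci"],
    "channels": ["defaults", "anaconda", "https://conda.anaconda.org/conda-forge"],
}


def resolve_channels(cfg):
    """Expand channel entries: bare names get channel_alias prepended and
    the special name "defaults" expands to the default_channels list."""
    alias = cfg["channel_alias"].rstrip("/")

    def expand(name):
        # A full URL is used as-is; anything else is a name under the alias.
        return name if "://" in name else f"{alias}/{name}"

    defaults = [expand(c) for c in cfg.get("default_channels", [])]
    resolved = []
    for name in cfg.get("channels", []):
        for url in (defaults if name == "defaults" else [expand(name)]):
            if url not in resolved:
                resolved.append(url)
    return resolved


def channels_outside_alias(cfg):
    """Return resolved channel URLs whose scheme or host differs from channel_alias."""
    alias = urlsplit(cfg["channel_alias"])
    outside = []
    for url in resolve_channels(cfg):
        parts = urlsplit(url)
        if (parts.scheme, parts.hostname) != (alias.scheme, alias.hostname):
            outside.append(url)
    return outside


if __name__ == "__main__":
    for url in resolve_channels(SAMPLE_CONDARC):
        print(url)
    print("outside channel_alias:", channels_outside_alias(SAMPLE_CONDARC))
```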

Channels#

Viewing channels#

To view a list of channels you have access to in Package Security Manager, run the following command:

conda repo channel --list

Viewing a channel’s packages#

To view a list of packages available on a specific channel, run the following command:

# Replace <CHANNEL_NAME> with the name of the channel
conda repo channel --list-packages <CHANNEL_NAME>

Viewing a channel’s files#

To view a list of files available on a specific channel, run the following command:

# Replace <CHANNEL_NAME> with the name of the channel
conda repo channel --list-files <CHANNEL_NAME>

Tip

To view a list of files of a specific artifact family (e.g. general artifacts) within a channel, you can specify that in the command using the --family or -f tag:

# Replace <CHANNEL_NAME> with the name of the channel
# Replace <FAMILY> with the artifact family type (conda, python, cran, anaconda_project, anaconda_env, notebook, gra)
conda repo channel --list-files <CHANNEL_NAME> --family <FAMILY>

Viewing a channel’s details#

To view the details of a channel, run the following command:

conda repo channel --show <CHANNEL_NAME>

The return from this command will display the following information about a channel:

  • The channel’s name

  • The channel’s description

  • Privacy permissions

  • Number of artifacts contained in the channel

  • Number of downloads from the channel

  • Number of mirrors the channel contains

  • Number of subchannels the channel contains

  • When the channel was created

  • The last date the channel was updated

  • Channel owners

Channel privacy permissions#

Package Security Manager CLI allows you to set the privacy permissions of your channels at any time.

To change permissions of your channel to private, allowing only yourself to view the channel, run the following command:

# Replace <CHANNEL_NAME> with your channel name
conda repo channel --lock <CHANNEL_NAME>

To change permissions of your channel to authenticated, allowing only authenticated users to view your channel, run the following command:

# Replace <CHANNEL_NAME> with your channel name
conda repo channel --soft-lock <CHANNEL_NAME>

If you have a private or authenticated channel that you want to make public, run the following command:

# Replace <CHANNEL_NAME> with your channel name
conda repo channel --unlock <CHANNEL_NAME>

Creating a channel#

Create a public channel by running the following command:

# Replace <CHANNEL_NAME> with a name for your channel
conda repo channel --create <CHANNEL_NAME>

Creating a subchannel#

You can create a subchannel within an already existing channel by running the following command:

# Replace <CHANNEL> with the channel you want to contain your subchannel
# Replace <SUBCHANNEL_NAME> with the name for your subchannel
conda repo channel --create <CHANNEL>/<SUBCHANNEL_NAME>

Deleting a channel#

To delete a channel from your Package Security Manager, run the following command:

# Replace <CHANNEL_NAME> with your channel name
conda repo channel --remove <CHANNEL_NAME>

Mirrors#

Mirroring via the CLI can accomplish things that would be cumbersome via the GUI.

Mirrors exist within channels in Package Security Manager. When working in the CLI, you need to create a channel to populate with a mirror or know which channels are already available for mirror hosting. Anaconda recommends that channels contain only one mirror each to prevent conflicts between package sources and mirror filters. It is possible for a channel to contain multiple mirrors; however, you will need to proceed with caution and ensure that your mirror filters do not overlap in a conflicting manner.

Creating a mirror#

The basic command for creating a mirror using the CLI is:

# Replace <MIRROR_NAME> with a name for your mirror
# Replace <SOURCE_URL> with an external source channel for your mirror
# Replace <CHANNEL_NAME> with the name of the channel you want to contain your mirror
# Replace <TYPE> with a valid mirror type (conda, python_simple, or CRAN)
# Replace <MODE> with either active or passive
conda repo mirror --create <MIRROR_NAME> --channel <CHANNEL_NAME> --source <SOURCE_URL> --type <TYPE> --mode <MODE> --run_now

This will create an exact copy of the mirrored repository with no restrictions on what gets copied to your mirror and made available to your users.

Note

Your <TYPE> must match the <SOURCE_URL> mirror. For example, if your source mirror contains conda packages, you must use conda as your mirror type.

You can add arguments to this basic mirror command to further specify configurations for the mirror. This can mean restricting the available packages due to an applied filter, or downloading only specific versions of specific packages to be available on your channel.

To create a mirror and populate it with a specific set of packages, run the following command:

# Replace <MIRROR_NAME> with a name for your mirror
# Replace <CHANNEL_NAME> with the name of the channel you want to contain your mirror
# Replace <SOURCE_URL> with an external source channel for your mirror
# Replace <TYPE> with a valid mirror type (conda, python_simple, or CRAN)
# Replace <MODE> with either active or passive
# Replace <PLATFORMS> with the platforms you need your packages to work for
# Replace <PKG_NAME> with the name of the packages you want mirrored into your repository
conda repo mirror --create <MIRROR_NAME> --channel <CHANNEL_NAME> --source <SOURCE_URL> --mode <MODE> --run_now --subdirs "<PLATFORMS>" --only_spec <PKG_NAME> --only_spec <PKG_NAME>

For example, if you want to create a mirror called “snakes” in a channel you’ve created and named “lua”, and you want to populate the channel with packages for Mac users only, the command would be:

conda repo mirror --create snakes --channel lua --source https://repo.anaconda.com/pkgs/main/ --run_now --mode passive --subdirs "noarch, osx-64, osx-arm64" --only_spec lua --only_spec ncurses --only_spec readline

Caution

Populating your channel with packages in this manner will not automatically populate the channel with their dependencies. If you do not have all the necessary packages, conda won’t be able to successfully create an environment from the channel.

Filtering mirrored packages#

Adding filters to your mirrors ensures that you only mirror the packages that you need in your channel. This ensures that everyone on your team is not only using the same packages, but the same version of those packages for the same operating system. You can also filter by license and common vulnerability and exposure (CVE) score to ensure you are meeting your organization’s software security requirements. For more information about CVEs, see Common Vulnerabilities and Exposures (CVEs).

Note

Filters can also be applied at the channel level. Both the channel filter and the mirror filter are applied to packages contained in the channel. The mirror filter restricts packages that are pulled from the source mirror, and the channel filter restricts which packages are allowed into the channel. Filters should not contain configurations that will conflict with one another.

Mirror filtering arguments#

--subdirs - For mirror sources that contain conda packages.

Instruct Package Security Manager to only mirror packages for the provided subdirectories. Anaconda recommends you always include the noarch platform as well as the specific platform architecture necessary for your organization, as many platform-specific packages will require a noarch dependency to run. Use a comma-separated string contained within double quotes when supplying the argument.

Here is an example of what this portion of a mirror command looks like:

--subdirs "noarch,osx-64,osx-arm64"

You can filter for the following platforms:

  • noarch

  • linux-32

  • linux-64

  • linux-aarch64

  • linux-armv6l

  • linux-armv7l

  • linux-ppc64

  • linux-ppc64le

  • osx-64

  • osx-arm64

  • win-32

  • win-64

  • zos-z

Note

If your source mirror does not contain conda packages, this command argument is not necessary.

--type - Denotes the mirror type. Possible types are: “conda”, “python_simple”, and “CRAN”.

Here is an example of what this portion of a mirror command looks like:

--type "conda"

--projects - List of PyPI projects to mirror.

If your source mirror is populated with PyPI projects, you can list which projects to include from the source mirror here. Use a comma-separated string contained within double quotes when supplying the argument.

Here is an example of what this portion of a mirror command looks like:

--projects "rxnpy,sympad,permutation"

--licenses - The --licenses argument can be used to both exclude and include licenses. Use a comma-separated string contained within double quotes when supplying the argument.

To exclude a license, prepend the license name entry with a hyphen (-). To include a license, just provide the license name.

Here is an example of what this portion of a mirror command looks like:

--licenses "-public_domain,-none,mit,apache,agpl"

You can filter for the following licenses:

  • agpl

  • gpl2

  • gpl3

  • lgpl

  • bsd

  • mit

  • apache

  • psf

  • public_domain

  • proprietary

  • other

  • none

--only_spec - Include a specific package from the source mirror. Uses MatchSpec (non-exact value search queries) to specify the package. Supply this argument multiple times for multiple entries.

Note

For more information about using non-exact value search queries, see Package match specifications.

--exclude_spec - Excludes a package from the source mirror. Uses MatchSpec (non-exact value search queries) to specify the package. Supply this argument multiple times for multiple entries.

Here is an example of what this portion of a mirror command looks like:

--exclude_spec pytorch

--include_spec - Include a package, or a specific version of a package, that would otherwise be excluded by the --exclude_spec argument. Supply this argument multiple times for multiple entries.

Here is an example of what this portion of a mirror command looks like:

--include_spec pytorch==1.21.1

--cve_score - Removes all files that are associated with a CVE that has a score equal to or higher than the threshold value set here. CVE scores range from 0-10 and can contain up to one decimal point value.

Here is an example of what this portion of a mirror command looks like:

--cve_score 7.1

--exclude_uncurated_cve_packages - Removes all files that are associated with uncurated CVEs in the repository. Supply this argument with either a True or False tag.

Here is an example of what this portion of a mirror command looks like:

--exclude_uncurated_cve_packages True

--date_from - Specifies the start of a date range denoting when a conda package was published. Works in tandem with the --date_to filter. The date range format is YYYY-MM-DD. The --date_from value must be earlier in the timeline than the --date_to value.

--date_to - Specifies the end of a date range denoting when a conda package was published. Works in tandem with the --date_from filter. The date range format is YYYY-MM-DD.

Here is an example of what this portion of a mirror command looks like:

--date_from 2022-03-01 --date_to 2022-05-15

Note

A maximum span of one year is allowed between the start and end of the date range.
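The filter rules above (allowed platforms and licenses, the 0-10 CVE score with one decimal, and the date range limits) can be checked before a mirror command is sent. The following is an added example, not part of conda-repo-cli: the function name build_mirror_command is hypothetical, "one year" is read as 365 days, and the two date flags are assumed to be required together. It uses only flags documented on this page and returns the argument list instead of running it.

```python
import re
import shlex
from datetime import date, timedelta

# Allowed values copied from the lists on this page.
MIRROR_TYPES = {"conda", "python_simple", "CRAN"}
MODES = {"active", "passive"}
SUBDIRS = {"noarch", "linux-32", "linux-64", "linux-aarch64", "linux-armv6l",
           "linux-armv7l", "linux-ppc64", "linux-ppc64le", "osx-64",
           "osx-arm64", "win-32", "win-64", "zos-z"}
LICENSES = {"agpl", "gpl2", "gpl3", "lgpl", "bsd", "mit", "apache", "psf",
            "public_domain", "proprietary", "other", "none"}
MAX_SPAN = timedelta(days=365)  # assumption: "one year" is read as 365 days
ISO_DAY = re.compile(r"\d{4}-\d{2}-\d{2}")


def _day(value, flag):
    """Parse a strict YYYY-MM-DD string; invalid dates raise ValueError."""
    if not ISO_DAY.fullmatch(value):
        raise ValueError(f"{flag} must be YYYY-MM-DD, got {value!r}")
    return date.fromisoformat(value)


def build_mirror_command(name, channel, source, mirror_type, mode, *,
                         subdirs=(), licenses=(), only_specs=(),
                         exclude_specs=(), include_specs=(), cve_score=None,
                         exclude_uncurated=None, date_from=None, date_to=None,
                         run_now=True):
    """Return (argv, warnings); raise ValueError if a documented rule is broken."""
    warnings = []
    if mirror_type not in MIRROR_TYPES:
        raise ValueError(f"unknown mirror type {mirror_type!r}")
    if mode not in MODES:
        raise ValueError(f"mode must be active or passive, got {mode!r}")
    argv = ["conda", "repo", "mirror", "--create", name, "--channel", channel,
            "--source", source, "--type", mirror_type, "--mode", mode]

    if subdirs:
        if mirror_type != "conda":
            raise ValueError("--subdirs is only for conda package sources")
        unknown = sorted(set(subdirs) - SUBDIRS)
        if unknown:
            raise ValueError(f"unknown subdirs: {unknown}")
        if "noarch" not in subdirs:
            warnings.append("--subdirs has no noarch entry")
        argv += ["--subdirs", ",".join(subdirs)]

    if licenses:
        included = {lic for lic in licenses if not lic.startswith("-")}
        excluded = {lic[1:] for lic in licenses if lic.startswith("-")}
        unknown = sorted((included | excluded) - LICENSES)
        if unknown:
            raise ValueError(f"unknown licenses: {unknown}")
        if included & excluded:
            raise ValueError(f"both included and excluded: {sorted(included & excluded)}")
        argv += ["--licenses", ",".join(licenses)]

    # Spec flags are supplied once per entry, as the page describes.
    for flag, specs in (("--only_spec", only_specs),
                        ("--exclude_spec", exclude_specs),
                        ("--include_spec", include_specs)):
        for spec in specs:
            argv += [flag, spec]
    if include_specs and not exclude_specs:
        warnings.append("--include_spec given without any --exclude_spec")

    if cve_score is not None:
        text = str(cve_score)
        if not re.fullmatch(r"\d{1,2}(\.\d)?", text) or float(text) > 10:
            raise ValueError(f"--cve_score must be 0-10 with one decimal, got {text}")
        argv += ["--cve_score", text]
    if exclude_uncurated is not None:
        argv += ["--exclude_uncurated_cve_packages", str(bool(exclude_uncurated))]

    # Assumption: the two date flags are only meaningful as a pair.
    if (date_from is None) != (date_to is None):
        raise ValueError("--date_from and --date_to must be given together")
    if date_from is not None:
        start, end = _day(date_from, "--date_from"), _day(date_to, "--date_to")
        if not start < end:
            raise ValueError("--date_from must be earlier than --date_to")
        if end - start > MAX_SPAN:
            raise ValueError("date range is longer than one year")
        argv += ["--date_from", date_from, "--date_to", date_to]

    if run_now:
        argv.append("--run_now")
    return argv, warnings


if __name__ == "__main__":
    # Constructed example built from the sample values used on this page.
    argv, notes = build_mirror_command(
        "snakes", "lua", "https://repo.anaconda.com/pkgs/main/", "conda", "passive",
        subdirs=["noarch", "osx-64", "osx-arm64"],
        licenses=["-public_domain", "-none", "mit", "apache", "agpl"],
        exclude_specs=["pytorch"], include_specs=["pytorch==1.21.1"],
        cve_score=7.1, exclude_uncurated=True,
        date_from="2022-03-01", date_to="2022-05-15")
    print(shlex.join(argv))
    for note in notes:
        print("warning:", note)
```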

Viewing mirror status#

To view the status of a mirror on a channel, run the following command:

conda repo mirror --show <MIRROR_NAME> --channel <CHANNEL_NAME>

Here is an example of what the return for your command will look like:

(base) ➜  ~ conda repo mirror --show boa --channel snakes
    Mirror Details:
    ---------------
    id: 29a15c15-49fc-4275-91c3-633129c6233c
    name: boa
    type: conda
    mode: active
    state: completed
    source root: http://repo.anaconda.com/pkgs/main
    Last run at: 2023-05-30T00:01:00.033756+00:00
    Updated at: 2023-05-30T00:06:11.705000+00:00
    created:
    cron: 0 0 * * *
    proxy:
    filters:
        only_specs               | ['numba', 'pytorch', 'pandas', 'panels', 'python==3.9']

Stopping a mirror#

To stop an in-progress mirror, run the following command:

conda repo mirror --stop <MIRROR_NAME>

Restarting a mirror#

To restart a stopped mirror, run the following command:

conda repo mirror --restart <MIRROR_NAME>

Updating mirrors#

Specifications for existing mirrors can be updated at any time by supplying the --update argument, along with the names of the mirror being updated and the channel that contains the mirror. Use the same mirror arguments as when creating a mirror to alter its configurations.

To update an existing mirror, run the following command:

# Replace <MIRROR_NAME> with the name of the mirror you want to update
# Replace <CHANNEL_NAME> with the name of the channel that contains the mirror
# Replace <ARG> with additional arguments for the mirror command
conda repo mirror --update <MIRROR_NAME> --channel <CHANNEL_NAME> --<ARG> --<ARG> --<ARG>

Here is an example of what an update command looks like:

conda repo mirror --update boa --channel snakes --only_spec jupyterhub --only_spec airflow --only_spec django --type conda --mode active --run_now

Note

If you do not include the --run_now argument, your mirror will update on its next scheduled run. You can always run conda repo mirror --update <MIRROR_NAME> --channel <CHANNEL_NAME> --run_now to update your mirror without changing any parameters.

Caution

Updating a mirror replaces its current contents with what you specify in the update command.

Deleting mirrors#

To delete a mirror, run the following command:

# Replace <MIRROR_NAME> with the name of the mirror you want to delete
# Replace <CHANNEL_NAME> with the name of the channel that contains the mirror
conda repo mirror --delete <MIRROR_NAME> --channel <CHANNEL_NAME>

Packages#

Viewing channel packages#

To view a list of packages contained within a channel, run the following command:

# Replace <CHANNEL_NAME> with the channel name
conda repo channel --list-packages <CHANNEL_NAME>

Viewing channel package details#

To view the details of a channel’s packages, run the following command:

# Replace <CHANNEL_NAME> with the channel name
conda repo channel --list-files <CHANNEL_NAME> --full-details

This will return a JSON-formatted list of all the files in a given channel and their metadata, including:

  • CKEY

  • CVE score

  • CVE status

  • File name

  • Package name

  • Platform

  • Version

Copying a package to a channel#

To copy a package to a channel, run the following command:

# Replace <ORIGIN_CHANNEL> with the name of the channel containing the package
# Replace <PACKAGE_NAME> with the name of the package you want to copy
# Replace <DESTINATION_CHANNEL> with the name of the channel you want to copy the package to
conda repo copy <ORIGIN_CHANNEL>::<PACKAGE_NAME> -d <DESTINATION_CHANNEL>

This retains the package on the origin channel and adds it to the destination channel.

Copying a package to a subchannel#

To copy a package to a subchannel, run the following command:

# Replace <ORIGIN_CHANNEL> with the name of the channel containing the package
# Replace <PACKAGE_NAME> with the name of the package you want to copy
# Replace <DESTINATION_CHANNEL> with the name of the channel that contains your subchannel
# Replace <DESTINATION_SUBCHANNEL> with the name of the subchannel you want to copy the package to
conda repo copy <ORIGIN_CHANNEL>::<PACKAGE_NAME> -d <DESTINATION_CHANNEL>/<DESTINATION_SUBCHANNEL>

This retains the package on the origin channel and adds it to the destination subchannel.

Moving a package to a channel#

To move a package to a channel, run the following command:

# Replace <ORIGIN_CHANNEL> with the name of the channel containing the package
# Replace <PACKAGE_NAME> with the name of the package you want to move
# Replace <DESTINATION_CHANNEL> with the name of the channel you want to move the package to
conda repo move <ORIGIN_CHANNEL>::<PACKAGE_NAME> -d <DESTINATION_CHANNEL>

This removes the package from the origin channel and adds it to the destination channel.

Moving a package to a subchannel#

To move a package to a subchannel, run the following command:

# Replace <CHANNEL_NAME> with the name of the channel containing the package
# Replace <PACKAGE_NAME> with the name of the package you want to move
# Replace <DESTINATION_CHANNEL> with the name of the channel that contains your subchannel
# Replace <DESTINATION_SUBCHANNEL> with the name of the subchannel you want to move the package to
conda repo move <CHANNEL_NAME>::<PACKAGE_NAME> -d <DESTINATION_CHANNEL>/<DESTINATION_SUBCHANNEL>

This removes the package from the origin channel and adds it to the destination subchannel.

Deleting a package from a channel#

To delete a package from a channel, run the following command:

conda repo remove <CHANNEL_NAME>::<PACKAGE_NAME>

Deleting a package from a subchannel#

To delete a package from a subchannel, run the following command:

conda repo remove <CHANNEL_NAME>/<SUBCHANNEL_NAME>::<PACKAGE_NAME>

Tokens#

Authorization tokens can be created by users and admins to provide others with access to private/authenticated channels or with a specific set of permissions within Package Security Manager. For more information, see Authorization Tokens.

Scopes#

Scopes are fine-grained permissions that you can embed within a token to limit the potential actions that can be performed while using said token. Scope tokens are especially useful for interacting with software programmatically.

Viewing scopes#

To view a list of scopes, run the following command:

conda repo auth --list-scopes

Creating a scope token#

To generate a new user authorization token, run the following command:

# Replace <NAME> with a name for your token (this can be anything)
# Replace <SCOPE> with a valid scope
conda repo auth --create -n <NAME> -s <SCOPE> -s <SCOPE>

Note

Supply the --scope or -s argument multiple times to include multiple scopes for your token.

Removing a user authorization token#

To remove an authorization token from your user, run the following command:

# Replace <TOKEN_ID> with the token you would like to remove
conda repo auth --remove <TOKEN_ID>

Channel service accounts#

Channel service accounts are only available in Package Security Manager version 6.6.5.

For more information and instructions on enabling channel service accounts, see Enabling channel service accounts.

Listing all channel service accounts#

# Replace <CHANNEL_NAME> with the name of your channel
conda repo service-accounts --channel <CHANNEL_NAME> --list-user-ids

Creating a service account token#

Creating tokens for a service account provides the account with specified permissions to act on the specified channels. Here are a few ways you might want to implement a channel service account token:

Create a channel service account token

# Replace <PRIMARY_CHANNEL> with the channel you are creating a service account token for
# Replace <USER_ID> with your user ID
# Replace <TOKEN_NAME> with a name for your token
# Replace <LEVEL> with the level of permissions you want to give the token (read/write/manage)
conda repo service-accounts --channel <PRIMARY_CHANNEL> --user-id <USER_ID> --name <TOKEN_NAME> --permission <LEVEL> --create-token

Create a channel service account token with a custom lifespan

# Replace <PRIMARY_CHANNEL> with the channel you are creating a service account token for
# Replace <USER_ID> with your user ID
# Replace <TOKEN_NAME> with a name for your token
# Replace <LEVEL> with the level of permissions you want to give the token (read/write/manage)
# Replace <DAYS> with the number of days that you want the token to exist (omit this flag to keep your token from expiring)
conda repo service-accounts --channel <PRIMARY_CHANNEL> --user-id <USER_ID> --name <TOKEN_NAME> --permission <LEVEL> --max-days <DAYS> --create-token

Create a channel service account token with permissions across multiple channels

# Replace <PRIMARY_CHANNEL> with the channel you are creating a service account token for
# Replace <USER_ID> with your user ID
# Replace <TOKEN_NAME> with a name for your token
# Replace <TARGET_CHANNEL> with the channels you want to provide permissions for
# Replace <LEVEL> with the level of permissions you want to give the token (read/write/manage)
conda repo service-accounts --channel <PRIMARY_CHANNEL> --user-id <USER_ID> --name <TOKEN_NAME> --token-channels <TARGET_CHANNEL>,<TARGET_CHANNEL> --permission <LEVEL> --create-token

Listing all channel tokens#

# Replace <CHANNEL_NAME> with the channel you are listing service account tokens for
conda repo service-accounts --channel <CHANNEL_NAME> --list-tokens

Listing all user tokens in a channel#

This command outputs all the token IDs a user has established for a channel.

# Replace <CHANNEL_NAME> with the channel you are listing service account tokens for
# Replace <USER_ID> with the user ID of the person whose tokens you want to list
conda repo service-accounts --channel <CHANNEL_NAME> --user-id <USER_ID> --list-tokens

Editing an existing token#

You can edit an existing token to change its permission level.

# Replace <TOKEN_ID> with the token you want to edit
# Replace <TOKEN_NAME> with the name of the token you want to edit
# Replace <LEVEL> with the level of permissions you want to give the token (read/write/manage)
conda repo service-accounts --token-id <TOKEN_ID> --name <TOKEN_NAME> --permission <LEVEL> --edit-token

Deleting a Token#

# Replace <TOKEN_ID> with the token you want to delete
conda repo service-accounts --token-id <TOKEN_ID> --delete-token

CVEs#

Listing CVEs associated with files in your repository#

To list the Common Vulnerabilities and Exposures (CVEs) associated with packages in your repository, run the following command:

conda repo cves --list

This will return the ID of the CVE, the CVE score, CVE type, curation status, the number of packages that are affected by the CVE, and a brief description of the vulnerability.

Showing files associated with a CVE#

To view the specific files associated with a CVE, run the following command:

conda repo cves --show-files <CVE_ID>

This provides you with a list of files that are associated with the <CVE_ID> you’ve provided.

Viewing CVE details#

To view the details of a specific CVE, run the following command:

conda repo cves --show <CVE_ID>

This will provide the CVE’s CVSS2 and CVSS3 score metrics in addition to the ID of the CVE, the CVE score, CVE type, curation status, publish date, and a brief description of the vulnerability.

Software Bill of Materials (SBOMS)#

Download an SBOM for artifact files on your Package Security Manager by running the following command:

# Replace <CHANNEL> with the channel containing the package
# Replace <PACKAGE> with the package name
# Replace <VERSION> with the package version
# Replace <PKG_ARCH> with the operating system architecture of the package
# Replace <FAMILY> with the artifact family (conda, python, cran, anaconda_project, anaconda_env, notebook)
# Replace <CKEY> with the artifact's CKEY string
conda repo sbom --channel <CHANNEL> --package <PACKAGE> --version <VERSION> --os <PKG_ARCH> --family <FAMILY> --ckey <CKEY>

Note

An artifact’s CKEY string can be found by viewing package details.

Viewing your user information#

To view your user information at any time, run the following command:

conda repo whoami

The return contains a list of your permissions, your default channel, your username, and your user ID.

Uploading to a channel#

The conda repo upload command is used to upload assets to your Package Security Manager repository. You can upload environments, notebooks, packages, projects, and general resource artifacts to a channel for storage and distribution.

To upload an asset (package, project, notebook, environment) to the first channel listed under default_channels: in your .condarc file, run the following command:

# Replace <FILE_PATH> with the path to the package you are uploading
conda repo upload <FILE_PATH>

Tip

You can upload multiple assets at the same time with the same command, adding each package location separated with a space:

conda repo upload <FILE_PATH1> <FILE_PATH2>

To specify a destination channel for your upload, run the following command:

# Replace <FILE_PATH> with the path to the artifact you are uploading
# Replace <CHANNEL_NAME> with the channel you want to upload to
conda repo upload <FILE_PATH> -c <CHANNEL_NAME>

General resource artifact (GRA) uploads require additional information to be included in the upload command:

# Replace <FILE_PATH> with the path to the artifact you are uploading
# Replace <CHANNEL_NAME> with the channel you want to upload to
# Replace <GROUP_NAME> with an artifact group name
# Replace <VERSION> with a version for your artifact upload
conda repo upload <FILE_PATH> -c <CHANNEL_NAME> -t gra -n <GROUP_NAME> -v <VERSION>

Warning

Make sure to perform manual security checks on artifacts before uploading them. Automatic security scanning is not provided.

Downloading artifact report#

If you need to know which users are downloading which packages from a given channel, you can use the following command:

# Replace <START_DATE> with the beginning of a date range (the format is YYYY-MM-DD)
# Replace <END_DATE> with the end of a date range (the format is YYYY-MM-DD)
# Replace <TYPE> with an output file type for your report (can be json or csv)
# Replace <USERS> with a comma separated list of users to report on
# Replace <CHANNELS> with a comma separated list of channels to report on
# Replace <REPORT> with a name for your report download file
conda repo report --date_from <START_DATE> --date_to <END_DATE> --file-type <TYPE> --user_names <USERS> --channels <CHANNELS> --filename <REPORT>

Here is an example of what a download history report command looks like:

conda repo report --date_from 2023-01-01 --date_to 2023-03-30 --file-type json --user_names user1,user2,user3,user5 --channels anaconda,snakes --filename anaconda_server_usage_report_Q1_2023

Tip

You can specify a location for your <REPORT> with a file path, such as /User/tmp/SBOM_report.json. If no location is specified, the report will be placed in your current working directory.

Note

A maximum span of one year is allowed between the start and end of the date range.

Further assistance#

To view the conda repo commands in the terminal, run the command:

conda repo --help

Similarly, appending --help or the shorthand -h to a command will provide you with further actions you can take, such as the following:

conda repo wizard -h
conda repo channel -h
conda repo mirror -h
conda repo upload -h
conda repo report -h
conda repo sbom -h
conda repo auth -h