By default, Safe Chain scans packages fetched from the public npm registry and PyPI. If your team uses a private or self-hosted registry, you can configure Safe Chain to include those registries in its scanning coverage.

Supported ecosystems

  • Node.js — npm, npx, yarn, pnpm, pnpx, bun, bunx
  • Python — pip, pip3, uv, poetry, pipx

Configuration

You can set custom registries via environment variable, config file, or both. Both sources are merged together — Safe Chain de-duplicates entries across sources.
# npm custom registries (comma-separated hostnames)
export SAFE_CHAIN_NPM_CUSTOM_REGISTRIES="npm.company.com,registry.internal.net"

# pip custom registries (comma-separated hostnames)
export SAFE_CHAIN_PIP_CUSTOM_REGISTRIES="pip.company.com,registry.internal.net"

Protocol stripping

Safe Chain normalizes registry hostnames by automatically removing https:// or http:// prefixes. The following entries are treated as equivalent:
export SAFE_CHAIN_NPM_CUSTOM_REGISTRIES="https://npm.company.com"
# treated the same as:
export SAFE_CHAIN_NPM_CUSTOM_REGISTRIES="npm.company.com"
You do not need to strip protocols manually — provide either format and Safe Chain will handle normalization.
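As an added illustration of the merging, de-duplication and protocol stripping described above (not Safe Chain's own code), assuming the config file contributes a plain list of hostnames and that hostname comparison is case-insensitive:

```javascript
// Added example modelling the documented behaviour; function names and the
// config-file shape (a plain array of hostnames) are assumptions, not Safe Chain's API.

const PROTOCOL_PREFIX = /^https?:\/\//i;

// Strip an optional http:// or https:// prefix and surrounding whitespace.
// Lowercasing is an assumption: DNS hostnames are case-insensitive.
function normalizeRegistryHost(entry) {
  return entry.trim().replace(PROTOCOL_PREFIX, "").toLowerCase();
}

// Parse a comma-separated env var value (e.g. SAFE_CHAIN_NPM_CUSTOM_REGISTRIES)
// into normalized hostnames, dropping empty items from stray commas.
function parseRegistryList(value) {
  if (!value) return [];
  return value.split(",").map(normalizeRegistryHost).filter((h) => h.length > 0);
}

// Merge the env var list with the config-file list and de-duplicate,
// so "https://npm.company.com" and "npm.company.com" count once.
function mergeRegistries(envValue, configList) {
  const seen = new Set([
    ...parseRegistryList(envValue),
    ...(configList || []).map(normalizeRegistryHost),
  ]);
  return [...seen];
}

// Check whether a package download URL points at a registry Safe Chain covers:
// the ecosystem's public default or one of the configured custom hosts.
function isCoveredRegistry(downloadUrl, customHosts, defaultHost) {
  const host = new URL(downloadUrl).hostname.toLowerCase();
  return host === defaultHost || customHosts.includes(host);
}

// Constructed sample input: both sources list the same hosts with different prefixes.
const ENV_NPM_REGISTRIES = "https://npm.company.com, registry.internal.net";
const CONFIG_NPM_REGISTRIES = ["npm.company.com", "HTTP://registry.internal.net"];
const NPM_CUSTOM_HOSTS = mergeRegistries(ENV_NPM_REGISTRIES, CONFIG_NPM_REGISTRIES);

console.log(NPM_CUSTOM_HOSTS); // ["npm.company.com", "registry.internal.net"]
console.log(isCoveredRegistry("https://npm.company.com/lodash/-/lodash-4.17.21.tgz",
  NPM_CUSTOM_HOSTS, "registry.npmjs.org")); // true
```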