The conda-repo-cli package is the command-line interface (CLI) tool used to interact with Package Security Manager. You can use it to perform most of the actions that are available through the graphical user interface (GUI). The most common uses include:

  • Listing channel and mirror details
  • Creating channels and mirrors
  • Setting/updating filtering criteria for channels and mirrors
  • Configuring your channel alias and default channels
  • Uploading and managing assets

The actions you can perform in the CLI are determined by your group/role permissions. If you’re unsure of your permissions or need additional permissions, speak with your Package Security Manager administrator.

Installing the conda repo CLI

  1. Install the conda-repo-cli package by opening Anaconda Prompt (Terminal on macOS/Linux) and running the following command:

    conda install conda-repo-cli

  2. Verify your installation was successful and view which version you’ve installed by running the following command:

    conda repo --version

As an administrator, you can mirror or upload this package into a channel within your Package Security Manager, allowing your users to access it if they would otherwise be unable to acquire it themselves.

As a user, contact your administrator if you are unable to install conda-repo-cli.

Configuring conda-repo-cli

You must configure your repository site before you can log in via the CLI.

Configuring your conda repository site tells conda-repo-cli which URL to reach out to and interact with. This information is recorded in your .conda/repo-cli-config.yaml file. Populate the file by running one of the following configuration commands.

Choose the commands that apply to your setup:

Simplified CLI configuration

If you are using conda-repo-cli version 1.0.35+, run the following command to add your Anaconda URL to your .conda/repo-cli-config.yaml file and set it as the default site for conda to interact with:

# Replace <DOMAIN_NAME> with your Package Security Manager URL domain
conda repo config --set-site <DOMAIN_NAME>

When using this command, only include the domain name of your website. conda-repo-cli automatically detects whether or not you are utilizing SSL certificates and includes this along with the /api suffix when setting your domain name as the default site.

For example, if your Package Security Manager URL is “https://server.example.com” your command would be:

conda repo config --set-site server.example.com

This adds “https://server.example.com/api” to your .conda/repo-cli-config.yaml file with the name server.example.com.

Extended CLI configuration

Run the following command to add your Package Security Manager website to the .conda/repo-cli-config.yaml file:

# Replace <SITE_NAME> with a short name to reference your Package Security Manager
# Replace <URL> with your Package Security Manager URL
conda repo config --set sites.<SITE_NAME>.url <URL>/api

Then, instruct conda-repo-cli to use the URL you just configured as the default site to interact with by running the command:

# Replace <SITE_NAME> with the name you just assigned to your Package Security Manager
conda repo config --set default_site <SITE_NAME>

For example, if your Package Security Manager URL is https://server.example.com, and you want to name your site anaconda-server, the commands to configure your conda-repo-cli are:

conda repo config --set sites.anaconda-server.url https://server.example.com/api
conda repo config --set default_site anaconda-server

OAuth and SAML configuration

If your Package Security Manager is using OAuth or SAML for authentication, you must first complete the conda repository site configuration steps, then run this additional command to enable the standard authorization flow:

conda repo config --set oauth2 true

Viewing your current configurations

To view your current configurations, run the following command:

conda repo config --show-sources

This will return the path to your ./conda/repo-cli-config.yaml file, as well as its contents.

Logging in to Package Security Manager via the CLI

To log in to Package Security Manager using the CLI, run the following command:

conda repo login

You will be prompted to enter your user credentials after running the command. For example:

(base) ➜  ~ conda repo login
Username: anaconda
Password:
login as ADMIN successful

If you are using OAuth or SAML, running conda repo login opens a browser window to log you in to Package Security Manager CLI using your SSO service. After completing your login, the window displays Token Received. You can now close your browser window, return to your terminal, and use the CLI.

Using the CLI

You must log in before you can perform tasks using CLI commands. The commands you are able to successfully run are based on your assigned roles and permissions. For example, if you are not allowed to create mirrors using Package Security Manager UI, you will not be allowed to run commands that create, update, or otherwise manage mirrors using the CLI. For more information, see roles and permissions.

Using the .condarc configuration wizard

Use Package Security Manager CLI conda repo wizard command to configure channels: and default_channels: while setting a channel_alias for them. You can also use the command to backup and restore your .condarc file.

The channel_alias prepends (is placed in front of) your provided channel name when running conda commands that involve channels. Logging in to the CLI provides the Wizard with the information it needs to set your channel_alias for you. For more information about channel aliases, see Set a channel alias in the official conda docs.

To use the Wizard to configure your .condarc file, run the following command:

conda repo wizard

The Wizard shows you channels from your Package Security Manager that are available for you to add to your .condarc file. Enter the channels you wish to set to your default_channels: list, separated by a space. You must set at least one default channel for the Wizard to continue.

Once complete, enter the channels you want to add to the channels: list, separated by a space. Leave this blank if you do not need to add any additional channels.

Channel names must be exact. Misspelled channel names will not be accepted, for both the default_channels: and channels: lists. If you enter a channel name that does not match an existing channel in your instance, a warning appears and no channel is added to the list.

Your output will look something like this:

Conda configuration wizard.
This wizard will configure your CondaRC file using channels from https://<FQDN>.com

The CondaRC path is /Users/<USER>/.condarc

The following channels are available:
Name                           | Mirror | Privacy         | Owners
---------------------------------------------------------------------------
anaconda                       |  ︎ ✔    | public          | anaconda
web_devs                       |  ︎ ✔    | public          | anaconda
snakes                         |  ︎ ✔    | public          | anaconda
data_sci                       |  ︎ ✔    | public          | anaconda

Provide a space-separated list of channels to set as default_channels
It is common to add mirror channels here.
: web_devs snakes data_science

If you wish to add channels to the "channels" list
provide a space-separated list. You may leave this blank.
: anaconda
The following Conda configuration will be applied
channel_alias: https://<FQDN>/api/repo
default_channels:
  - web_devs
  - snakes
  - data_sci
channels:
  - defaults
  - anaconda
Confirm changes to /Users/<USER>/.condarc
(The current condarc file will be archived) [Y, n]: y
Backing up your current condarc file to /Users/<USER>/.condarc.backup

To restore your .condarc file to its previous state (what it was before you ran the Wizard), run the following command:

conda repo wizard --restore

Channels

Viewing channels

To view a list of channels you have access to in Package Security Manager, run the following command:

conda repo channel --list

Viewing a channel’s packages

To view a list of packages available on a specific channel, run the following command:

# Replace <CHANNEL_NAME> with the name of the channel
conda repo channel --list-packages <CHANNEL_NAME>

Viewing a channel’s files

To view a list of files available on a specific channel, run the following command:

# Replace <CHANNEL_NAME> with the name of the channel
conda repo channel --list-files <CHANNEL_NAME>

To view a list of files of a specific artifact family (e.g. general artifacts) within a channel, you can specify that in the command using the --family or -f tag:

# Replace <CHANNEL_NAME> with the name of the channel
# Replace <FAMILY> with the artifact family type (conda, python, cran, anaconda_project, anaconda_env, notebook, gra)
conda repo channel --list-files <CHANNEL_NAME> --family <FAMILY>

Viewing a channel’s details

To view the details of a channel, run the following command:

conda repo channel --show <CHANNEL_NAME>

The return from this command will display the following information about a channel:

  • The channel’s name
  • The channel’s description
  • Privacy permissions
  • Number of artifacts contained in the channel
  • Number of downloads from the channel
  • Number of mirrors the channel contains
  • Number of subchannels the channel contains
  • When the channel was created
  • The last date the channel was updated
  • Channel owners

Channel privacy permissions

Package Security Manager CLI allows you to set the privacy permissions of your channels at any time.

To change permissions of your channel to private, allowing only yourself to view the channel, run the following command:

# Replace <CHANNEL_NAME> with your channel name
conda repo channel --lock <CHANNEL_NAME>

To change permissions of your channel to authenticated, allowing only authenticated users to view your channel, run the following command:

# Replace <CHANNEL_NAME> with your channel name
conda repo channel --soft-lock <CHANNEL_NAME>

If you have a private or authenticated channel that you want to make public, run the following command:

# Replace <CHANNEL_NAME> with your channel name
conda repo channel --unlock <CHANNEL_NAME>

Creating a channel

Create a public channel by running the following command:

# Replace <CHANNEL_NAME> with a name for your channel
conda repo channel --create <CHANNEL_NAME>

Creating a subchannel

You can create a subchannel within an already existing channel by running the following command:

# Replace <CHANNEL> with the channel you want to contain your subchannel
# Replace <SUBCHANNEL_NAME> with the name for your subchannel
conda repo channel --create <CHANNEL>/<SUBCHANNEL_NAME>

Deleting a channel

To delete a channel from your Package Security Manager, run the following command:

# Replace <CHANNEL_NAME> with your channel name
conda repo channel --remove <CHANNEL_NAME>

Policies

Policy filters only work for conda repositories. If your channel contains Std Python or R packages, use the mirror filters.

A policy is a security control you can apply to a channel or mirror to restrict the packages users can source from them.

Creating a policy

To create a policy, use the --create argument along with the appropriate configuration options. These options allow you to define filtering criteria, such as platforms, licenses, CVEs, and package names. Here is an example policy creation command:

conda repo policy --create \
    --name copperhead_cybersecurity \
    --channel-name sidewinderscribe \
    --description "Policy to enforce secure package inclusion for sidewinderscribe channel." \
    --platform linux-64,osx-64 \
    --cve-score 7 \
    --cve-score-comparator <=

This command is formatted for readability. If your shell supports line continuation (e.g. bash, zsh), you can run it as shown. Otherwise, remove the backslashes (\) and combine it into a single line.

Basic policy configuration options

  • --name: Set the name of the policy.
  • --channel-name: (Optional) Specify the channel the policy applies to.
  • --description: (Optional) Provide a description for the policy.

Platform filtering options

  • --platform: Include platforms, separated by commas.
  • --platform-not: Exclude platforms, separated by commas.

Available platforms

  • linux-32
  • linux-64
  • linux-aarch64
  • linux-armv6l
  • linux-armv7l
  • linux-ppc64
  • linux-ppc64le
  • linux-s390x
  • osx-64
  • osx-arm64
  • win-32
  • win-64
  • zos-znoarch

License filtering options

  • --license: Include licenses, separated by commas.
  • --license-not: Exclude licenses, separated by commas.

Supported licenses

  • AGPL
  • GPL
  • GPL2
  • GPL3
  • LGPL
  • BSD
  • MIT
  • APACHE
  • PSF
  • Public-Domain
  • Proprietary
  • MOZILLA
  • OTHER
  • None
  • CC

Package filtering options

  • --package-name: Include package names, separated by commas.
  • --exclude-package-name: Exclude package names, separated by commas.
  • --exclude-package-name-exception: Remove exclusions for specified packages, separated by commas.
  • --include-dependencies: Include dependencies.
  • --exclude-dependencies: Exclude dependencies.
  • --only-signed-packages: Restrict to signed packages only.
  • --keep-legacy-packages: Includes both .conda and .tar.bz2 files for packages that contain them.

Date-based filtering options

Date formatting

  • YYYY-MM-DD

  • --package-created-from: Filter packages created on or after the specified date.

  • --package-created-to: Filter packages created on or before the specified date.

CVE filtering options

  • --cve-score: Set a CVE score threshold for filtering.
  • --cve-score-comparator: Comparator for CVE score.
    • Options: ==, <=, >=, <, >
    • Default: <=
  • --cve-status: Include CVE statuses, separated by commas.
  • --exclude-cve-status: Exclude CVE statuses, separated by commas.

Supported statuses

  • active

  • reported

  • mitigated

  • cleared

  • disputed

  • --cve-link-status-and-score: Define the relationship between CVE status and score.

    • Options: and, or
    • Default: and

  • --cve-allowlist: Add specific CVE IDs to an allowlist, separated by commas.

    • CVE ID Format: CVE-YYYY-#####

  • --exclude-uncurated-cve-packages: Exclude uncurated CVE packages.

Viewing policies

To view all policies, run the following command:

conda repo policy --list-all

To view a specific policy, include the policy ID in the command:

# Replace <POLICY_ID> with the ID of your policy
conda repo policy --show <POLICY_ID>

Assigning a policy

To assign a policy to a channel, run the following command:

# Replace <POLICY_ID> with the ID of your policy
# Replace <CHANNEL_NAME> with the name of the channel you want to apply the policy to
conda repo policy --assign <POLICY_ID> --channel <CHANNEL_NAME>

Policies can also be applied directly to mirrors. For more information, see Creating a mirror with a policy.

Unassigning a policy

# Replace <POLICY_ID> with the ID of your policy
# Replace <CHANNEL_NAME> with the name of the channel you want to apply the policy to
conda repo policy --unassign <POLICY_ID> --channel <CHANNEL_NAME>

Editing a policy

To edit an existing policy, use the --edit argument with the same configuration options available for creating a policy and include the ID of the policy you want to modify.

Editing a filtering option for a policy clears the previous filter value.

For example, if you create a policy and specify the win-32 platform filter, running conda repo policy --edit <POLICY_ID> --platform "win-64" replaces the win-32 filter with the win-64 filter; it does not add both filters.

# Replace <POLICY_ID> with the ID of your policy
conda repo policy --edit <POLICY_ID> --description "Updated description"

To clear filters in a policy, provide an empty string for the filtering options using the --edit command.

For example, to remove the platform filter, use --platform "". This method works for Platform and License filtering arguments.

Deleting a policy

To delete a policy, run the following commdand:

# Replace <POLICY_ID> with the ID of your policy
conda repo policy --delete <POLICY_ID>

Mirrors

Mirroring via the CLI can accomplish things that would be cumbersome via the GUI.

Mirrors exist within channels in Package Security Manager. When working in the CLI, you need to create a channel to populate with a mirror or know which channels are already available for mirror hosting. Anaconda recommends that channels contain only one mirror each to prevent conflicts between package sources and mirror filters. It is possible for a channel to contain multiple mirrors; however, you will need to proceed with caution and ensure that your mirror filters do not overlap in a conflicting manner.

Creating a mirror

The basic command for creating a mirror using the CLI is:

# Replace <MIRROR_NAME> with a name for your mirror
# Replace <SOURCE> with the URL of the external repository to mirror
# Replace <CHANNEL_NAME> with the name of the channel you want to contain your mirror
# Replace <TYPE> with a valid mirror type (conda, python_simple, or CRAN)
# Replace <MODE> with either active or passive
conda repo mirror --create <MIRROR_NAME> --channel <CHANNEL_NAME> --source <SOURCE> --type <TYPE> --mode <MODE> --run_now

This will create an exact copy of the mirrored repository with no restrictions on what gets copied to your mirror and made available to your users.

Your <TYPE> must match the <SOURCE> mirror. For example, if your source mirror contains conda packages, you must use conda as your mirror type.

You can add arguments to this basic mirror command to further specify configurations for the mirror. This can mean restricting the available packages due to an applied filter, or downloading only specific versions of specific packages to be available on your channel.

To create a mirror and populate it with a specific set of packages, run the following command:

# Replace <MIRROR_NAME> with a name for your mirror
# Replace <CHANNEL_NAME> with the name of the channel you want to contain your mirror
# Replace <SOURCE> with the URL of the external repository to mirror
# Replace <TYPE> with a valid mirror type (conda, python_simple, or CRAN)
# Replace <MODE> with either active or passive
# Replace <PLATFORMS> with the platforms you need your packages to work for
# Replace <PKG_NAME> with the name of the packages you want mirrored into your repository
conda repo mirror --create <MIRROR_NAME> --channel <CHANNEL_NAME> --source <SOURCE> --mode <MODE> --run_now --subdirs "<PLATFORMS>" --only_spec <PKG_NAME> --only_spec <PKG_NAME>

For example, if you want to create a mirror called “snakes” in a channel you’ve created and named “lua”, and you want to populate the channel with packages for Mac users only, the command would be:

conda repo mirror --create snakes --channel lua --source https://repo.anaconda.com/pkgs/main/ --run_now --mode passive --subdirs "noarch, osx-64, osx-arm64" --only_spec lua --only_spec ncurses --only_spec readline

Populating your channel with packages in this manner will not automatically populate the channel with their dependencies. If you do not have all the necessary packages, conda won’t be able to successfully create an environment from the channel.

Creating a mirror with a policy

When you create or edit a mirror on a channel that has a policy associated with it, the channel’s policy is automatically applied to the mirror. To assign a specific policy to the mirror instead, include the --use-channel-policy False and --policy-id <POLICY_ID> arguments in your command.

Here is an example command that creates a mirror and applies a policy to it. For more information, see Policies.

# Replace <MIRROR_NAME> with a name for your mirror
# Replace <SOURCE> with the URL of the external repository to mirror
# Replace <CHANNEL_NAME> with the name of the channel you want to contain your mirror
# Replace <TYPE> with a valid mirror type (conda, python_simple, or CRAN)
# Replace <MODE> with either active or passive
# Replace <POLICY_ID> with your policy ID
conda repo mirror --create <MIRROR_NAME> --channel <CHANNEL_NAME> --source <SOURCE> --type <TYPE> --mode <MODE>  --use-channel-policy False --policy-id <POLICY_ID> --run_now

Filtering mirrored packages

Policies were introduced to Package Security Manager in version 6.7.0. If your version of Package Security Manager supports policies, use those filtering options for any channels that will contain conda packages. For all other mirror types (Std Python, R) use the mirroring filters.

Adding filters to your mirrors ensures that you only mirror the packages that you need in your channel. This ensures that everyone on your team is not only using the same packages, but the same version of those packages for the same operating system. You can also filter by license and common vulnerability and exposure (CVE) score to ensure you are meeting your organization’s software security requirements. For more information about CVEs, see Common Vulnerabilities and Exposures (CVEs).

Filters can also be applied at the channel level. Both the channel filter and the mirror filter are applied to packages contained in the channel. The mirror filter restricts packages that are pulled from the source mirror, and the channel filter restricts which packages are allowed into the channel. Filters should not contain configurations that will conflict with one another.

Mirror filtering arguments

--subdirs - For mirror sources that contain conda packages.

Instruct Package Security Manager to only mirror packages for the provided subdirectories. Anaconda recommends you always include the noarch platform as well as the specific platform architecture necessary for your organization, as many platform-specific packages will require a noarch dependency to run. Use a comma-separated string contained within double quotes when supplying the argument.

Here is an example of what this portion of a mirror command looks like:

--subdirs "noarch,osx-64,osx-arm64"

You can filter for the following platforms:

  • noarch
  • linux-32
  • linux-64
  • linux-aarch64
  • linux-armv6I
  • linux-armv7I
  • linux-ppc64
  • linux-ppc64le
  • osx-64
  • osx-arm64
  • win-32
  • win-64
  • zos-z

If your source mirror does not contain conda packages, this command argument is not necessary.

--type - Denotes the mirror type. Possible types are: “conda”, “python_simple”, and “CRAN”.

Here is an example of what this portion of a mirror command looks like:

--type "conda"

--projects - List of pypi projects to mirror.

If your source mirror is populated with PyPI projects, you can list which projects to include from the source mirror here. Use a comma-separated string contained within double quotes when supplying the argument.

Here is an example of what this portion of a mirror command looks like:

--projects "rxnpy,sympad,permutation"

--licenses - The --licenses argument can be used to both exclude and include licenses. Use a comma-separated string contained within double quotes when supplying the argument.

To exclude a license, prepend the license name entry with a hyphen (-). To include a license, just provide the license name.

Here is an example of what this portion of a mirror command looks like:

--licenses “-public_domain,-none,mit,apache,agpl”

You can filter for the following licenses:

  • agpl
  • gpl2
  • gpl3
  • lgpl
  • bsd
  • mit
  • apache
  • psf
  • public_domain
  • proprietary
  • other
  • none

--only_spec - Include a specific package from the source mirror. Uses MatchSpec (non-exact value search queries) to specify the package. Supply this argument multiple times for multiple entries.

For more information about using non-exact value search queries, see Package match specifications.

--exclude_spec - Excludes a package from the source mirror. Uses MatchSpec (non-exact value search queries) to specify the package. Supply this argument multiple times for multiple entries.

Here is an example of what this portion of a mirror command looks like:

--exclude_spec pytorch

--include_spec - Include a package, or a specific version of a package, that would otherwise be excluded by the --exclude_spec argument. Supply this argument multiple times for multiple entries.

Here is an example of what this portion of a mirror command looks like:

--include_spec pytorch==1.21.1

--cve_score - Removes all files that are associated with a CVE that has a score equal to or higher than the threshold value set here. CVE scores range from 0-10 and can contain up to one decimal point value.

Here is an example of what this portion of a mirror command looks like:

--cve_score 7.1

--exclude_uncurated_cve_packages - Removes all files that are associated with uncurated CVEs in the repository. Supply this argument with either a True or False tag.

Here is an example of what this portion of a mirror command looks like:

--exclude_uncurated_cve_packages True

--date_from - Specifies the start of a date range denoting when a conda package was published. Works in tandem with the --date_to filter. The date range format is YYYY-MM-DD. The --date_from value must be earlier in the timeline than the --date_to value.

--date_to - Specifies the end of a date range denoting when a conda package was published. Works in tandem with the --date_from filter. The date range format is YYYY-MM-DD.

Here is an example of what this portion of a mirror command looks like:

--date_from 2022-03-01 --date_to 2022-05-15

A maximum span of one year is allowed between the start and end of the date range.

Viewing mirror status

To view the status of a mirror on a channel, run the following command:

conda repo mirror --show <MIRROR_NAME> --channel <CHANNEL_NAME>

Here is an example of what the return for your command will look like:

(base) ➜  ~ conda repo mirror --show boa --channel snakes
    Mirror Details:
    ---------------
    id: 29a15c15-49fc-4275-91c3-633129c6233c
    name: boa
    type: conda
    mode: active
    state: completed
    source root: http://repo.anaconda.com/pkgs/main
    Last run at: 2023-05-30T00:01:00.033756+00:00
    Updated at: 2023-05-30T00:06:11.705000+00:00
    created:
    cron: 0 0 * * *
    proxy:
    filters:
        only_specs               | ['numba', 'pytorch', 'pandas', 'panels', 'python==3.9']

Stopping a mirror

To stop an in-progress mirror, run the following command:

conda repo mirror --stop <MIRROR_NAME>

Restarting a mirror

To restart a stopped mirror, run the following command:

conda repo mirror --restart <MIRROR_NAME>

Updating mirrors

Specifications for existing mirrors can be updated at any time by supplying the --update argument, along with the names of the mirror being updated and the channel that contains the mirror. Use the same mirror arguments as when creating a mirror to alter its configurations.

To update an existing mirror, run the following command:

# Replace <MIRROR_NAME> with the name of the mirror you want to delete
# Replace <CHANNEL_NAME> with the name of the channel that contains the mirror
# Replace <ARG> with additional arguments for the mirror command
conda repo mirror --update <MIRROR_NAME> --channel <CHANNEL_NAME> --<ARG> --<ARG> --<ARG>

Here is an example of what an update command looks like:

conda repo mirror --update boa --channel snakes --only_spec jupyterhub --only_spec airflow --only_spec django --type conda --mode active --run_now

If you do not include the --run_now argument, your mirror will update on its next scheduled run. You can always run --conda repo mirror --update <MIRROR_NAME> --channel <CHANNEL_NAME> --run_now to update your mirror without changing any parameters.

Updating a mirror replaces its current contents with what you specify in the update command.

Deleting mirrors

To delete a mirror, run the following command:

# Replace <MIRROR_NAME> with the name of the mirror you want to delete
# Replace <CHANNEL_NAME> with the name of the channel that contains the mirror
conda repo mirror --delete <MIRROR_NAME> --channel <CHANNEL_NAME>

Packages

Viewing channel packages

To view a list of packages contained within a channel, run the following command:

# Replace <CHANNEL_NAME> with the channel name
conda repo channel --list-packages <CHANNEL_NAME>

Viewing channel package details

To view the details of a channel’s packages, run the following command:

# Replace <CHANNEL_NAME> with the channel name
conda repo channel --list-file <CHANNEL_NAME> --full-details

This will return a JSON formatted list of all the files in a given channel and their metadata, to include:

  • CKEY
  • CVE score
  • CVE status
  • File name
  • Package name
  • Platform
  • Version

Copying a package to a channel

To copy a package to a channel, run the following command:

# Replace <ORIGIN_CHANNEL> with the name of the channel containing the package
# Replace <PACKAGE_NAME> with the name of the package you want to copy
# Replace <DESTINATION_CHANNEL> with the name of the channel you want to copy the package to
conda repo copy <ORIGIN_CHANNEL>::<PACKAGE_NAME> --destination <DESTINATION_CHANNEL>

This retains the package on the origin channel and adds it to the destination channel.

Copying a package to a subchannel

To copy a package to a subchannel, run the following command:

# Replace <ORIGIN_CHANNEL> with the name of the channel containing the package
# Replace <PACKAGE_NAME> with the name of the package you want to copy
# Replace <DESTINATION_CHANNEL> with the name of the channel that contains your subchannel
# Replace <DESTINATION_SUBCHANNEL> with the name of the subchannel you want to copy the package to
conda repo copy <ORIGIN_CHANNEL>::<PACKAGE_NAME> --destination <DESTINATION_CHANNEL>/<DESTINATION_SUBCHANNEL>

This retains the package on the origin channel and adds it to the destination subchannel.

Moving a package to a channel

To move a package to a channel, run the following command:

# Replace <ORIGIN_CHANNEL> with the name of the channel containing the package
# Replace <PACKAGE_NAME> with the name of the package you want to copy
# Replace <DESTINATION_CHANNEL> with the name of the channel that contains your subchannel
conda repo move <ORIGIN_CHANNEL>::<PACKAGE_NAME> --destination <DESTINATION_CHANNEL>

This removes the package from the origin channel and adds it to the destination channel.

Moving a package to a subchannel

To move a package to a subchannel, run the following command:

# Replace <CHANNEL_NAME> with the name of the channel containing the package
# Replace <PACKAGE_NAME> with the name of the package you want to copy
# Replace <DESTINATION_CHANNEL> with the name of the channel that contains your subchannel
# Replace <DESTINATION_SUBCHANNEL> with the name of the subchannel you want to copy the package to
conda repo move <CHANNEL_NAME>::<PACKAGE_NAME> --destination <DESTINATION_CHANNEL>/<DESTINATION_SUBCHANNEL>

This removes the package from the origin channel and adds it to the destination channel.

Deleting a package from a channel

To delete a package from a channel, run the following command:

conda repo remove <CHANNEL_NAME>::<PACKAGE_NAME>

Deleting a package from a subchannel

To delete a package from a channel, run the following command:

conda repo remove <CHANNEL_NAME>/<SUBCHANNEL_NAME>::<PACKAGE_NAME>

Tokens

Authorization tokens can be created by users and admins to provide others with access to private/authenticated channels or with a specific set of permissions within Package Security Manager. For more information, see Authorization Tokens.

Scopes

Scopes are fine-grained permissions that you can embed within a token to limit the potential actions that can be performed while using said token. Scope tokens are especially useful for interacting with software programmatically.

Viewing scopes

To view a list of scopes, run the following command:

conda repo auth --list-scopes

Creating a scope token

To generate a new user authorization token, run the following command:

# Replace <NAME> with a name for your token (this can be anything)
# Replace <SCOPE> with a valid scope
conda repo auth --create --name <NAME> --scopes <SCOPE> --scopes <SCOPE>

Supply the --scopes or -s argument multiple times to include multiple scopes for your token.

Removing a user authorization token

To remove an authorization token from your user, run the following command:

# Replace <TOKEN_ID> with the token you would like to remove
conda repo auth --remove <TOKEN_ID>

Channel service accounts

Channel service accounts are only available in Package Security Manager version 6.6.5 and later.

Listing all channel service accounts

# Replace <CHANNEL_NAME> with the name of your channel
conda repo service-accounts --channel <CHANNEL_NAME> --list-user-ids

Creating a service account token

Creating tokens for a service account provides the account with specified permissions to act on the specified channels. Here are a few ways you might want to implement a channel service account token:

Listing all channel tokens

# Replace <CHANNEL_NAME> with the channel you are listing service account tokens for
conda repo service-accounts --channel <CHANNEL_NAME> --list-tokens

Listing all tokens for a service account

To list all the token IDs associated with a channel’s associated service account, run the following command:

# Replace <CHANNEL_NAME> with the channel you are listing service account tokens for
conda repo service-accounts --channel <CHANNEL_NAME> --list-tokens

To list all the token IDs that a service account has to a specified channel, run the following command:

# Replace <CHANNEL_NAME> with the channel you are listing service account tokens for
# Replace <SA_UID> with the service account User ID
conda-repo service-accounts --channel <CHANNEL> --list-tokens --user-id <SA_UID>

Editing an existing token

You can edit an existing token to change its permission level.

# Replace <TOKEN_ID> with the token you want to edit
# Replace <TOKEN_NAME> with the name of the token you want to edit
# Replace <LEVEL> with the level of permissions you want to give the token (read/write/manage)
conda repo service-accounts --token-id <TOKEN_ID> --name <TOKEN_NAME> --permission <LEVEL> --edit-token

Deleting a Token

# Replace <TOKEN_ID> with the token you want to delete
conda repo service-accounts --token-id <TOKEN_ID> --delete-token

CVEs

Listing CVEs associated with files in your repository

To list the critical vulnerabilities and exposures (CVEs) associated with packages in your repository, run the following command:

conda repo cves --list

This will return the ID of the CVE, the CVE score, CVE type, curation status, the number of packages that are affected by the CVE, and a brief description of the vulnerability.

Showing files associated with a CVE

To view the specific files associated with a CVE, run the following command:

conda repo cves --show-files <CVE_ID>

This provides you with a list of files that are associated with the <CVE_ID> you’ve provided.

Viewing CVE details

To view the details of a specific CVE, run the following command:

conda repo cves --show <CVE_ID>

This will provide the CVE’s CVSS2 and CVSS3 score metrics in addition to the ID of the CVE, the CVE score, CVE type, curation status, publish date, and a brief description of the vulnerability.

Software Bill of Materials (SBOMS)

Download a SBOM for artifact files on your Package Security Manager by running the following command:

# Replace <CHANNEL> with the channel containing the package
# Replace <PACKAGE> with the package name
# Replace <VERSION> with the package version
# Replace <OS> with the operating system architecture of the package
# Replace <FAMILY> with the artifact family (conda, python, cran, anaconda_project, anacconda_env, notebook)
# Replace <CKEY> with the artifacts ckey string
conda repo sbom --channel <CHANNEL> --package <PACKAGE> --version <VERSION> --os <PKG_ARCH> --family <FAMILY> --ckey <CKEY>

An artifact’s CKEY string can be found by viewing package details.

Use the search command to locate packages in your repository:

# Replace <FAMILY> with the artifact family type (conda, python, cran, anaconda_project, anaconda_env, notebook, gra)
# Replace <PACKAGE_NAME> with the name of the package you are searching for
conda repo search --family <FAMILY> <PACKAGE_NAME>

The return provides you with a list of channels containing the package, as well as the package’s version, family, build, license, and platform information. For example, if you need to install pytorch, but don’t know where to locate the package, run the following command:

(base) ➜  ~ conda repo search --family conda pytorch
Channel                        | Name                                     |  Version | Family       | Build      | License         | Platforms
------------------------------ | ---------------------------------------- | -------- | ------------ | ---------- | --------------- | ---------------
birds                          | pytorch                                  |   1.13.1 | conda        | 0          | BSD-3-Clause    | linux-64, osx-arm64, linux-ppc64le, osx-64, linux-s390x, linux-aarch64
snakes                         | pytorch                                  |   1.13.1 | conda        | 0          | BSD-3-Clause    | osx-64, osx-arm64

2 packages found.
Visualizing 2-2 interval.

Viewing your user information

To view your user information at any time, run the following command:

conda repo whoami

The return contains a list of your permissions, your default channel, your username, and your user ID.

Uploading to a channel

The conda repo upload command is used to upload assets to your Package Security Manager repository. You can upload environments, notebooks, packages, projects, and general resource artifacts to a channel for storage and distribution.

To upload an asset (package, project, notebook, environment) to the first channel listed under default_channels: in your .condarc file, run the following command:

# Replace <FILE_PATH> with the path to the package you are uploading
conda repo upload <FILE_PATH>

You can upload multiple assets at the same time with the same command, adding each package location separated with a space:

conda repo upload <FILE_PATH1> <FILE_PATH2>

To specify a destination channel for your upload, run the following command:

# Replace <FILE_PATH> with the path to the artifact you are uploading
# Replace <CHANNEL_NAME> with the channel you want to upload to
conda repo upload <FILE_PATH> --channel <CHANNEL_NAME>

General resource artifact (GRA) uploads require additional information to be included in the upload command:

# Replace <FILE_PATH> with the path to the artifact you are uploading
# Replace <CHANNEL_NAME> with the channel you want to upload to
# Replace <GROUP_NAME> with an artifact group name
# Replace <VERSION> with a version for your artifact upload
conda repo upload <FILE_PATH> --channel <CHANNEL_NAME> --package-type gra --name <GROUP_NAME> --version <VERSION>

Make sure to perform manual security checks on artifacts before uploading them. Automatic security scanning is not provided.

Downloading a notebook from a channel

The conda repo download command allows you to download notebooks from a specified channel.

To download a notebook and save it to the current working directory, run the following command:

# Replace <CHANNEL_NAME> with the name of the channel that contains the notebook
# Replace <NOTEBOOK_NAME> with the name of the notebook you want to download
conda repo download --channel <CHANNEL_NAME> --notebook <NOTEBOOK_NAME>

To specify a target directory to download the notebook to and rename the file, use the --filename option:

# Replace <CHANNEL_NAME> with the name of the channel
# Replace <NOTEBOOK_NAME> with the name of the notebook you want to download
# Replace <PATH_TO_DIRECTORY/NEW_FILENAME> with the path to a directory where the notebook will be saved and (optionally) a new filename
conda repo download --channel <CHANNEL_NAME> --notebook <NOTEBOOK_NAME> --filename <PATH_TO_DIRECTORY/NEW_FILENAME>

If you do not include a filename with the directory path, the notebook’s original filename is used.

Downloading artifact report

If you need to know which users are downloading which packages from a given channel, you can use the following command:

# Replace <START_DATE> with the beginning of a date range (the format is YYYY-MM-DD)
# Replace <END_DATE> with the end of a date range (the format is YYYY-MM-DD)
# Replace <TYPE> with an output file type for your report (can be json or csv)
# Replace <USERS> with a comma separated list of users to report on
# Replace <CHANNELS> with a comma separated list of channels to report on
# Replace <REPORT> with a name for your report download file
conda repo report --date_from <START_DATE> --date_to <END_DATE> --file-type <TYPE> --user_names <USERS> --channels <CHANNELS> --filename <REPORT>

Here is an example of what a download history report command looks like:

conda repo report --date_from 2023-01-01 --date_to 2023-03-30 --file-type json --user_names user1, user2, user3, user5 --channels anaconda, snakes --filename anaconda_server_usage_report_Q1_2023

You can specify a location for your <REPORT> with a file path, such as /User/tmp/SBOM_report.json. If no location is specified, the report will be placed in your current working directory.

A maximum span of one year is allowed between the start and end of the date range.

Further assistance

To view the conda repo commands in the terminal, run the command:

conda repo --help

Similarly, appending --help or the shorthand -h to a command will provide you with further actions you can take, such as the following:

conda repo wizard --help
conda repo channel --help
conda repo mirror --help
conda repo upload --help
conda repo report --help
conda repo sbom --help
conda repo auth --help

Was this page helpful?

Logging in/out of Package Security ManagerChannels