HOWTO: Scan for Installed Chocolatey Packages on a Server
  • 29 Aug 2022


If a critical bug or security vulnerability is discovered in a package, identifying which servers are using the affected package will be crucial. ProGet’s Package Usage Scanning feature provides valuable insight into which packages are installed on which servers.

This guide will walk through how to use Otter to scan servers for installed Chocolatey packages and integrate ProGet with Otter to see which Chocolatey packages are installed on which server.

Using Otter to Scan Servers for Installed Packages

Otter helps you provision, manage, and configure your servers automatically. You can define reusable sets of configurations called roles, and then scale your infrastructure by simply assigning these roles to any number of servers.

Scanning your server for installed packages is a feature available in the free edition!

Step 1: Connect Otter to Your Server

If you don't already have Otter installed and configured, you'll first need to do that. You can install Otter on the same server that ProGet is hosted on, or any server of your choice. Otter can then scan other servers that you set up.

Otter can be installed on any supported version of Windows. Simply download and click through the installer to get Otter up and running in minutes. Otter can also be installed on Linux using Docker.

After Otter is installed, you need to connect Otter to the servers you wish to scan for Chocolatey packages. For details on how to add your server to Otter, read our installation guide.

Step 2: Install Chocolatey Extension in Otter

Before Otter can scan your server for Chocolatey packages, the Chocolatey extension will need to be installed.

Navigate to Administration Overview > Software System & Configuration > Extensions > Available Extensions > Chocolatey.

Step 3: Set Up Configuration Drift

Otter can be set up to monitor configuration drift and detect if the desired and current configuration are not the same. Read our docs to learn how to create and automate drift remediation jobs.

For the purposes of scanning your server for installed Chocolatey packages, the configuration drift can be set to Verify/report only.

Navigate to Servers > Server > Overview > Details > Configuration Drift.

Configuration Drift Settings

Check the box next to Configuration drift and select the Do not remediate (report only) option. These are the minimum settings needed for Otter to detect your Chocolatey packages; however, the other Drift remediation options will work as well.

Server Configuration Drift

Under the Overview tab, you can view and update your configuration drift settings.

Step 4: Configure Package Scanning

Next, package scanning will need to be configured to tell Otter what packages to look for.

Navigate to Servers > Server > Installed Packages & Containers > Configure, then check the box next to Collect Chocolatey Packages.

Chocolatey Package Scanning

After saving, you should see your installed Chocolatey packages.

Chocolatey Packages

If you do not see your Chocolatey packages at this point, skip down to the troubleshooting section.

Step 5: Create an API Key

In order to integrate Otter with ProGet, you will need to create an API key in Otter.

In Otter, navigate to Administration Overview > Security & Authentication > API Keys & Access Logs. Click on Create API key and fill in the relevant information.

Create API Key

For the purposes of this guide, the only required setting for the API key is Grant access to the Package/Container Usage API.

Integrating ProGet with Otter for Package Usage Scanning

Now that Otter is set up, it can be integrated with ProGet to show which Chocolatey packages are being used on which servers. Package Usage Scanning works with remote packages, so it's not necessary to have packages local or cached.

Step 1: Create a Chocolatey Feed in ProGet

You will need to create a Chocolatey feed in ProGet if you do not already have one. To create a new feed, navigate to the banner at the top of the page and click on Feeds. Next, select Create New Feed.

Create a New Feed in ProGet

Since this feed will be used for Chocolatey packages, create a Chocolatey feed.

Chocolatey Feed

Now that your feed is created, it will need to be connected to chocolatey.org. Click on add connector and fill in the relevant information.

Create Connector

Step 2: Connect Chocolatey Feed to Otter

In ProGet, navigate to Feeds > Feed > Manage Feed > Detection & Blocking > “Configure Package Usage Scanning”.

Configure Package Usage Scanning

Enter the API key you created in Otter and your Otter base URL.

Create Package Scanner

Step 3: Run Package/Container Scanning

To immediately see your scanned Chocolatey packages, you will need to manually run the Package/Container scanner.

Navigate to Administration Overview > ProGet Server Status > Manage Service > Service Status > Package/Container Scanner > "Run".

Package Scanner

Step 4: Check Package Usage Scanning

Now that everything is set up, the Package Usage Scanning feature can be utilized!

First, navigate to your preferred package in ProGet. Once you have selected the package, navigate to Usage & Statistics and you will be able to see the package usage details under Package Usage.

Package Usage

Troubleshooting

Chocolatey packages are not showing up in Otter

If you have configured package scanning to collect Chocolatey packages, but you still do not see them, you may need to manually restart Otter for the Chocolatey packages to be scanned.

Navigate to Administration Overview > Otter Service Status > Manage Service > "Restart".

Restart Web

After the restart is complete, navigate back to Installed Packages & Containers in your server and you should see your installed Chocolatey packages.
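
To cross-check what Otter reports against what Chocolatey itself records on a server, the following PowerShell sketch reads the .nuspec manifests in Chocolatey's lib folder and flags an affected package. It is an added example, not part of the original guide or Inedo's code; the package id, the fixed version and the fallback install path are assumptions.

```powershell
# Added example. Chocolatey keeps one folder per installed package under
# <ChocolateyInstall>\lib, each holding that package's .nuspec manifest.
function Get-InstalledChocolateyPackage {
    param(
        # Assumption: fall back to the usual install root if the variable is unset.
        [string]$ChocolateyRoot = $(if ($env:ChocolateyInstall) { $env:ChocolateyInstall }
                                    else { 'C:\ProgramData\chocolatey' })
    )
    $lib = Join-Path $ChocolateyRoot 'lib'
    if (-not (Test-Path -LiteralPath $lib)) {
        Write-Warning "No Chocolatey lib folder at $lib"
        return
    }
    Get-ChildItem -LiteralPath $lib -Directory | ForEach-Object {
        $nuspec = Get-ChildItem -LiteralPath $_.FullName -Filter '*.nuspec' -File |
                  Select-Object -First 1
        if (-not $nuspec) { return }          # folder without a manifest: skip it
        try {
            [xml]$doc = Get-Content -LiteralPath $nuspec.FullName -Raw
            $meta = $doc.package.metadata
            [pscustomobject]@{
                Server  = $env:COMPUTERNAME
                Id      = [string]$meta.id
                Version = [string]$meta.version
            }
        } catch {
            Write-Warning "Unreadable manifest: $($nuspec.FullName)"
        }
    }
}

# Hypothetical advisory data. Write the fixed version without trailing ".0"
# components so that [version] treats "2.0" and "2.0.0" as not older than it.
$affectedId   = 'example-package'
$fixedVersion = [version]'2.0'

Get-InstalledChocolateyPackage | Where-Object { $_.Id -eq $affectedId } | ForEach-Object {
    $parsed = $null
    # Drop any prerelease suffix (1.2.3-beta) before parsing.
    $ok = [version]::TryParse(($_.Version -replace '-.*$', ''), [ref]$parsed)
    # NeedsUpdate stays $null when the version string cannot be parsed.
    $needs = if ($ok) { $parsed -lt $fixedVersion } else { $null }
    $_ | Add-Member -NotePropertyName NeedsUpdate -NotePropertyValue $needs -PassThru
}
```

If this lists packages on the server that are missing from Installed Packages & Containers in Otter, the scan has not picked them up yet.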

