Getting Started with pgutil

pgutil is an open-source (github.com), cross-platform command line tool that's easy to download and install.

Installation & Configuration

Commands & Usage

$> pgutil

    .--. --. ..- - .. .-..
        pgutil v1.0.0
    .--. --. ..- - .. .-..

Description:
  Perform operations against a ProGet server.

Usage:
  pgutil [command] [options]

Options:
  -?, --help  Show help and usage information

Commands:
  sources   Manages the list of sources located in the configuration file located at
            C:\Users\sdennis\AppData\Roaming\pgutil\pgutil.config
  packages  Work with packages on a ProGet server
  vulns     Audit packages and assess vulnerabilities
  builds    Manage SCA builds and SBOM documents
  licenses  Manage license definitions and audit package licenses

Working with Sources

To help manage urls, feeds, and credentials (API keys), you can register one or more "sources" with pgutil. These sources are stored in the configuration file located at %appdata%\pgutil\pgutil.config (Windows) and ~/.config/pgutil/pgutil.config (Mac/Linux).

Adding Sources to pgutil

The sources add command is used to add a source to the configuration file.

At a minimum, a source requires a name (e.g. Default) and a ProGet server url (e.g. https://proget.corp.local/), but you you'll likely also want to add an API key (e.g. abc12345).

pgutil sources add --name=Default --url=https://proget.corp.local/ --api-key=abc12345

Instead of specifying --api-key, you can specify a username and password (e.g.
--username devbuilds --password myP@ssw0rd). However, API keys are generally recommended, especially since sources are persisted in configuration files.

"Default" source

A source named "Default" has special behavior. When a source name is not specified in other commands, then "Default" will be used. This means that, when there is a "Default" source, then that will be used on all commands unless --source is specified instead.

Passwords and Encryption

Unless you specify the --plain-text option, Passwords and API Keys will not be stored in plain text. Instead, they will be obscured from casual consumption using a Data Protection scheme . However, note that anyone with pgutil will be able to read and decode the password or API key.

Test Sources Added to pgutil

The sources test command is used to test the connections to your sources.

$: pgutil sources test

[Default] Successfully contacted ProGet 24.0.0
[MyOtherServer] Successfully contacted ProGet 23.0.32
[MyBadSource] Error contacting ProGet: invalid host name

If you specify the --name option, then only that source will be tested.

Note that any non-successful test will report a nonzero exit code.

Listing Sources

The sources list command will list all sources located in the configuration file.

$> pgutil sources list

1. Default
   https://api@proget.corp.local/

2. MyPackages (unapproved-nuget feed)
   https://devbuilds@othersource.somewhere.dev/

The sources list command does not require any arguments.

Removing Sources

The sources remove command will remove a source from the configuration file.

$> pgutil sources remove --name=MyPackages

Removed MyPackages source.

Note that you must specify the --name when removing a source, even for the "Default" source.