Create and set up a Package Firewall
Use Package Firewall to block harmful open-source packages, vulnerabilities, malware, and policy violations to stop threats before they reach your development pipelines.
Create a firewall
Create a firewall to block harmful open-source packages.
Before you begin:
- You must have a Veracode account in the Commercial region with the Policy Administrator or Security Lead role. Package Firewall currently doesn't support accounts in the European region or the United States Federal region.
To complete this task:
- Sign in to the Veracode Platform.
- Select Policies > Firewall.
- Select NEW FIREWALL.
- Add a name for the firewall, then select ADD FIREWALL.
Manage policies
Package Firewall uses a policy framework to evaluate dependencies and provide tailored results. A default set of policies applies automatically to all newly created firewalls. You can also create custom policies and add them to the policy framework. In addition, you can configure a policy by turning its individual rules on or off in the Package Firewall interface.
Custom policies are not related to Veracode security policies.
Before you begin:
- You must have a Veracode account in the Commercial region with the Policy Administrator or Security Lead role. Package Firewall currently doesn't support accounts in the European region or the United States Federal region.
To complete this task:
- Sign in to the Veracode Platform.
- Select Policies > Firewall.
- Select the firewall for which you want to modify the policy.
- Navigate to the Policy tab.
- Use the toggle next to each policy to turn the policy on or off.
- You can select the checkbox next to a policy to make it warn-only. When this option is selected, Package Firewall issues a warning but does not block the package.
Add a custom policy
You can add a custom policy to Package Firewall. After you add it, it is available across all of your firewalls. See here for instructions on creating a custom policy.
To complete this task:
- Sign in to the Veracode Platform.
- Select Policies > Firewall.
- Select UPLOAD POLICY.
- Drag your policy file onto the screen or select the policy file from the File Explorer. If a valid Rego file is uploaded, the interface prompts you to verify the title, version, and description. Review the details and update them if needed.
- Select CONFIRM. The metadata is updated according to the title, version, and description provided.
- Select SUBMIT.
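The following is an added example of what a custom Rego policy file for this upload step might look like; it is not Veracode's own code, and the page does not document the input schema that Package Firewall passes to a policy. The input fields (input.package.name, input.package.ecosystem, input.package.published_at, input.package.licenses), the package name, and the blocklist and license values are all hypothetical, constructed for illustration. Each deny rule returns a message so that a blocked package version shows the reason for the block in the firewall's results. The title, version, and description that the interface asks you to confirm are entered in the upload dialog, not in the file.

```rego
# Example custom policy (added illustration, not a Veracode-provided policy).
# Assumed input shape (hypothetical, not a documented schema):
#   input.package.name          string, e.g. "example-pkg"
#   input.package.ecosystem     string, e.g. "npm"
#   input.package.published_at  RFC 3339 timestamp of the version's publication
#   input.package.licenses      list of SPDX license identifiers
package custom.supply_chain

# Constructed organization blocklist, keyed by ecosystem.
blocked_packages := {
    "npm": {"example-malicious-pkg"},
    "pypi": {"example-typosquat"},
}

# Constructed list of license identifiers the organization does not accept.
disallowed_licenses := {"AGPL-3.0-only", "SSPL-1.0"}

# Minimum age a version must reach before it may be installed, in nanoseconds.
# Freshly published versions are where hijacked-maintainer and typosquat
# releases tend to appear, so a short quarantine lowers that exposure.
min_version_age_ns := 72 * 60 * 60 * 1000000000

# Rule 1: the package is on the organization blocklist for its ecosystem.
deny[msg] {
    blocked_packages[input.package.ecosystem][input.package.name]
    msg := sprintf("package %s (%s) is on the organization blocklist",
                   [input.package.name, input.package.ecosystem])
}

# Rule 2: the version was published too recently to be trusted yet.
deny[msg] {
    published_ns := time.parse_rfc3339_ns(input.package.published_at)
    time.now_ns() - published_ns < min_version_age_ns
    msg := sprintf("version published at %s is younger than the 72-hour quarantine",
                   [input.package.published_at])
}

# Rule 3: the package declares a license the organization does not accept.
deny[msg] {
    lic := input.package.licenses[_]
    disallowed_licenses[lic]
    msg := sprintf("license %s is not permitted", [lic])
}
```

A package version passes this policy when the deny set is empty; any populated message explains the block. Because the input schema here is assumed, check the fields your policy reads against Veracode's custom-policy instructions before uploading, and test the file with the OPA CLI (opa eval with a sample input document) so that a syntax error is caught before the upload dialog rejects it.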
Remove a custom policy
You can remove a custom policy from Package Firewall.
Before you begin:
- The custom policy that you want to remove must be inactive in all of your firewalls.
To complete this task:
- Sign in to the Veracode Platform.
- Select Policies > Firewall.
- Select the firewall for which you want to modify the policy.
- Navigate to the Policy tab.
- Navigate to the custom policy that you want to remove, then select the delete icon.
- On the popup, select DELETE.
Add exceptions
You can permit specific packages that violate a policy or package versions whose code analysis is incomplete.
Before you begin:
- You must have a Veracode account in the Commercial region with the Mitigation Approver or Security Lead role. Package Firewall currently doesn't support accounts in the European region or the United States Federal region.
To complete this task:
- Sign in to the Veracode Platform.
- Select Policies > Firewall.
- Select the firewall for which you want to manage exceptions.
- Navigate to the Exceptions tab.
- To allow incomplete package versions, select ALLOW INCOMPLETE. A pop-up appears. To allow all incomplete packages, select Allow all. To allow a specific package version, select Specific package version and complete the required fields. Select Submit.
- To allow packages that violate the policy, select GRANT EXCEPTION. A pop-up appears. Complete the required fields and select Submit.
Review firewall activity
Use the Activity tab to view a summary of recent firewall traffic. To review analysis results for a specific package version installed through the firewall, select the package name from the dropdown list. The results for that package appear after you make a selection and show why the package version failed analysis and was blocked by the firewall.
By default, Package Firewall treats unprocessed packages as failures to prevent running code that has not been analyzed. Any unprocessed package is automatically staged for processing, so the safest option is to wait until processing completes.
You can add exceptions to bypass this behavior.
A package version can fail analysis for one of the following reasons:
- It violates one or more policies. The violated policies are listed in the results.
- It’s incomplete, and the firewall isn’t configured to accept incomplete packages. This can happen when the analysis of the package hasn’t completed yet and the firewall policy specifies that incomplete packages shouldn’t be accepted.
Before you begin:
- You must have a Veracode account in the Commercial region with the Administrator, Reviewer, Submitter, Mitigation Approver, Policy Administrator, or Security Lead role for Package Firewall. Package Firewall currently doesn't support accounts in the European region or the United States Federal region.
To complete this task:
- Sign in to the Veracode Platform.
- Select Policies > Firewall.
- Select the firewall you want to monitor.
- To view the analysis overview, navigate to the Activity tab.
View package downloads
View a list of downloaded packages.
Before you begin:
- You must have a Veracode account in the Commercial region with the Administrator, Reviewer, Submitter, Mitigation Approver, Policy Administrator, or Security Lead role. Package Firewall currently doesn't support accounts in the European region or the United States Federal region.
To complete this task:
- Sign in to the Veracode Platform.
- Select Policies > Firewall.
- Select the firewall for which you want to view package downloads.
- To view download activity, navigate to the Downloads tab.
Remove a firewall
You can remove a firewall if you no longer need it to scan your open-source packages.
Before you begin:
- You must have a Veracode account in the Commercial region with the Policy Administrator or Security Lead role. Package Firewall currently doesn't support accounts in the European region or the United States Federal region.
To complete this task:
- Sign in to the Veracode Platform.
- Select Policies > Firewall.
- Navigate to the firewall you want to remove, then select the DELETE button.
- A pop-up appears with a warning. Select DELETE.