Veracode Package Firewall
Modern software relies on many third-party packages, which can introduce risks such as malware injection, typosquatting attacks, and license violations. Use Veracode Package Firewall to configure your artifact repositories or package managers to block untrusted packages automatically.
Instead of connecting your system directly to the primary ecosystem registry, connect it to Package Firewall. After you review and configure your Package Firewall policy, the service automatically blocks any package or version that doesn’t comply with the defined rules and helps mitigate risks from unverified sources, known vulnerabilities, and compromised dependencies.
Package Firewall continuously ingests and processes packages across all supported ecosystems to provide near-instant analysis results. If a submitted package has not already been preprocessed, the application takes approximately 30 minutes to acquire the package and run heuristics and rules. Packages are processed concurrently, so processing one package or 100 packages generally takes the same amount of time.
Package Firewall users can be assigned one of the following roles: Administrator, Reviewer, Submitter, Mitigation Approver, Policy Administrator, or Security Lead. Each role provides a different level of access within Package Firewall. For a summary, see the role table.
Supported ecosystems
The following table lists the supported ecosystem registries and their corresponding custom Veracode registry URLs.
| Ecosystem | Veracode registry URL |
|---|---|
| Cargo | https://cargo.firewall.veracode.com |
| Golang | https://golang.firewall.veracode.com |
| Maven | https://maven.firewall.veracode.com |
| NPM | https://npm.firewall.veracode.com |
| NuGet | https://nuget.firewall.veracode.com |
| PyPI | https://pypi.firewall.veracode.com |
| RubyGems | https://rubygems.firewall.veracode.com |
Set up and use Package Firewall
Configure artifact repositories or package managers to use Package Firewall. For more information, see Connect Package Firewall to package ecosystems.
If your organization does not use JFrog Artifactory or a Sonatype Nexus repository, you can still deploy Package Firewall easily. Use your existing Mobile Device Management (MDM) or endpoint management system to remotely run the Package Firewall configuration command on developers' machines. This approach lets you distribute and enforce the configuration across your environment without relying on a repository manager.
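As an added example (not Veracode's own configuration command), the script below writes an .npmrc that routes every npm request through the Package Firewall registry listed in the table above and audits an existing .npmrc for any default or scoped registry line that still points elsewhere, a check that can be pushed to developer machines alongside the configuration. It assumes the firewall URL is used as a plain npm registry URL and that any credentials Package Firewall requires are handled separately.

```shell
#!/bin/sh
# Added example, not Veracode's own tooling. Assumption: the Package Firewall
# npm URL from the registry table is usable as a plain npm registry, and any
# credentials it requires are configured separately.

NPM_FW="https://npm.firewall.veracode.com"

# Write a minimal .npmrc whose default registry is Package Firewall.
write_npmrc() {                     # $1 = path to write
  printf 'registry=%s/\n' "$NPM_FW" > "$1"
}

# Print every registry URL configured in an .npmrc: the default 'registry='
# line and any scoped '@scope:registry=' lines. npm honours scoped registries
# per scope, so a scoped line naming another host bypasses the firewall.
npmrc_registries() {                # $1 = path to .npmrc
  sed -n -e 's/^registry *= *//p' -e 's/^@[^:]*:registry *= *//p' "$1"
}

# Return 0 if every registry line names the firewall, 1 if any line names
# another host or if no registry line exists at all (npm would then fall
# back to the public registry, silently skipping the firewall).
npmrc_uses_firewall() {             # $1 = path to .npmrc
  found=0
  for reg in $(npmrc_registries "$1"); do
    found=1
    case "$reg" in
      # Exact host or host followed by '/': a look-alike such as
      # npm.firewall.veracode.com.example.net does not match.
      "$NPM_FW"|"$NPM_FW"/*) ;;
      *) return 1 ;;
    esac
  done
  [ "$found" -eq 1 ]
}
```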