Configure JFrog Artifactory to use the Package Firewall URL as its remote source instead of upstream package registries. Every package installation request flows through Endor Labs, so the Package Firewall can block known malicious packages before they reach your environment. The Package Firewall evaluates each package request based on the malware check and the configured Package Firewall policy conditions, and handles each request in one of three ways:
  • Block the installation if the package is found in the Endor Labs malware database, or if a policy condition matches with Block. Artifactory returns HTTP 404, and the Package Firewall records a log with the package, version, and reason.
  • Allow the installation if a policy condition matches with Warn. The Package Firewall records a warning log with the package, version, and reason.
  • Allow the installation if no malware is detected. No log is recorded.
Artifactory returns a generic HTTP 404 when a request is blocked and does not surface the specific reason. To return the specific reason to developers, use direct integration instead.
JFrog Artifactory requirement: You must have a JFrog Artifactory instance with permission to create remote repositories and configure credentials.

Configure the Package Firewall

Complete the following steps to integrate JFrog Artifactory with the Endor Labs Package Firewall:
  1. Create an API key for the Package Firewall.
  2. Configure JFrog Artifactory.
  3. Local setup for developers.
  4. Verify your setup.

Create an API key for the Package Firewall

Create an API key dedicated to the Package Firewall so that JFrog Artifactory can authenticate to it. You can create it through one of the following methods:
  • Using the Endor Labs user interface, with the Package Firewall User role. See API keys to learn more.
  • Using endorctl, with the SYSTEM_ROLE_PACKAGE_FIREWALL role. Make sure to install and configure endorctl before you create the key.
To create the key using endorctl, run the following command and replace:
  • <namespace> with your namespace.
  • <API key name> with the name of the API key for the Package Firewall use case.
  • <YYYY-MM-DDTHH:MM:SSZ> with the API key expiration in ISO 8601 UTC format, for example 2026-12-31T23:59:59Z.
export NAMESPACE="<namespace>"
export KEY_NAME="<API key name>"

endorctl api create -r APIKey -n "$NAMESPACE" --data '{
  "meta": { "name": "'"$KEY_NAME"'" },
  "spec": {
    "permissions": { "roles": ["SYSTEM_ROLE_PACKAGE_FIREWALL"] },
    "expiration_time": "<YYYY-MM-DDTHH:MM:SSZ>"
  },
  "propagate": true
}'
From the response, save the following values in a secure location. Use them as your Package Firewall credentials when you configure the JFrog Artifactory remote repository.
  • API key: spec.key
  • API secret: spec.secret

Configure JFrog Artifactory

Configure a remote repository in JFrog Artifactory for each package type you want to route through the Package Firewall. Use the steps below for npm, PyPI, or Go packages.
To create an npm remote repository:
  1. Log in to JFrog Artifactory.
  2. Select Administration > Repositories from the left sidebar.
  3. Click Create a Repository and select Remote.
  4. Select npm as the package type.
  5. Enter a Repository Key, for example endor-firewall-npm.
  6. Enter the repository URL: https://factory.endorlabs.com/v1/namespaces/<namespace>/firewall/npm/. Replace <namespace> with your Endor Labs namespace.
  7. Enter the User Name and Password you saved when creating the API key.
  8. Click Create Remote Repository.
To create a PyPI remote repository:
  1. Log in to JFrog Artifactory.
  2. Select Administration > Repositories from the left sidebar.
  3. Click Create a Repository and select Remote.
  4. Select PyPI as the package type.
  5. Enter a Repository Key, for example endor-firewall-pypi.
  6. Enter the repository URL: https://factory.endorlabs.com/v1/namespaces/<namespace>/firewall/pypi/. Replace <namespace> with your Endor Labs namespace.
  7. Enter the User Name and Password you saved when creating the API key.
  8. In PyPI Settings, set Registry URL to the same URL you entered in step 6.
  9. Click Create Remote Repository.
The Package Firewall uses a virtual repository URL that aggregates one or more Go remote repositories. Each remote repository routes Go module requests through the Package Firewall. The virtual repository gives clients a single endpoint that forwards each request to the matching remote repository. You can use a single virtual repository to link all Go remote repositories.
To create a Go remote repository:
  1. Log in to JFrog Artifactory.
  2. Select Administration > Repositories from the left sidebar.
  3. Click Create a Repository and select Remote.
  4. Select Go as the package type.
  5. Enter a Repository Key, for example endor-firewall-go.
  6. Enter the repository URL: https://factory.endorlabs.com/v1/namespaces/<namespace>/firewall/go/. Replace <namespace> with your Endor Labs namespace.
  7. Enter the User Name and Password you saved when creating the API key.
  8. Click Create Remote Repository.
To create a virtual repository:
  1. Select Administration > Repositories from the left sidebar.
  2. Click Create a Repository and select Virtual.
  3. Select Go as the package type.
  4. Enter a Repository Key, for example endor-firewall-go-virtual.
  5. Under Repositories, select the remote repositories you want to add and click >.
  6. Click Create Virtual Repository.
Your Go remote and virtual repositories are now configured to route module requests through the Package Firewall.

Local setup for developers

Update your package manager to use Artifactory as its source, routing all installs through the Package Firewall instead of the public registry. Once you create the Artifactory remote:
  1. Navigate to Administration > Repositories.
  2. Click the vertical three dots next to the repository you configured and select Set Me Up. For Go, select the virtual repository you created.
  3. Enter your JFrog account password if prompted.
  4. Click Generate Token & Create Instructions.
  5. Follow the instructions to configure your local machine based on your package type. Edit .npmrc for npm or pip.conf for pip. For Go modules, select Resolve, copy the URL it provides, and run the following command. Replace <virtual-repository-url> with the copied URL. Make sure to URL-encode any @ in the username as %40.
    go env -w GOPROXY=<virtual-repository-url>
    
    Refer to JFrog Artifactory documentation for more information.
  1. Run the command for your package type to verify that your local client points to the Artifactory repository. Make sure the output matches the Artifactory remote URL you configured, or the virtual repository URL for Go modules.
    • For npm packages, run npm config get registry.
    • For PyPI packages, run pip3 config list | grep index-url.
    • For Go modules, run go env GOPROXY.
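The commands above show which URL the client uses, but a second source configured next to Artifactory would let a blocked package be fetched from elsewhere after the 404. The following is an added example, not Endor Labs or JFrog code; it goes slightly beyond the page by also checking GOPROXY fallback entries and pip's extra-index-url, and the function names and the `ARTIFACTORY_*_URL` variables are hypothetical.

```shell
#!/bin/sh
# Added example: audit client settings for sources that bypass Artifactory.

# Strip whitespace, user:token@ credentials and trailing slashes so URLs
# compare cleanly and embedded tokens are never printed.
normalize_url() {
  printf '%s\n' "$1" | sed -E 's/[[:space:]]//g; s#^(https?://)[^/@]*@#\1#; s#/+$##'
}

# goproxy_bypass GOPROXY_VALUE EXPECTED_URL
# GOPROXY is a list separated by "," or "|". After a 404 or 410 from one entry
# go tries the next, so a trailing proxy or "direct" fetches what the firewall
# blocked. "off" is accepted because it stops the lookup instead.
# Prints offending entries and returns 1; returns 0 when the list is clean.
goproxy_bypass() {
  want=$(normalize_url "$2")
  bad=$(printf '%s\n' "$1" | tr ',|' '\n\n' | while IFS= read -r e; do
    e=$(normalize_url "$e")
    if [ -n "$e" ] && [ "$e" != off ] && [ "$e" != "$want" ]; then
      printf '%s\n' "$e"
    fi
  done)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# pip_bypass EXPECTED_URL   (reads `pip3 config list` output on stdin)
# Flags an index-url other than EXPECTED_URL and every extra-index-url, because
# pip searches extra indexes alongside the main one.
pip_bypass() {
  want=$(normalize_url "$1")
  bad=$(while IFS= read -r line; do
    case $line in (*index-url=*) ;; (*) continue ;; esac
    key=${line%%=*}
    url=$(normalize_url "$(printf '%s' "${line#*=}" | tr -d "'\"")")
    case $key in
      (*extra-index-url) printf '%s\n' "$key=$url" ;;
      (*) if [ "$url" != "$want" ]; then printf '%s\n' "$key=$url"; fi ;;
    esac
  done)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Usage (hypothetical variables holding the URLs from Set Me Up):
#   goproxy_bypass "$(go env GOPROXY)" "$ARTIFACTORY_GO_URL" || echo "GOPROXY fallback"
#   pip3 config list | pip_bypass "$ARTIFACTORY_PYPI_URL" || echo "pip bypass"
```

GOPRIVATE and GONOPROXY patterns also make go skip the proxy for matching modules, so review them alongside GOPROXY.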

Verify your setup

To verify your setup, install a package that Endor Labs has classified as malware. The Package Firewall should block the installation and return an HTTP 404. The following are examples of packages classified as malware by Endor Labs.
Run the following command to test the Package Firewall with npm.
npm install endor-firewall-test@1.0.0
When the Package Firewall blocks the package, the output looks similar to the following. The E404 error code and 404 Not Found response confirm that the firewall blocked the package.
npm error code E404
npm error 404 Not Found - GET https://johndoe.jfrog.io/artifactory/api/npm/johndoe/endor-firewall-test/-/endor-firewall-test-1.0.0.tgz
npm error 404
npm error 404  The requested resource 'endor-firewall-test@https://johndoe.jfrog.io/artifactory/api/npm/johndoe/endor-firewall-test/-/endor-firewall-test-1.0.0.tgz' could not be found or you do not have permission to access it.
npm error 404
npm error 404 Note that you can also install from a
npm error 404 tarball, folder, http url, or git url.
Run the following command to test the Package Firewall with pip.
pip install endor-firewall-test==1.0.0
When the Package Firewall blocks the package, the output looks similar to the following. The 404 response confirms that the firewall blocked the package.
Defaulting to user installation because normal site-packages is not writeable
Looking in indexes: https://johndoe.jfrog.io/artifactory/api/pypi/johndoe/simple
Collecting endor-firewall-test==1.0.0
ERROR: HTTP error 404 while getting https://johndoe.jfrog.io/artifactory/api/pypi/johndoe/packages/packages/61/05/6e99035fec6c7e407fffc052a0060495f6a2fcae2143db3239c7399d5b6e/endor_firewall_test-1.0.0-py3-none-any.whl#sha256=4df734939186708c595e72e50f5d31296d2ea9e54d5a0afc9e69d4e7d6f0d4b9 (from https://johndoe.jfrog.io/artifactory/api/pypi/johndoe/simple/endor-firewall-test/) (requires-python:>=3.7)

ERROR: Could not install requirement endor-firewall-test==1.0.0 from https://johndoe.io/artifactory/api/pypi/johndoe/packages/packages/61/05/6e99035fec6c7e407fffc052a0060495f6a2fcae2143db3239c7399d5b6e/endor_firewall_test-1.0.0-py3-none-any.whl#sha256=4df734939186708c595e72e50f5d31296d2ea9e54d5a0afc9e69d4e7d6f0d4b9 because of HTTP error 404 Client Error:  for url: https://johndoe.jfrog.io/artifactory/api/pypi/johndoe/packages/packages/61/05/6e99035fec6c7e407fffc052a0060495f6a2fcae2143db3239c7399d5b6e/endor_firewall_test-1.0.0-py3-none-any.whl for URL https://johndoe.jfrog.io/artifactory/api/pypi/johndoe/packages/packages/61/05/6e99035fec6c7e407fffc052a0060495f6a2fcae2143db3239c7399d5b6e/endor_firewall_test-1.0.0-py3-none-any.whl#sha256=4df734939186708c595e72e50f5d31296d2ea9e54d5a0afc9e69d4e7d6f0d4b9 (from https://johndoe.jfrog.io/artifactory/api/pypi/johndoe/simple/endor-firewall-test/) (requires-python:>=3.7)
Run the following command to test the Package Firewall with Go.
go install github.com/endorlabstest/endor-firewall-test@v1.0.0
When the Package Firewall blocks the package, the output looks similar to the following. The 404 response confirms that the firewall blocked the package.
go get github.com/endorlabstest/endor-firewall-test@v1.0.0
go: github.com/endorlabstest/endor-firewall-test@v1.0.0: reading https://johndoe.com:xxxxx@johndoe.jfrog.io/artifactory/api/go/go-firewall-test-virtual/github.com/endorlabstest/endor-firewall-test/@v/v1.0.0.info: 404
After you confirm that the Package Firewall blocks malware, you can view the recorded events. See View Package Firewall logs to learn more.

Troubleshooting and FAQ

If Endor Labs flags a package as malware after Artifactory cached it, Artifactory continues to serve it until the cache expires. Use a short cache duration to reduce that window.
  • Verify that the Package Firewall URL in Artifactory is correct.
  • Ensure network connectivity from Artifactory to the Package Firewall.
  • Ensure the firewall rules allow outbound connections from Artifactory.
  • Verify the API key and secret are correct and that the key has the Package Firewall User role.
  • Ensure that the credentials are in the format Artifactory expects.
  • Check the Artifactory logs for authentication errors.
  • Verify that Artifactory has sufficient storage for the cache.
  • Set cache expiration to short durations so that more requests hit the Package Firewall.
  • Check the cache hit and miss rates. Clear the cache if you need to test with a fresh request.