Package Firewall offers real-time protection against malicious packages during software installations. It safeguards your software supply chain by preventing malicious packages from reaching your developers. Positioned between package managers and public package registries, it blocks the installation of known malicious packages by default while allowing safe packages to install normally.

Security teams often discover malware only after it enters your environment, forcing reactive cleanup. Package Firewall closes this gap by intercepting every package installation request before it completes. It blocks any malicious package instantly and returns an error, so the package never reaches your environment. Legitimate packages pass through unchanged, keeping your developers productive and your pipeline secure.

Package Firewall checks every package in the dependency tree individually, including transitive dependencies. If it flags any dependency, the installation is blocked. Configured policies apply to transitive dependencies as well. See How it works for more details.

Get started

  1. Route traffic through Package Firewall: Choose the integration that fits your environment: JFrog Artifactory, direct integration, or deploy to developer machines with MDM.
  2. Configure a Package Firewall policy: Define how the firewall responds to flagged packages: block or warn on malware, vulnerabilities, restricted licenses, and minimum package age, and set exceptions. See Package Firewall policy.
  3. View results: Confirm the firewall blocks malware and review every recorded event. See View Package Firewall logs.

How it works

Package Firewall inspects each package request before the package is downloaded. When a developer or CI pipeline requests a package, the request routes through the firewall, either directly or through a private registry such as JFrog Artifactory.
  1. Route traffic through Package Firewall: Your package manager or private registry forwards each request to the firewall so that it evaluates every package before the download completes.
  2. Authenticate and control access: Package Firewall verifies that each request presents an Endor Labs API key with the Package Firewall User role.
  3. Evaluate each package request: For each request, Package Firewall parses the ecosystem, package name, and version, and checks it against the Endor Labs malware database. If you configure a Package Firewall policy, the firewall also evaluates vulnerabilities, restricted licenses, and minimum package age. You can define exceptions that let specific packages bypass all checks, so critical builds and workflows continue uninterrupted.
  4. Take action: Based on the malware check and policy conditions, Package Firewall takes the configured action on the request and records an event with the package, version, and reason. You can set each condition (malware, vulnerabilities, restricted licenses, and minimum package age) to one of two responses:
    • Warn: Records the event and allows the package installation without interrupting your CI pipeline.
    • Block: Prevents the package installation entirely and returns an error.
    When a package passes all checks, the installation proceeds and no log is recorded.
  5. Record events in Package Firewall logs: Package Firewall records each action it takes on a package installation request, which is helpful for debugging and compliance. The logs include details such as the package, version, time of the event, and the reason the firewall flagged the package. See View Package Firewall logs for more details.
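The decision flow of steps 3 to 5, as an added Python model that is not Endor Labs' code: the Policy and Package shapes, the malware database contents, the license set, and the dependency tree built in demo() are constructed assumptions. It shows exceptions bypassing every check, the malware check running even when no policy is configured, warn versus block per condition, transitive dependencies being evaluated, and only flagged packages producing a log event.

```python
from dataclasses import dataclass, field
from datetime import date
# Constructed model of the documented decision flow (not Endor Labs code).
@dataclass
class Policy:
    actions: dict = field(default_factory=dict)    # condition -> "block" | "warn"
    min_age_days: int = 0
    exceptions: set = field(default_factory=set)   # "ecosystem:name" entries bypass all checks
@dataclass
class Package:
    ecosystem: str
    name: str
    version: str
    published: date
    license: str = "MIT"
    has_vulns: bool = False
    deps: list = field(default_factory=list)
MALWARE_DB = {("npm", "evil-pkg", "1.0.0")}  # constructed sample entry, not a real indicator
RESTRICTED_LICENSES = {"AGPL-3.0"}

def evaluate(pkg, policy, today):  # -> (action, reason): "allow", or the policy's "warn"/"block"
    if f"{pkg.ecosystem}:{pkg.name}" in policy.exceptions:
        return "allow", "exception"
    act = policy.actions
    if (pkg.ecosystem, pkg.name, pkg.version) in MALWARE_DB:
        return act.get("malware", "block"), "malware"  # malware is blocked unless the policy says warn
    if "vulnerabilities" in act and pkg.has_vulns:
        return act["vulnerabilities"], "vulnerability"
    if "restricted_licenses" in act and pkg.license in RESTRICTED_LICENSES:
        return act["restricted_licenses"], "restricted license"
    if "min_age" in act and (today - pkg.published).days < policy.min_age_days:
        return act["min_age"], "minimum package age"
    return "allow", ""

def install(root, policy, today):  # every package in the tree is checked; any block fails the install
    events, blocked, stack = [], False, [root]
    while stack:
        pkg = stack.pop()
        action, reason = evaluate(pkg, policy, today)
        if action != "allow":  # packages that pass all checks produce no log entry
            events.append({"package": f"{pkg.ecosystem}:{pkg.name}", "version": pkg.version,
                           "time": today.isoformat(), "reason": reason, "action": action})
        blocked = blocked or action == "block"
        stack.extend(pkg.deps)  # an exception covers the named package; its deps are still checked
    return ("blocked" if blocked else "installed"), events

def demo(policy):  # constructed tree: app -> evil-pkg (in malware db) and app -> fresh (2 days old)
    app = Package("npm", "app", "1.0.0", date(2024, 1, 1), deps=[Package("npm", "evil-pkg", "1.0.0",
          date(2025, 3, 1)), Package("npm", "fresh", "0.0.1", date(2025, 5, 30))])
    return install(app, policy, date(2025, 6, 1))
```

With no policy at all, demo(Policy()) still returns "blocked" because the malware check is on by default; with Policy(exceptions={"npm:evil-pkg"}) the same tree installs with no events recorded.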