-
Block the installation and Google Artifact Registry returns
HTTP 403if the package is found in the Endor Labs malware database, or if a policy condition matches with Block. The Package Firewall records a log with the package, version, and reason. - Allow the installation if a policy condition matches with Warn. The Package Firewall records a warning log with the package, version, and reason.
- Allow the installation if the package passes all checks. No log is recorded.
HTTP 403 when it blocks a request without surfacing the specific reason. To see why a package was blocked, review the Package Firewall logs.
Required Google Cloud permissions
Ensure that you have the following roles in the Google Cloud project that hosts Artifact Registry:- Artifact Registry Administrator to create remote repositories.
- Secret Manager Admin to create the secret and grant Artifact Registry access to it.
- Service Usage Admin to enable the Secret Manager API.
Configure the Package Firewall
Complete the following steps to integrate Google Artifact Registry with the Endor Labs Package Firewall:- Create an API key for the Package Firewall.
- Store the API secret in Secret Manager.
- Configure Google Artifact Registry.
- Set up local package managers.
- Verify your setup.
Create an API key for the Package Firewall
Create an API key dedicated to the Package Firewall so that can authenticate to it. You can create it through one of the following methods:- Using the Endor Labs user interface, with the Package Firewall User role. See API keys to learn more.
- Using endorctl, with the
SYSTEM_ROLE_PACKAGE_FIREWALLrole. Make sure to install and configure endorctl before you create the key.
<namespace>with your namespace.<API key name>with the name of the API key for the Package Firewall use case.<YYYY-MM-DDTHH:MM:SSZ>with the API key expiration in ISO 8601 UTC format, for example2026-12-31T23:59:59Z.
- API key:
spec.key - API secret:
spec.secret
Store the API secret in Secret Manager
Google Artifact Registry reads the upstream password from Secret Manager, so you must store your API secret there before you configure the remote repository.- Sign in to the Google Cloud console and select your project.
- Search for and select Secret Manager API.
- Click Enable. If you see Manage instead, the API is already enabled.
- Search for and select Secret Manager.
- Create a secret with a name, such as
endor-pkg-firewall-secret, and set the Secret value to your API secret. Refer to Google Cloud documentation to learn how to create a secret.
Configure Google Artifact Registry
Configure a remote repository in Google Artifact Registry for each package type you want to route through the Package Firewall. A remote repository proxies an upstream source, so you set the Package Firewall URL as the custom upstream. Provide your API key as the username and the Secret Manager secret as the password. The remaining repository settings, such as location and cleanup policies, are specific to Google Artifact Registry. Configure them based on your requirements.Google Artifact Registry does not support custom upstream URL for Go remote repositories, so you cannot route Go modules through the Package Firewall with this integration. To route Go modules through the Package Firewall, use JFrog Artifactory or direct integration.
Configure Google Artifact Registry for an npm remote repository
Configure Google Artifact Registry for an npm remote repository
- In the Google Cloud console, go to Artifact Registry > Repositories.
- Click Create Repository.
- Enter a repository name, such as
endor-npm-repository. - Choose npm as the Format.
- Choose Custom in Remote repository source.
- Enter
https://factory.endorlabs.com/v1/namespaces/<namespace>/firewall/npmas the custom repository URL. Replace<namespace>with your Endor Labs namespace. - Choose Authenticated in Remote repository authentication mode.
- Enter your API key (
spec.key) as the Username for the upstream repository. - Under Store your credentials in Secret Manager, select the Secret you created.
- Under Location type, choose Region or Multi-Region and select a location. Refer to Repository locations for details.
- Click Create.
Configure Google Artifact Registry for a Python remote repository
Configure Google Artifact Registry for a Python remote repository
- In the Google Cloud console, go to Artifact Registry > Repositories.
- Click Create Repository.
- Enter a repository name, such as
endor-pypi-repository. - Choose Python as the Format.
- Choose Custom in Remote repository source.
- Enter
https://factory.endorlabs.com/v1/namespaces/<namespace>/firewall/pypias the custom repository URL. Replace<namespace>with your Endor Labs namespace. - Choose Authenticated in Remote repository authentication mode.
- Enter your API key (
spec.key) as the Username for the upstream repository. - Under Store your credentials in Secret Manager, select the Secret you created.
- Under Location type, choose Region or Multi-Region and select a location. Refer to Repository locations for details.
- Click Create.
Configure Google Artifact Registry for a Maven remote repository
Configure Google Artifact Registry for a Maven remote repository
- In the Google Cloud console, go to Artifact Registry > Repositories.
- Click Create Repository.
- Enter a repository name, such as
endor-maven-repository. - Choose Maven as the Format.
- Choose Custom in Remote repository source.
- Enter
https://factory.endorlabs.com/v1/namespaces/<namespace>/firewall/mavenas the custom repository URL. Replace<namespace>with your Endor Labs namespace. - Choose Authenticated in Remote repository authentication mode.
- Enter your API key (
spec.key) as the Username for the upstream repository. - Under Store your credentials in Secret Manager, select the Secret you created.
- Under Location type, choose Region or Multi-Region and select a location. Refer to Repository locations for details.
- Click Create.
Set up local package managers
Configure your local package managers to use the Google Artifact Registry repository as their source, and authenticate with your Google Cloud credentials. Refer to Google’s client setup documentation for npm, Python, and Maven.Verify your setup
To verify your setup, install a package that Endor Labs has classified as malware. The Package Firewall should block the installation and return anHTTP 403.
The following are examples of packages classified as malware by Endor Labs.
npm
npm
Run the following command to test the Package Firewall with npm.When the Package Firewall blocks the package, the output looks similar to the following. The
E403 error code and 403 Forbidden response confirm that the firewall blocked the package.PyPI
PyPI
Run the following command to test the Package Firewall with PyPI.When the Package Firewall blocks the package, the output looks similar to the following. The
403 response confirms that the firewall blocked the package.Maven
Maven
Add When the Package Firewall blocks the package, the output looks similar to the following. The
io.github.endorlabs:endor-java-webapp-demo:4.1 as a dependency in your pom.xml, then run the following command to test the Package Firewall with Maven.403 Forbidden response confirms that the firewall blocked the package.Troubleshooting and FAQ
What if the repository fails to create?
What if the repository fails to create?
Google Artifact Registry validates the upstream URL and credentials when you create a remote repository, and creates it only if the test passes. If it fails, check that the custom repository URL, upstream username, and Secret Manager secret are correct.To skip the check, select Disable upstream validation on the form.
What if Google Artifact Registry has already cached a package that is declared malicious later?
What if Google Artifact Registry has already cached a package that is declared malicious later?
If Endor Labs flags a package as malware after Google Artifact Registry cached it, Google Artifact Registry continues to serve it until the cache expires. Use a short cache duration to reduce that window.
How do I troubleshoot connection issues?
How do I troubleshoot connection issues?
- Verify that the Package Firewall URL set as the custom upstream is correct.
- Ensure network connectivity from Google Artifact Registry to the Package Firewall.
- Ensure the firewall rules allow outbound connections from Google Artifact Registry.
How do I troubleshoot authentication issues?
How do I troubleshoot authentication issues?
- Verify the API key and secret are correct and that the key has the Package Firewall User role.
- Verify that the Secret Manager secret holds the API secret and that the repository can access it.
How do I troubleshoot cache issues?
How do I troubleshoot cache issues?
- Set cache expiration to short durations so that more requests hit the Package Firewall.
- Check the cache hit and miss rates. Clear the cache if you need to test with a fresh request.