Skip to main content
Package Firewall proxies package installations between your private registry and the public package indexes, evaluating each request in real time before download. Use a policy to control which installations are blocked or allowed. For packages that fail the policy, you can either block the download or allow it and record a warning in Package Firewall logs. Configure the Package Firewall policy to either block a package installation, or allow it and record a warning in Package Firewall logs.
  • Block: Prevents the package installation and returns an error. Select this action when you want to ensure the package never reaches your environment.
  • Warn: Allows the package installation and logs it as a warning event. Select this action when you want visibility without risking build interruptions.
Endor Labs blocks or warns package installations based on the conditions you configure in the policy.
  • Exceptions: Specify packages to exclude from enforcement. When a package matches an exception, Package Firewall skips all checks and allows the installation. Exceptions override other conditions such as restricted licenses and minimum package age, making them useful for approved packages that must remain available for critical builds and package installation workflows. You can define exceptions for a single version, multiple versions, or a version range. For version ranges, the lower bound is inclusive and the upper bound is exclusive. If you do not configure version limits, the exception applies to every version of that package for the selected ecosystem. Exceptions apply only to the packages explicitly listed and do not cover transitive dependencies. If a transitive dependency is flagged, it is blocked even if the parent package has an exception. Add that package as a separate exception to allow its installation.
  • Vulnerabilities: Set a CVSS severity threshold. Endor Labs uses CVSS 3.x by default and evaluates vulnerability severity using that version. You can change the CVSS version for your namespace in System Settings. If a package has a known vulnerability at or above this threshold, the configured policy action is applied.
  • Restricted licenses: You can define a list of SPDX licenses that your organization considers restricted. If a package version matches one of these licenses, Endor Labs applies the configured policy action, helping enforce legal and open-source compliance at install time.
  • Minimum package age: Set a minimum number of hours that must pass after a version is published before it is considered safe. If a version is newer than this threshold, Endor Labs applies the configured policy action, mitigating risk from newly released packages.
Endor Labs records every package installation request together with the action taken. See View Package Firewall logs to learn more.

Configure the Package Firewall policy

You can configure the Package Firewall policy to block or warn installations based on malware detection, exceptions, vulnerabilities, restricted licenses, and minimum package age conditions. The Package Firewall evaluates each package against the policy in the following order: Exceptions → Malware → Vulnerability → Restricted License → Minimum Package Age. If a package is listed as an exception, all remaining checks are skipped. If a check matches and the action is Warn, the event is logged and the evaluation continues. If the action is Block, the installation is blocked and the remaining checks do not run. Before configuring the policy, set up a Package Firewall integration in your namespace. See Package Firewall for more information.
  1. Select User menu > Policies & Rules from the left sidebar.
  2. Select Package Firewall Policies.
  3. Under Malware, choose Block or Warn if malware is detected in the package.
  4. Under Vulnerability, set the CVSS severity threshold to High or Critical. Select None to disable vulnerability detection. Choose Block or Warn when a package version has a vulnerability at or above the selected threshold.
  5. Under Restricted licenses, search for and add the licenses you want to restrict. You can search by the SPDX name or identifier of the license. Choose Block or Warn when a package version declares one of the specified licenses.
  6. Under Minimum package age, enter the minimum number of hours that must have passed since a package version was published before it can be installed. Choose Block or Warn when a version is newer than the specified threshold.
  7. Click Add Exceptions to add packages that bypass the Package Firewall entirely, skipping all malware, vulnerability, license, and minimum-age checks for those installations.
  8. Select the Package manager.
  9. Enter the exact package name.
  10. Optionally, toggle on Specific versions for the package, else all versions of the package bypass the Package Firewall and are installed without checks.
    • Select Exact version and enter the version to exclude from the Package Firewall.
    • Select Version range and enter the lower and upper bounds to exclude from the Package Firewall. The lower bound is inclusive, and the upper bound is exclusive. For example, a range of 1.1.3 to 3.0.0 matches version 1.1.3, but not 3.0.0.
    Select the plus icon to add more exceptions.
  11. Click Save to save the exceptions. To update an exception, click the vertical three dots and select Edit. You can update the versions, package name, and package manager. To delete an exception, click the vertical three dots and select Delete.
  12. Click Save to save the policy.