# Package Firewall policy

> Configure how Package Firewall responds to flagged packages, including block and warn actions, exceptions, vulnerabilities, restricted licenses, and minimum package age.

Package Firewall proxies package installations between your private registry and the public package indexes, evaluating each request in real time before download. Use a policy to control which installations are blocked or allowed.

For packages that fail the policy, configure the Package Firewall policy to either block the installation or allow it and record a warning in Package Firewall logs.

* **Block**: Prevents the package installation and returns an error. Select this action when you want to ensure the package never reaches your environment.
* **Warn**: Allows the package installation and logs it as a warning event. Select this action when you want visibility without risking build interruptions.

Endor Labs blocks or warns on package installations based on the conditions you configure in the policy.

* **Exceptions**: Specify packages to exclude from enforcement. When a package matches an exception, Package Firewall skips all checks and allows the installation. Exceptions override other conditions such as restricted licenses and minimum package age, making them useful for approved packages that must remain available for critical builds and package installation workflows. You can define exceptions for a single version, multiple versions, or a version range. For version ranges, the lower bound is inclusive and the upper bound is exclusive. If you do not configure version limits, the exception applies to every version of that package for the selected ecosystem.

  Exceptions apply only to the packages explicitly listed and do not cover transitive dependencies. If a transitive dependency is flagged, it is blocked even if the parent package has an exception. Add that package as a separate exception to allow its installation.

* **Vulnerabilities**: Set a CVSS severity threshold. Endor Labs uses CVSS 3.x by default and evaluates vulnerability severity using that version. You can change the CVSS version for your namespace in [System Settings](/platform-administration/configure-system-settings/#configure-cvss-score-version). If a package has a known vulnerability at or above this threshold, the configured policy action is applied.

* **Restricted licenses**: You can define a list of SPDX licenses that your organization considers restricted. If a package version matches one of these licenses, Endor Labs applies the configured policy action, helping enforce legal and open-source compliance at install time.

* **Minimum package age**: Set a minimum number of hours that must pass after a version is published before it is considered safe. If a version is newer than this threshold, Endor Labs applies the configured policy action, mitigating risk from newly released packages.

Endor Labs records every package installation request together with the action taken. See [View Package Firewall logs](/package-firewall/logs) to learn more.

<Note>
  **License requirement**

  Ensure that you have the **Package Firewall** license to configure the policy. See [Licenses](/introduction/licenses) for more information.
</Note>

## Configure the policy

You can configure the Package Firewall policy to block or warn installations based on malware detection, exceptions, vulnerabilities, restricted licenses, and minimum package age conditions. The Package Firewall evaluates each package against the policy in the following order: **Exceptions → Malware → Vulnerability → Restricted License → Minimum Package Age**. If a package is listed as an exception, all checks are skipped.

If a check matches and the action is **Warn**, the event is logged and the evaluation continues with the next check. If the action is **Block**, the installation is blocked and the remaining checks are skipped.
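As an added example (not Endor Labs code), the following Python model implements the evaluation order described above together with the exception version rules from the Exceptions description: lower bound inclusive, upper bound exclusive, and no version limits meaning every version. The `Policy` fields, the package dict keys, the 48-hour default, and the mapping of **High & Critical** to a CVSS score of 7.0 or more are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    # Action per check: "block" or "warn"; None disables that check (assumed model).
    malware: str = "block"
    vulnerability: str = "warn"
    restricted_license: str = "warn"
    min_age: str = "block"
    cvss_threshold: float = 7.0   # "High & Critical" taken as CVSS score >= 7.0 (assumption)
    min_age_hours: float = 48.0   # constructed default
    restricted_licenses: set = field(default_factory=set)
    # (ecosystem, name, spec): spec None = all versions, "x.y.z" = exact, (lo, hi) = range
    exceptions: list = field(default_factory=list)

def vtuple(version):
    return tuple(int(p) for p in version.split("."))

def is_excepted(policy, eco, name, version):
    v = vtuple(version)
    for e_eco, e_name, spec in policy.exceptions:
        if (e_eco, e_name) != (eco, name):
            continue
        if spec is None or (isinstance(spec, str) and v == vtuple(spec)):
            return True                # no version limits, or exact match
        if isinstance(spec, tuple) and vtuple(spec[0]) <= v < vtuple(spec[1]):
            return True                # range: lower inclusive, upper exclusive
    return False

def evaluate(policy, pkg):
    # Order as on the page: Exceptions, Malware, Vulnerability, Restricted License, Min Age.
    if is_excepted(policy, pkg["eco"], pkg["name"], pkg["version"]):
        return "allow", []             # exception: every other check is skipped
    checks = [
        ("malware", policy.malware, pkg["malicious"]),
        ("vulnerability", policy.vulnerability, pkg["max_cvss"] >= policy.cvss_threshold),
        ("restricted_license", policy.restricted_license,
         pkg["eco"] != "go" and pkg["license"] in policy.restricted_licenses),
        ("min_age", policy.min_age, pkg["age_hours"] < policy.min_age_hours),
    ]
    warnings = []
    for check, action, hit in checks:
        if hit and action == "block":
            return "block", warnings   # block: remaining checks are skipped
        if hit and action == "warn":
            warnings.append(check)     # warn: logged, evaluation continues
    return "allow", warnings
```

Each install request is evaluated on its own, so a transitive dependency is only allowed through if it has its own matching exception.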

Before configuring the policy, set up a Package Firewall integration in your namespace. See [Package Firewall](/package-firewall/) for setup instructions.

1. Select **User menu** > **Policies & Rules** from the left sidebar.
2. Select **Package Firewall Policies**.

### Configure malware detection

Set the action the Package Firewall takes when it detects malware in a package.

1. Select **Malware**.
2. Choose to **Block** or **Warn** if the package is flagged as malicious.
3. Click **Save**.

### Set a minimum package age

Block or warn package installations when a version was published more recently than a threshold you define.

1. Select **Minimum Package Age**.
2. Enter the number of hours that must pass after a version is published before it can be installed in **Minimum package age in hours**.
3. Choose to **Block** or **Warn** if the condition is met.
4. Click **Save**.

### Restrict licenses

Define the SPDX licenses your organization considers restricted and how the Package Firewall responds when a restricted license is detected. Restricted license enforcement does not apply to the Go ecosystem.

1. Select **Restricted License**.
2. Click **Add Licenses**.
3. Search for and select the licenses you want to restrict. You can search by the SPDX name or identifier of the license.
4. If you don't find the licenses you are looking for, enter a comma-separated list of licenses in **Add custom licenses**.
5. Click **Add & select**.
6. Click **Save**.
7. Choose to **Block** or **Warn** if the condition is met.
8. Click **Save**.

<img src="https://mintcdn.com/endorlabs-b4795f4f/Cq2jQsQZUU2aI4dH/images/package-firewall/restricted-licenses.webp?fit=max&auto=format&n=Cq2jQsQZUU2aI4dH&q=85&s=8237ac952101f6097f61e79d736f748f" alt="Restricted licenses" width="692" height="939" data-path="images/package-firewall/restricted-licenses.webp" />

### Set a vulnerability threshold

Block or warn package installations that have vulnerabilities at or above a CVSS severity threshold.

1. Select **Vulnerability**.
2. Choose **High** or **High & Critical** in **Select CVSS severity**. Choose **Do nothing** to skip the vulnerability check.
3. Choose to **Block** or **Warn** if the condition is met.
4. Click **Save**.

### Add exceptions

Add packages that bypass the Package Firewall entirely, skipping all malware, license, vulnerability, and minimum-age checks for those installations.

1. Select **Exceptions**.

2. Click **Add package exceptions**.

3. Choose the **Ecosystem**.

4. Enter the **Package name**.

5. Optionally, turn on **Specify versions** and apply the exception to specific versions. If you leave this off, all versions of the package bypass the Package Firewall.

   * To exclude a specific version, choose **Exact version** and enter the version to exclude.
   * To exclude a range of package versions, choose **Version range** and enter the lower and upper bounds. The lower bound is inclusive, and the upper bound is exclusive. For example, a range of `1.1.3` to `3.0.0` matches version `1.1.3`, but not `3.0.0`.

   Click **+** to add a row for each additional version or range you want to exclude for that package.

   <img src="https://mintcdn.com/endorlabs-b4795f4f/Cq2jQsQZUU2aI4dH/images/package-firewall/exceptions.webp?fit=max&auto=format&n=Cq2jQsQZUU2aI4dH&q=85&s=f8aa749fb89068c506e05f884ff23f4a" alt="Add exceptions" width="695" height="521" data-path="images/package-firewall/exceptions.webp" />

6. Click **Save**.

7. Optionally, click **Add more** to add exceptions for other packages.

To update an exception:

1. Click the vertical three dots and select **Edit**. You can update the package manager, package name, and versions.
2. Click **Save** or **Update**.

To delete an exception, click the vertical three dots and select **Delete**.
