Skip to main content
Package Firewall proxies package installations between your private registry and the public package indexes, evaluating each request in real time before download. Use a policy to control which installations are blocked or allowed. For packages that fail the policy, you can either block the download or allow it and record a warning in Package Firewall logs. Configure the Package Firewall policy to either block a package installation, or allow it and record a warning in Package Firewall logs.
  • Block: Prevents the package installation and returns an error. Select this action when you want to ensure the package never reaches your environment.
  • Warn: Allows the package installation and logs it as a warning event. Select this action when you want visibility without risking build interruptions.
Endor Labs blocks or warns package installations based on the conditions you configure in the policy.
  • Exceptions: Specify packages to exclude from enforcement. When a package matches an exception, Package Firewall skips all checks and allows the installation. Exceptions override other conditions such as restricted licenses and minimum package age, making them useful for approved packages that must remain available for critical builds and package installation workflows. You can define exceptions for a single version, multiple versions, or a version range. For version ranges, the lower bound is inclusive and the upper bound is exclusive. If you do not configure version limits, the exception applies to every version of that package for the selected ecosystem. Exceptions apply only to the packages explicitly listed and do not cover transitive dependencies. If a transitive dependency is flagged, it is blocked even if the parent package has an exception. Add that package as a separate exception to allow its installation.
  • Vulnerabilities: Set a CVSS severity threshold. Endor Labs uses CVSS 3.x by default and evaluates vulnerability severity using that version. You can change the CVSS version for your namespace in System Settings. If a package has a known vulnerability at or above this threshold, the configured policy action is applied.
  • Restricted licenses: You can define a list of SPDX licenses that your organization considers restricted. If a package version matches one of these licenses, Endor Labs applies the configured policy action, helping enforce legal and open-source compliance at install time.
  • Minimum package age: Set a minimum number of hours that must pass after a version is published before it is considered safe. If a version is newer than this threshold, Endor Labs applies the configured policy action, mitigating risk from newly released packages.
Endor Labs records every package installation request together with the action taken. See View Package Firewall logs to learn more.
License requirementEnsure that you have the Package Firewall license to configure the policy. See Licenses for more information.

Configure the policy

You can configure the Package Firewall policy to block or warn installations based on malware detection, exceptions, vulnerabilities, restricted licenses, and minimum package age conditions. The Package Firewall evaluates each package against the policy in the following order: Exceptions → Malware → Vulnerability → Restricted License → Minimum Package Age. If a package is listed as an exception, all checks are skipped. If a check matches and the action is Warn, the event is logged and the evaluation continues. If the action is Block, the installation is blocked and all checks are skipped. Before configuring the policy, set up a Package Firewall integration in your namespace. See Package Firewall for setup instructions.
  1. Select User menu > Policies & Rules from the left sidebar.
  2. Select Package Firewall Policies.

Configure malware detection

Set the action the Package Firewall takes when it detects malware in a package.
  1. Select Malware.
  2. Choose to Block or Warn if the package is flagged as malicious.
  3. Click Save.

Set a minimum package age

Block or warn package installations when a version was published more recently than a threshold you define.
  1. Select Minimum Package Age.
  2. Enter the number of hours that must pass after a version is published before it can be installed in Minimum package age in hours.
  3. Choose to Block or Warn if the condition is met.
  4. Click Save.

Restrict licenses

Define the SPDX licenses your organization considers restricted and how the Package Firewall responds when a restricted license is detected. Restricted license enforcement does not apply to the Go ecosystem.
  1. Select Restricted License.
  2. Click Add Licenses.
  3. Search for and select the licenses you want to restrict. You can search by the SPDX name or identifier of the license.
  4. If you don’t find the licenses you are looking for, enter a comma separated list of licenses in Add custom licenses.
  5. Click Add & select.
  6. Click Save.
  7. Choose to Block or Warn if the condition is met.
  8. Click Save.
Restricted licenses

Set a vulnerability threshold

Block or warn package installations that have vulnerabilities at or above a CVSS severity threshold.
  1. Select Vulnerability.
  2. Choose High or High & Critical in Select CVSS severity. Choose Do nothing to skip the vulnerability check.
  3. Choose to Block or Warn if the condition is met.
  4. Click Save.

Add exceptions

Add packages that bypass the Package Firewall entirely, skipping all malware, license, vulnerability, and minimum-age checks for those installations.
  1. Select Exceptions.
  2. Click Add package exceptions.
  3. Choose the Ecosystem.
  4. Enter the Package name.
  5. Optionally, turn on Specify versions and apply the exception to specific versions. If you leave this off, all versions of the package bypass the Package Firewall.
    • To exclude a specific version, choose Exact version and enter the version to exclude.
    • To exclude a range of package versions, choose Version range and enter the lower and upper bounds. The lower bound is inclusive, and the upper bound is exclusive. For example, a range of 1.1.3 to 3.0.0 matches version 1.1.3, but not 3.0.0.
    Click + to add a row for each additional version or range you want to exclude for that package. Add exceptions
  6. Click Save.
  7. Optionally, click Add more to add exceptions for other packages.
To update an exception:
  1. Click the vertical three dots and select Edit. You can update the package manager, package name, and versions.
  2. Click Save or Update
To delete an exception, click the vertical three dots and select Delete.