
The Package Firewall proxies package installations between your private registry and the public package indexes, evaluating each request in real time before download. Use a Package Firewall policy to control which installations are allowed and which are blocked. For a package that fails the policy, you can either block the download or allow it and record a warning in the Package Firewall logs.
  • Block: Prevents the package installation and returns an error. Select this action when you want to ensure the package never reaches your environment.
  • Warn: Allows the package installation and logs it as a warning event. Select this action when you want visibility without risking build interruptions.
Endor Labs blocks or warns on package installations based on the conditions you configure in the policy:
  • Exceptions: Specify packages to exclude from enforcement. When a package matches an exception, the Package Firewall skips all checks and allows the installation. Exceptions override other conditions such as restricted licenses and minimum package age. You can define exceptions for a single version, multiple versions, or a version range. For a version range, the lower bound is inclusive and the upper bound is exclusive. If you do not configure version limits, the exception applies to every version of that package for the selected ecosystem. Exceptions apply only to the packages explicitly listed and do not cover transitive dependencies. If a transitive dependency is flagged, it is blocked even if its parent package has an exception; add that dependency as a separate exception to allow its installation.
  • Restricted licenses: You can define a list of SPDX licenses that your organization considers restricted. If a package version matches one of these licenses, Endor Labs applies the configured policy action, helping enforce legal and open-source compliance at install time.
  • Minimum package age: Set a minimum number of hours that must pass after a version is published before it is considered safe. If a version is newer than this threshold, Endor Labs applies the configured policy action, mitigating risk from newly released packages.
Endor Labs records every package installation request together with the action taken. See Package Firewall logs to learn more.

Configure the policy

You can configure the Package Firewall policy to block or warn on installations based on malware detection, exceptions, restricted licenses, and minimum package age conditions. The Package Firewall evaluates each package against the policy in the following order: Exceptions → Malware → Restricted License → Minimum Package Age. If a package is listed as an exception, all remaining checks are skipped. If a check matches and its action is Warn, the event is logged and evaluation continues with the next check. If its action is Block, the installation is blocked and the remaining checks do not run.

Before configuring the policy, set up a Package Firewall integration in your namespace. See Package Firewall for setup instructions.
  1. Select Policies & Rules from the left sidebar.
  2. Select Package Firewall Policies.
  3. Under Malware, choose Block or Warn if malware is detected in the package.
  4. Under Restricted licenses, search for and add the licenses you want to restrict. You can search by the SPDX name or identifier of the license. Choose Block or Warn when a package version declares one of the specified licenses.
  5. Under Minimum package age, enter the minimum number of hours that must have passed since a package version was published before it can be installed. Choose Block or Warn when a version is newer than the specified threshold.
  6. Click Add Exceptions to add packages that bypass the Package Firewall entirely, skipping all malware, license, and minimum-age checks for those installations.
  7. Select the Package manager.
  8. Enter the exact package name.
  9. Optionally, toggle on Specific versions for the package. If you leave it off, all versions of the package bypass the Package Firewall and are installed without checks.
    • Select Exact version and enter the version to exclude from the Package Firewall.
    • Select Version range and enter the lower and upper bounds to exclude from the Package Firewall. The lower bound is inclusive, and the upper bound is exclusive. For example, a range of 1.1.3 to 3.0.0 matches version 1.1.3, but not 3.0.0.
    Select the plus icon to add more exceptions.
  10. Click Save to save the exceptions. To update an exception, click the vertical three dots and select Edit. You can update the versions, package name, and package manager. To delete an exception, click the vertical three dots and select Delete.
  11. Click Save to save the policy.
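As an added example (not Endor Labs code), the following Python models the evaluation order and exception semantics described above: an exception matches an exact version, a version range with an inclusive lower and exclusive upper bound, or every version when no limits are set; a matching check with the Warn action is recorded and evaluation continues, while a Block match stops it. The names FirewallException, Policy and evaluate, the simplified dotted-integer version parser, and the sample package and license values are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
BLOCK, WARN = "block", "warn"

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))  # dotted integers only (simplified, constructed)

@dataclass
class FirewallException:
    # Exception entry: exact version, [lower, upper) range, or every version when unset.
    ecosystem: str
    name: str
    exact: str = ""
    lower: str = ""  # inclusive
    upper: str = ""  # exclusive

    def matches(self, ecosystem: str, name: str, version: str) -> bool:
        if (self.ecosystem, self.name) != (ecosystem, name):
            return False
        if self.exact:
            return parse_version(version) == parse_version(self.exact)
        if self.lower and self.upper:
            return parse_version(self.lower) <= parse_version(version) < parse_version(self.upper)
        return True  # no version limits: every version of the package is exempt

@dataclass
class Policy:
    malware_action: str = BLOCK
    license_action: str = WARN
    restricted_licenses: frozenset = frozenset()  # SPDX identifiers
    min_age_action: str = WARN
    min_age_hours: int = 0
    exceptions: list = field(default_factory=list)

def evaluate(policy, ecosystem, name, version, malware, license_id, age_hours):
    """Return ("allow" | "block", [checks that warned]) in the documented order."""
    if any(e.matches(ecosystem, name, version) for e in policy.exceptions):
        return "allow", []  # exception: all remaining checks are skipped
    checks = [  # Malware -> Restricted License -> Minimum Package Age
        ("malware", malware, policy.malware_action),
        ("restricted-license", license_id in policy.restricted_licenses, policy.license_action),
        ("min-package-age", age_hours < policy.min_age_hours, policy.min_age_action),
    ]
    warnings = []
    for check, matched, action in checks:
        if not matched:
            continue
        if action == BLOCK:
            return "block", warnings  # Block: installation fails, later checks do not run
        warnings.append(check)  # Warn: event is logged, evaluation continues
    return "allow", warnings
```

Running evaluate against a policy with a 1.1.3 to 3.0.0 exception reproduces the documented range rule: version 1.1.3 is exempt from every check, while 3.0.0 is evaluated normally.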