Skip to main content

Release Integrity

New releases of open-source components introduce high risk to your build pipeline as they may hide malware, critical security vulnerabilities, or unapproved licenses.

Release Integrity is a collection of features in the Repository Firewall and Lifecycle that protect you from intentionally harmful components.

Suspicious and Malicious Protection

  • Machine Learning (ML) system for identifying potentially malicious new releases

  • Repository Firewall blocks dangerous releases by default

  • Protect your build pipeline from software supply chain attacks

Automatic Quarantine Release

  • Firewall automatically releases components from quarantine that no longer have failing violations

  • Automatically release suspicious components deemed safe by the Sonatype Research team

  • Reduce costs of assessing components coming into your build environment

Policy Compliant Component Selection

  • Configure your repository manager to only deliver versions without failing policy violations

  • This keeps new versions from breaking your builds or disrupting development

Release Integrity

When a new component or version is published, Sonatype’s AI and Machine Learning tools analyze the release and flag any component with an unusual release behavior. Releases that seem ordinary are assigned a release integrity of Normal while components flagged by our AI tools are sent to the Sonatype Research team for further review. During the review components are assigned a Suspicious Integrity Rating. Components with dangerous behavior are labeled Malicious and left in quarantine. Normal components have their Suspicious Integrity Rating changed to Normal.


When the Repository Firewall license is installed, an Integrity-Rating policy is automatically created. This operation will only occur once, even if the license is installed again. The Integrity-Rating policy is configured to guard against malicious components.

This feature is designed to be used along with Repository Firewall's Automatic Quarantine Release to allow components re-assigned a normal integrity rating to be released without intervention by security teams.

Enable Automatic Release

Automatically releasing components from quarantine keeps your environment running smoothly and reduces the effort you need to spend managing components. We recommend allowing Automatic Release for Integrity Rating Policy Condition type and match state at a minimum.

See Automatic Quarantine Release

Integrity-Rating Policy

The Integrity-Rating Policy looks at a component's Release Integrity Score and creates violations for components with Pending or Suspicious values. These statuses are given to new components when Sonatype's machine-learning tools find anything suspicious or unusual in the release.

Release Integrity Score



  • The component is unknown to Sonatype's identity system

  • New components from public ecosystems are logged in minutes and queued for review


  • The component has been logged with Sonatype's Integrity Rating ML system for review


  • Signals from the component release indicate a threat

  • Validation is prioritized by Sonatype's data security team


  • The component has been assessed and appears normal

Not Applicable

  • This component is not covered by the Integrity Rating system 


The Security-Malicious policy is triggered when a component is found to be malicious.  This information is from the Security Vulnerability Category and is labeled Malicious Code.

The policy constraint, Security Vulnerability Category is used to target Malicious Code
Screenshot of Integrity Rating Policy

Testing the Integrity Rating Policy

The Sonatype data team maintains example npmmaven, and python projects to use with testing the Integrity Rating policy with the Repository Firewall.

npm Version

Integrity Rating

"@sonatype/policy-demo" : "2.0.0"


"@sonatype/policy-demo" : "2.1.0"

Suspicious; malicious Security Vulnerability Category

"@sonatype/policy-demo" : "2.2.0"


"@sonatype/policy-demo" : "2.3.0"


Maven Version

Integrity Rating




Suspicious; malicious Security Vulnerability Category





Python Version

Integrity Rating




Suspicious; malicious Security Vulnerability Category