Repository Firewall Best Practices

Repository Firewall should be used to stop new risks from being introduced into your repository

Blocking components your applications currently depend on will result in a poor experience with your development teams

Review the note below on cleaning up vulnerable components from your repository

Enforcement is managed by IQ Server policy however, the Capability must first be configured, enabled, and have the Quarantined option checked; for each proxy that will need Repository Firewall protection.

Repository Firewall will audit the existing components in the repository while only quarantining new components not used by existing applications.

Avoid deleting vulnerable components from your proxy repositories so that existing builds are not impacted.

Security-Malicious: components with known malicious intent

Security-Suspicious: components where Sonatype's Releases Integrate data team is reviewing potential threats

Security-Critical: vulnerabilities with a CVSS score of 9 or greater should be avoided as much as possible

License-Banned: license issues can pose financial risks to an organization

Only allow components entering your builds that have been identified and reviewed by Sonatype Intelligence

New components in public repositories are unknown for less than 5 minutes before they are identified

This creates a narrow window where dangerous components could enter your system

Components can be automatically released once identified

Allowing unknown components is a potential risk to your supply chain

Repository Firewall automates your repository security by automatically releasing components from quarantine

Enabling Automatic Quarantine Release reduces the effort of administrating the Repository Firewall and reduces developer friction

This feature reduces risk when your dependencies are coded to use the latest released version

Queries for the latest component version are only answered with the versions that are approved by your policy

This prevents newly released package versions from interrupting development if your application automatically downloads the newest version of an application

Developers need to know how and to whom to reach out to release a component from quarantine

When turning on enforcement, communicate to your developers what to do when components are quarantined

Quarantine messaging is easily overlooked when not prepared and can be frustrating to deal with when troubleshooting build failures

Firewall administrators are often not able to determine which build attempted to download for a quarantined component

Developer dependencies and frameworks typically do not end up in the final application, so the threshold of risk in their use is often lower

They also tend to be frequently and automatically updated which can cause them to be blocked by the Firewall more often when they have risk

To avoid frustrating your developers by having them frequently request waivers, you can scope waivers to include all versions of the component

This will accept the risk of a single violation for future versions of a component while still blocking new violations before they are reviewed

Repository Firewall works by identifying open-source from public repositories from our supported ecosystems

You will have many unknown components when configuring the Repository Firewall on unsupported proxies