Sonatype Repository Firewall

Sonatype Repository Firewall is the first line of defense for controlling the open-source components allowed into your Software Development Lifecycle.

  • Prevent Malicious Components - from entering your software supply chain

  • Automatically Evaluate - every new component against your custom governance policies

  • Automatically Quarantine - components before they are available in your artifact repository

Sonatype's IQ Server powers the Repository Firewall. The integration connects to your artifact repository to oversee the enforcement of your open-source consumption policies.

See License and Features to learn about our solutions.

Paths to Getting Started

The Repository Firewall license is available as a fully managed Cloud solution or a self-hosted deployment where you manage the service.

  • Firewall Cloud

    Firewall Cloud reduces time-to-value by skipping the time needed to provision hardware and the cost of managing a self-hosted service. Only one quick step is needed before you start protecting your infrastructure: set up your tenant and IdP (identity provider).

    Getting started with Sonatype Cloud

  • Self-Hosted

    The Self-Hosted solution deploys the way you want: as a single node or as a multi-regional, highly available service, without restrictions. It is built on the same platform as Lifecycle and SBOM Manager, so it scales with your organizational requirements.

    Getting Started with Repository Firewall

What's New

View the latest changes and updates in the Release Notes.

Download the latest version from Download and Compatibility.

Repository Firewall Product Information

Sonatype Repository Firewall requires an IQ Server and an artifact repository. Next-Gen Firewall is compatible with Sonatype Nexus Repository 3 Pro and JFrog Artifactory.

  • Recommended: IQ Server 134 or later

    • Firewall Cloud is updated automatically

    • Nexus Repository Pro requires a minimum version of 114

    • The JFrog Artifactory plugin requires a minimum version of 119

  • Nexus Repository Pro 3.38.1+ (latest version is recommended)

    • The Repository Firewall solution is included in the Nexus Repository and IQ Server codebase

  • JFrog Artifactory 7.2.6+

    • Including the latest version of the Repository Firewall plugin for JFrog Artifactory

    • JFrog Artifactory SaaS is not supported

Next-Gen Firewall Features

Repository Firewall prevents modern software supply chain attacks and improves developer experience. Classic Firewall has entered extended maintenance and will be sunsetted in the coming months. Customers should speak with their account team to upgrade to Next-Gen Firewall.

Licenses issued after June 1, 2021, apply to the Next-Gen Repository Firewall. Renewals are required to upgrade to the new version. The left navigation sidebar of the UI has the Firewall menu option indicating that you are licensed for the Next-Gen Repository Firewall.

Feature availability by repository manager. The Sonatype Nexus Repository 2 column applies to Classic (C) Firewall; the Sonatype Nexus Repository 3 and JFrog Artifactory columns apply to Self-Hosted and Sonatype Cloud.

Features                                              | Classic (C) Firewall        | Self-Hosted and Sonatype Cloud
                                                      | Sonatype Nexus Repository 2 | Sonatype Nexus Repository 3 | JFrog Artifactory
Firewall Quarantine                                   | Confirmed                   | Confirmed                   | Confirmed
Namespace Confusion Protection                        | Confirmed                   | Confirmed                   | Confirmed
Release Integrity (available for npm, Maven, & PyPI)  |                             | Confirmed                   | Confirmed
Automatic Quarantine Release                          |                             | Confirmed                   | Confirmed
Policy Compliant Component Selection                  |                             | Confirmed                   | Confirmed
PCCS for npm                                          |                             | IQ.134, NX-3.44             | plugin 2.4.4
PCCS for PyPI                                         |                             | IQ.167, NX-3.61             |

Package Support for Repository Firewall

The following ecosystems and URLs are examples of supported package repositories for the Repository Firewall. This is not a comprehensive list of sources for Sonatype Component Intelligence.

Package Manager | Public Repository
CocoaPods       | https://cdn.cocoapods.org
Composer        | https://packagist.org
Conan           | https://center.conan.io
Conda           | https://repo.anaconda.com/pkgs
Go Modules      | https://index.golang.org (detection of pre-release versions is not supported)
Maven           | https://repo.maven.apache.org/maven2
                | https://maven.google.com
                | https://maven.repository.redhat.com/ga/
npm             | https://registry.npmjs.org
NuGet           | https://nuget.org
PyPI            | https://pypi.org
RubyGems        | https://rubygems.org
Rust/Cargo      | https://index.crates.io
R Language      | https://cran.r-project.org
Yum/rpm (EPEL)  | https://dl.fedoraproject.org

Sonatype Repository Firewall does not support Docker images

The Sonatype Repository Firewall does not support blocking images downloaded through proxy repositories such as Docker Hub, or through any other container-format repository. Use the Sonatype Lifecycle solution to analyze images for open-source packages, or the Sonatype Container solution to enforce your policy in production environments.

See the Sonatype Lifecycle Docker Image analysis or Sonatype Container Security for details.