
Shadow Download Best Practices

Nexus Repository is the system of record (SOR) for third-party software, open-source components, and built artifacts for your organization. Shadow downloads are third-party or open-source components retrieved directly from public repositories in a way that bypasses Nexus Repository. These components add risk by allowing dependencies into your build pipeline without review or visibility, which prevents your organization from centrally managing its artifacts.

To mitigate shadow downloads, consider the following recommendations.

  • Builds only retrieve components from Nexus Repository

    Forcing builds to use only components already cached in your Nexus Repository acts as a fail-safe, ensuring that no new components are added to your projects without prior evaluation. This can be achieved by applying policies to incoming components with Sonatype Repository Firewall.

  • Require all developers to use Sonatype Nexus Repository

    Developers should all be required to retrieve components through your Nexus Repository instance. If it’s possible for your organization, the remote repository location should be locked to Nexus Repository for all corporate machines.

  • Block direct downloads from the public repositories within your corporate network

    Only authorized sources, such as a centrally managed Sonatype Nexus Repository, should be given access to download component libraries.

  • Control package managers with a managed device management (MDM) solution

    An MDM solution lets organizations ensure that all company laptops use package manager configurations pointing to a Sonatype Nexus Repository. Use this type of software to lock configuration files or to receive notifications if these settings are changed.

  • New component or repository request process

    Create an internal process allowing development teams to request content from public repositories that is not currently available through approved means. Once approved, these components can be stored in designated repositories within your repository manager.

  • Enable Repository Health Check

    Repository Health Check identifies open-source security risks in your proxy repositories. Enabling this feature lets you monitor your components for potential security risks. Regularly reviewing the Repository Health Check results can alert you to new components that bypassed your normal ingress processes.

  • Enable Release Integrity and malicious component protection

    While shadow downloads bypass Sonatype Nexus Repository, Sonatype Firewall will act as a last line of defense as long as the build systems still go through your repositories.
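The "require all developers to use Nexus Repository" and MDM recommendations above both come down to verifying that per-user package manager configuration points at your Nexus instance and at nothing else. The script below is an added example of such a check (not Sonatype tooling) that an MDM or endpoint agent could run on developer machines; it assumes a placeholder Nexus host `nexus.example.internal`, the usual per-user config paths for npm, pip and Maven, and a fixed list of public registry hosts.

```shell
#!/usr/bin/env sh
# Constructed example: audit a developer home directory for package manager
# configs that bypass Nexus Repository. NEXUS_HOST is a placeholder.
NEXUS_HOST="${NEXUS_HOST:-nexus.example.internal}"

# Public registries a corporate machine should never talk to directly
# (assumed list; extend with the ecosystems you use).
PUBLIC_HOSTS='registry.npmjs.org|pypi.org|files.pythonhosted.org|repo.maven.apache.org|repo1.maven.org'

# check_config FILE
# Prints one finding per line. Returns 0 when the file points only at Nexus,
# 1 when it is missing (the tool falls back to its public default), names a
# public registry, or never mentions the Nexus host at all.
check_config() {
    file="$1"
    status=0
    if [ ! -f "$file" ]; then
        echo "MISSING $file (package manager will fall back to its public default)"
        return 1
    fi
    if grep -Eq "$PUBLIC_HOSTS" "$file"; then
        echo "DIRECT  $file references a public registry:"
        grep -En "$PUBLIC_HOSTS" "$file" | sed 's/^/        /'
        status=1
    fi
    if ! grep -q "$NEXUS_HOST" "$file"; then
        echo "NONEXUS $file does not reference $NEXUS_HOST"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK      $file"
    return "$status"
}

# audit_home DIR
# Checks the well-known per-user config files (assumed paths) under DIR and
# returns the number of files needing attention, so a non-zero exit status
# can drive an MDM alert when a setting has drifted.
audit_home() {
    home="$1"
    failures=0
    for f in "$home/.npmrc" "$home/.pip/pip.conf" "$home/.m2/settings.xml"; do
        check_config "$f" || failures=$((failures + 1))
    done
    echo "$failures file(s) need attention"
    return "$failures"
}
```

Run it as `audit_home "$HOME"` from the MDM agent; lock the same files read-only once they are correct so a drifted setting shows up as a DIRECT or NONEXUS finding rather than a silent fallback to the public registry.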