Shadow Download Best Practices

Forcing builds only to use components currently cached in your Nexus Repository will act as a fail-safe to ensure that no new components are added to your projects without prior evaluation. This can be achieved by applying policies to incoming components with Sonatype Repository Firewall.

Developers should all be required to retrieve components through your Nexus Repository instance. If it’s possible for your organization, the remote repository location should be locked to Nexus Repository for all corporate machines.

Only authorized sources, such as a centrally managed Sonatype Nexus Repository should be given access to download component libraries.

The MDM will allow organizations to ensure all company laptops use package manager configurations pointing to a Sonatype Nexus Repository. It’s also possible to use this type of software to lock configuration files or receive notifications if these settings are changed.

Create an internal process allowing development teams to request content from public repositories that is not currently available through approved means. Once approved these components can be stored in designated repositories within your repository manager.

Repository Health check will identify open-source security risks in your proxy repositories. Enabling this feature will let you monitor your components for potential security risks. Regularly checking the Repository health check can alert you to new components that bypass your normal ingress processes.

While shadow downloads bypass the Sonatype Nexus Repository, the Sonatype Firewall will act as a last line of defense as long as the build systems still go through your repositories