Release Integrity Best Practices

Release Integrity

Release Integrity is a collection of features in Repository Firewall that protect you from harmful new components. The features that make up Release Integrity are:

  • Suspicious and Malicious Protection - Our machine learning systems identify suspicious and malicious new releases. Repository Firewall blocks these dangerous releases by default.

  • Automatic Quarantine Release - Firewall releases components from quarantine once they have no failing policy violations.

  • Policy Compliant Component Selection - When a project allows for several versions of a dependency, your repository manager will deliver the most recent version with no failing policy violations. This keeps new versions from breaking your builds or disrupting development.

Release Integrity keeps your builds and development environments safe and reduces the amount of time you need to spend on assessing new components.

Defaults for Release Integrity

Repository Firewall has the following Release Integrity features active by default:

  • Block Suspicious and Malicious New Release

  • Automatically release suspicious components deemed safe by the Sonatype Research team (provided the component has no other failing violations).

[Screenshot: Integrity Rating Policy default settings]

[Screenshot: Automatic Quarantine Release default settings]

Best Practices

To get the most protection from our Release Integrity features, we recommend the following best practices:

Block Unknown Components

The default Reference Policies include a policy called component-unknown. This policy creates violations for components not already identified by Sonatype Intelligence. Components from public repositories are usually in an Unknown Match State for less than 5 minutes. That creates a narrow window in which a dangerous component could enter your system before it has been assessed. Setting the proxy stage to Fail for Unknown Components ensures Sonatype Intelligence assesses every component you download before it is delivered.

To set the Proxy Stage to Fail:

  1. Log in to Repository
  2. Select Orgs and Policies
  3. Select the Root Organization
  4. Select the Component-Unknown Policy
     [Screenshot: Component-Unknown policy set to Fail at the proxy stage]
  5. Click Fail at the Proxy stage
  6. Save

To Block Unknown Components for Specific Formats

Beginning in IQ Server release 136, there is a new policy constraint condition called Format. This constraint lets you block unknown components only in the ecosystems covered by Release Integrity; presently these are npm, Maven, and PyPI.

  1. Log in to Repository
  2. Select Orgs and Policies
  3. Select the Root Organization
  4. Create a policy to block Unknown Components from PyPI and npm
     [Screenshot: correctly configured format-specific unknown-component blocking policy]
    1. Select Create Policy
    2. Add the following constraints:
      • Format is npm
      • Format is PyPI
      • Set the constraint dropdown to "ANY of the following are true"
    3. Add the violation conditions with the dropdown set to "ALL of the following are true":
      • Match State is Unknown
      • Proprietary is False
      • Data Source has support for Identity
        • This condition limits the policy to formats in which Sonatype Intelligence identifies components, so unknown components from third-party sources not known to Sonatype Intelligence are not affected by this policy.
  5. Save policy
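The following model encodes the policy configured in the steps above (and the plain Block Unknown Components rule it refines) so that you can see which requests the Fail action at the proxy stage would stop. It is an added example, not Sonatype code: the Component record, the helper names, the lower-case format tokens and the sample components are assumptions made for illustration. The rule it applies is the one the page describes: the component's format is ANY of the policy's formats, and ALL of match state Unknown, Proprietary False and data source supports Identity hold.

```python
"""Model of the format-specific unknown-component policy (added example, not Sonatype code).

Assumptions: a Component record with the attributes the conditions inspect, lower-case
format tokens, and the sample requests at the bottom. The rule encoded is the page's:
format is ANY of the policy's formats AND ALL of (match state unknown, not proprietary,
data source supports identity). A violation fails the proxy stage, which blocks the download.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet


@dataclass(frozen=True)
class Component:
    format: str               # ecosystem the request came from: "npm", "pypi", "maven", "nuget", ...
    name: str
    version: str
    match_state: str          # "exact", "similar" or "unknown"
    proprietary: bool         # matched an organisation proprietary-component rule
    identity_supported: bool  # Sonatype Intelligence identifies components from this data source


# Formats the page's policy covers (assumed spelled as lower-case tokens).
POLICY_FORMATS: FrozenSet[str] = frozenset({"npm", "pypi"})


def format_constraint_matches(component: Component, formats: FrozenSet[str]) -> bool:
    """Constraint group with 'ANY of the following are true': one Format condition must match."""
    return any(component.format == fmt for fmt in formats)


def unknown_conditions_hold(component: Component) -> bool:
    """Violation conditions with 'ALL of the following are true'."""
    return (
        component.match_state == "unknown"
        and component.proprietary is False
        and component.identity_supported
    )


def policy_violated(component: Component, formats: FrozenSet[str] = POLICY_FORMATS) -> bool:
    return format_constraint_matches(component, formats) and unknown_conditions_hold(component)


def proxy_decision(component: Component, formats: FrozenSet[str] = POLICY_FORMATS) -> str:
    """Outcome at the proxy stage when the policy's action there is Fail."""
    return "block" if policy_violated(component, formats) else "allow"


def after_identification(component: Component) -> Component:
    """The same component once Sonatype Intelligence has identified it: the window has closed."""
    return replace(component, match_state="exact")


# Constructed sample requests (format, name, version, match_state, proprietary, identity_supported).
NEW_NPM_RELEASE = Component("npm", "example-pkg", "9.9.9", "unknown", False, True)
INTERNAL_NPM = Component("npm", "@acme/internal-utils", "1.0.0", "unknown", True, True)
NEW_NUGET_RELEASE = Component("nuget", "Example.Lib", "3.0.0", "unknown", False, True)
MIRRORED_PYPI = Component("pypi", "vendor-sdk", "2.1.0", "unknown", False, False)

if __name__ == "__main__":
    for c in (NEW_NPM_RELEASE, after_identification(NEW_NPM_RELEASE), INTERNAL_NPM,
              NEW_NUGET_RELEASE, MIRRORED_PYPI):
        print(f"{c.format:6} {c.name:22} {c.version:6} match={c.match_state:8} -> {proxy_decision(c)}")
```

Running the block shows the brand-new npm release blocked while it is still Unknown and allowed once identified, the proprietary scoped package and the PyPI package from a source without identity support left alone, and the NuGet request untouched because its format is outside the policy; passing a wider format set to `proxy_decision` extends the policy in the same way adding a Format condition would.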

Enable Automatic Release

Only available for Nexus Repository 3 Pro

Automatically releasing components from quarantine keeps your environment running smoothly and reduces the effort you spend managing components. We recommend allowing Automatic Release from Quarantine for the Integrity Rating and Match State policy condition types at a minimum.

To enable Automatic Release From Quarantine:

  1. Log in to Repository
  2. Select Repository Firewall from the sidebar
  3. Select Configure on the Auto Release from Quarantine Status card
  4. Integrity Rating should be enabled by default. If it is disabled, enable it.
  5. Enable Match State and any other policy type that suits your organization.
  6. Click Save Changes
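To see why the page recommends enabling Match State as well as the default Integrity Rating, the model below plays through what happens to a quarantined component after a re-evaluation clears the violation that put it there. This is an added example, not Sonatype's implementation: the Violation record, the status names and the scenarios are constructed, and the model assumes that a cleared violation whose condition type is not enabled for auto release leaves the component waiting for a manual release.

```python
"""Model of Auto Release from Quarantine (added example, not Sonatype's implementation).

Assumptions: a quarantined component carries the failing violations that put it there,
each tagged with its policy condition type and a flag saying whether a later re-evaluation
cleared it (for Integrity Rating, the Sonatype Research team deeming the release safe).
Rule encoded: the component is released automatically only when no failing violation
remains and every cleared violation belongs to an enabled condition type; a cleared
violation of a type that is not enabled is assumed to wait for a manual release.
"""
from dataclasses import dataclass
from typing import FrozenSet, Sequence


@dataclass(frozen=True)
class Violation:
    condition_type: str   # "Integrity Rating", "Match State", "Security Vulnerability", ...
    cleared: bool         # a re-evaluation no longer raises this violation


# Default setting and the setting the page recommends as a minimum.
DEFAULT_AUTO_RELEASE: FrozenSet[str] = frozenset({"Integrity Rating"})
RECOMMENDED_AUTO_RELEASE: FrozenSet[str] = frozenset({"Integrity Rating", "Match State"})


def quarantine_status(violations: Sequence[Violation], enabled: FrozenSet[str]) -> str:
    """'quarantined' while any violation still fails; 'released' when every cleared violation
    is of an enabled type; 'manual' when cleared but not eligible for automatic release."""
    if any(not v.cleared for v in violations):
        return "quarantined"
    if all(v.condition_type in enabled for v in violations):
        return "released"
    return "manual"


# Constructed scenarios.
SUSPICIOUS_THEN_SAFE = (Violation("Integrity Rating", True),)
UNKNOWN_THEN_IDENTIFIED = (Violation("Match State", True),)
SAFE_BUT_VULNERABLE = (Violation("Integrity Rating", True),
                       Violation("Security Vulnerability", False))

if __name__ == "__main__":
    scenarios = (("suspicious release later deemed safe", SUSPICIOUS_THEN_SAFE),
                 ("unknown component later identified", UNKNOWN_THEN_IDENTIFIED),
                 ("deemed safe but has a failing security violation", SAFE_BUT_VULNERABLE))
    for label, violations in scenarios:
        print(f"{label}: default={quarantine_status(violations, DEFAULT_AUTO_RELEASE)} "
              f"recommended={quarantine_status(violations, RECOMMENDED_AUTO_RELEASE)}")
```

With only the default enabled, a component quarantined by the component-unknown policy stays in quarantine after Sonatype Intelligence identifies it until someone releases it by hand; enabling Match State turns that into an automatic release, while a component with any other failing violation remains quarantined under both settings.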

Enable Policy Compliant Component Selection

Only available for npm.

Policy Compliant Component Selection delivers a policy compliant version of a dependency when the most recent version satisfying the request would be quarantined. This minimizes disruption from risky components. We recommend enabling this feature. Check out the documentation and best practices to learn more:
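The selection rule described above, worked through on a constructed npm package, as an added example that is not Sonatype's implementation. It assumes an npm range of the caret (^), tilde (~) or exact kind, a table of published versions with the firewall's per-version policy results, and that only a violation whose action is "fail" makes a version non-compliant (a "warn" does not); the policy names in the sample data are constructed.

```python
"""Model of Policy Compliant Component Selection for npm (added example, not Sonatype's
implementation). Assumed: an npm range of the caret (^), tilde (~) or exact kind; a table
of published versions with the firewall's per-version policy results, where only a
violation whose action is "fail" makes a version non-compliant (a "warn" does not).
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Violation = Dict[str, str]   # {"policy": ..., "action": "fail" | "warn"}


def parse_version(text: str) -> Version:
    major, minor, patch = (int(part) for part in text.split("."))
    return (major, minor, patch)


def in_range(version: str, spec: str) -> bool:
    """True when `version` satisfies the npm range `spec` (^, ~ or an exact version)."""
    v = parse_version(version)
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        # ^ keeps the leftmost non-zero part fixed: ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
        if base[0] > 0:
            upper = (base[0] + 1, 0, 0)
        elif base[1] > 0:
            upper = (0, base[1] + 1, 0)
        else:
            upper = (0, 0, base[2] + 1)
        return base <= v < upper
    if spec.startswith("~"):
        base = parse_version(spec[1:])
        upper = (base[0], base[1] + 1, 0)   # ~1.2.3 allows >=1.2.3 and <1.3.0
        return base <= v < upper
    return v == parse_version(spec)


def has_failing_violation(violations: List[Violation]) -> bool:
    return any(v["action"] == "fail" for v in violations)


def newest_in_range(spec: str, evaluations: Dict[str, List[Violation]]) -> Optional[str]:
    """What plain npm resolution picks: the newest published version in range, compliant or not."""
    candidates = sorted((v for v in evaluations if in_range(v, spec)), key=parse_version)
    return candidates[-1] if candidates else None


def select_compliant(spec: str, evaluations: Dict[str, List[Violation]]) -> Optional[str]:
    """Policy Compliant Component Selection: the newest in-range version with no failing
    violation, or None when every in-range version would be quarantined."""
    for version in sorted(evaluations, key=parse_version, reverse=True):
        if in_range(version, spec) and not has_failing_violation(evaluations[version]):
            return version
    return None


# Constructed sample: the firewall's evaluation of each published version of one package.
SAMPLE_EVALUATIONS: Dict[str, List[Violation]] = {
    "1.2.0": [],
    "1.3.0": [{"policy": "Security-Medium", "action": "warn"}],   # warn only: still compliant
    "1.4.0": [{"policy": "Integrity-Rating", "action": "fail"}],  # suspicious new release: quarantined
    "2.0.0": [],
}

if __name__ == "__main__":
    for spec in ("^1.2.0", "~1.4.0", "^2.0.0"):
        print(f"{spec:8} npm would pick {newest_in_range(spec, SAMPLE_EVALUATIONS)!s:6} "
              f"firewall delivers {select_compliant(spec, SAMPLE_EVALUATIONS)}")
```

For `^1.2.0` plain resolution would fetch 1.4.0, the quarantined release, and the build would break; the selection rule hands back 1.3.0 instead, whose only violation is a warning. For `~1.4.0` nothing compliant is in range, so the result is `None` and the request is still quarantined rather than silently downgraded outside the requested range.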