Release Integrity Best Practices
Release Integrity
Release Integrity is a collection of features in Repository Firewall that protect you from harmful new components. The features that make up Release Integrity are:
Suspicious and Malicious Protection - Our machine learning systems identify suspicious and malicious new releases. Repository Firewall blocks these dangerous releases by default.
Automatic Quarantine Release - Firewall will release components from quarantine that have no failing policy violations
Policy Compliant Component Selection - When a project allows for several versions of a dependency, your repository manager will deliver the most recent version with no failing policy violations. This keeps new versions from breaking your builds or disrupting development.
Release Integrity keeps your builds and development environments safe and reduces the amount of time you need to spend on assessing new components.
Defaults for Release Integrity
By default, Repository Firewall has the following Release Integrity features active:
Block Suspicious and Malicious New Release
Automatically release suspicious components deemed safe by the Sonatype Research team (assuming the component has no other failing violations).
Best Practices
To get the most protection from our Release Integrity features, we recommend the following best practices:
Block Unknown Components
The default Reference Policies include a policy called component-unknown. This creates violations for components not already identified by Sonatype Intelligence. Components from public repositories are usually in an Unknown Match State for less than 5 minutes. This creates a narrow window where dangerous components could enter your system. Setting the proxy stage to Fail for Unknown Components ensures Sonatype Intelligence assesses every component you download.
To set the Proxy Stage to Fail:
- Log in to Repository
- Select Orgs and Policies
- Select the Root Organization
- Select the Component-Unknown Policy
- Click Fail at the Proxy stage
- Save
To Block Unknown Components for Specific Formats
Beginning in IQ136, there is a new policy constraint condition called Format. This constraint allows you to block unknown components only in ecosystems covered by Release Integrity. Presently, these are npm, Maven, and PyPI.
- Log in to Repository
- Select Orgs and Policies
- Select the Root Organization
- Create a policy to block Unknown Components from PyPI and npm:
  - Select Create Policy
  - Add the following constraints:
    - Format is npm
    - Format is PyPI
    - Set the dropdown to "ANY of the following are true"
  - Add a violation condition if all of the following are true:
    - Match State is Unknown
    - Proprietary is False
    - Data Source has support for Identity
  - The Data Source condition limits this policy to formats where Sonatype Intelligence identifies the components in the ecosystem. This prevents unknown components from third parties not known to Sonatype Intelligence from being impacted by this policy.
- Save the policy
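The policy built in the steps above, modelled in Python as an added example. This is not Sonatype's policy engine: the Component class, its field names and the sample components are constructed here. It shows the two evaluation rules the steps rely on: the format constraint is satisfied when ANY of the listed formats matches, and a violation is raised only when ALL three conditions hold.

```python
"""Illustrative model of the Format-scoped "unknown component" policy.
Added example, not Sonatype's policy engine: the Component class, its
field names and the sample components are constructed for this illustration."""

from dataclasses import dataclass

# Constraint block, "ANY of the following are true": Format is npm / Format is PyPI.
CONSTRAINT_FORMATS = {"npm", "pypi"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    format: str               # e.g. "npm", "pypi", "maven"
    match_state: str          # "exact", "similar" or "unknown" (constructed values)
    proprietary: bool         # True when the component is flagged as proprietary
    identity_supported: bool  # data source can identify components of this format


def in_scope(c: Component) -> bool:
    """Constraint: ANY of the listed formats matches the component's format."""
    return c.format in CONSTRAINT_FORMATS


def violates(c: Component) -> bool:
    """Violation condition: ALL of these must be true."""
    return (
        c.match_state == "unknown"
        and not c.proprietary
        and c.identity_supported
    )


def evaluate(c: Component) -> str:
    """Return "violation", "pass" or "out-of-scope" for one component."""
    if not in_scope(c):
        return "out-of-scope"
    return "violation" if violates(c) else "pass"


# Constructed sample components (not real packages).
SAMPLE = {
    "npm-unknown": Component("acme-widgets", "0.0.1", "npm", "unknown", False, True),
    "pypi-internal": Component("corp-tools", "2.1.0", "pypi", "unknown", True, True),
    "maven-unknown": Component("com.example:acme-lib", "1.0", "maven", "unknown", False, True),
    "npm-known": Component("acme-utils", "4.17.0", "npm", "exact", False, True),
    "pypi-no-identity": Component("acme-mystery", "1.0", "pypi", "unknown", False, False),
}


def evaluate_all() -> dict[str, str]:
    """Evaluate every sample component and return label -> outcome."""
    return {label: evaluate(c) for label, c in SAMPLE.items()}


if __name__ == "__main__":
    for label, result in evaluate_all().items():
        print(f"{label:18} {result}")
```

Only the npm component that is unknown, non-proprietary and identifiable raises a violation; the proprietary PyPI component, the Maven component outside the format scope, and the component whose data source cannot identify it all pass through, which is exactly the narrowing the Data Source condition is meant to provide.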
Enable Automatic Release
Only available for Nexus Repository 3 Pro
Automatically releasing components from quarantine keeps your environment running smoothly and reduces the effort you need to spend managing components. We recommend allowing Automatic Release from Quarantine for the Integrity Rating and Match State policy condition types at a minimum.
To enable Automatic Release From Quarantine:
- Log in to Repository
- Select Repository Firewall from the sidebar
- Select Configure on the Auto Release from Quarantine Status card
- Integrity Rating should be enabled by default. If it is disabled, enable it.
- Enable Match State and any other policy type that suits your organization.
- Click Save Changes
Enable Policy Compliant Component Selection
Only available for npm.
Policy Compliant Component Selection delivers a policy compliant dependency when the most recent requested version would be quarantined. This minimizes any disruption from risky components. We recommend enabling this feature. Check out the documentation and best practices to learn more:
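To make the selection rule concrete, here is an added Python model of Policy Compliant Component Selection over an npm-style version range. It is not Sonatype's implementation: the range matching (exact, caret and tilde only), the sample version list and the policy results attached to each version are constructed for this illustration. It goes slightly beyond the page by contrasting what a plain resolver would pick with what policy compliant selection returns.

```python
"""Illustrative model of Policy Compliant Component Selection for npm-style
version ranges.  Added example, not Sonatype's implementation: the range
matching, the version list and its policy results are constructed here."""

from typing import Optional

Version = tuple[int, int, int]


def parse(text: str) -> Version:
    """Parse "MAJOR.MINOR.PATCH" into a tuple that compares in version order."""
    major, minor, patch = (int(part) for part in text.split("."))
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def satisfies(v: Version, spec: str) -> bool:
    """Minimal npm range semantics: "1.2.3", "^1.2.0" and "~1.2.0"."""
    if spec.startswith("^"):
        lo = parse(spec[1:])
        if lo[0] > 0:
            hi = (lo[0] + 1, 0, 0)          # ^1.2.0 -> >=1.2.0 <2.0.0
        elif lo[1] > 0:
            hi = (0, lo[1] + 1, 0)          # ^0.2.1 -> >=0.2.1 <0.3.0
        else:
            hi = (0, 0, lo[2] + 1)          # ^0.0.3 -> >=0.0.3 <0.0.4
        return lo <= v < hi
    if spec.startswith("~"):
        lo = parse(spec[1:])
        return lo <= v < (lo[0], lo[1] + 1, 0)   # ~1.2.0 -> >=1.2.0 <1.3.0
    return v == parse(spec)


# Constructed sample: version -> names of failing policies (empty = compliant).
SAMPLE_VERSIONS: dict[str, list[str]] = {
    "1.2.0": [],
    "1.3.0": [],
    "1.4.0": ["Integrity-Rating"],    # quarantined: flagged as a suspicious new release
    "2.0.0": [],
}


def newest_in_range(spec: str, versions: dict[str, list[str]]) -> Optional[str]:
    """What a plain resolver picks: the newest in-range version, policy ignored."""
    in_range = [parse(v) for v in versions if satisfies(parse(v), spec)]
    return fmt(max(in_range)) if in_range else None


def select_compliant(spec: str, versions: dict[str, list[str]]) -> Optional[str]:
    """Policy compliant selection: newest in-range version with no failing violations.
    Returns None when every in-range version is quarantined."""
    compliant = [parse(v) for v, failing in versions.items()
                 if not failing and satisfies(parse(v), spec)]
    return fmt(max(compliant)) if compliant else None


if __name__ == "__main__":
    for spec in ("^1.2.0", "~1.4.0", "^2.0.0"):
        print(spec, "plain:", newest_in_range(spec, SAMPLE_VERSIONS),
              "compliant:", select_compliant(spec, SAMPLE_VERSIONS))
```

With the constructed data, a request for `^1.2.0` would normally resolve to the quarantined 1.4.0 and fail the build; the compliant selection instead returns 1.3.0. When the range admits only quarantined versions (`~1.4.0` here) there is nothing compliant to deliver, which is the case the request still gets blocked on.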