Artifact Firewall

Real Time Artifact Security

Stop malicious dependencies before they reach your build pipelines

Real-time Software Supply Chain Governance

What is Artifact Firewall?

Artifact Firewall is a dedicated infrastructure layer for artifact traffic control. It protects your software supply chain by controlling how dependencies move through your infrastructure.

Artifact Firewall governs every dependency request, from developers and CI/CD pipelines to Kubernetes clusters and AI environments, before the artifact is delivered.

By intercepting traffic in real time, Artifact Firewall helps you:

  • Prevent Supply Chain Attacks: Block malicious packages and dependency confusion exploits at the point of entry.

  • Enforce Intelligent Governance: Automatically hide unsafe versions by resolving "latest" to only approved releases.

  • Govern Distributed Environments: Control how dependencies move across global clusters and high-performance GPU environments.

Block Malicious or Vulnerable Dependencies

A Transparent Proxy for Dependency Governance

Security-as-Code (YAML)

Manage dependency governance using GitOps. Rulesets are declarative and can be updated globally via a Git repository without service interruption.


firewall:
  rulesets:
    - git:
        name: pypi-osv-rules
        url: https://github.com/varnish/osv-rules
        ref: main
        sub_path: rulesets/pypi/all.yaml
        interval: 1h
    - git:
        name: npm-osv-rules
        url: https://github.com/varnish/osv-rules
        ref: main
        sub_path: rulesets/npm/all.yaml
        interval: 1h

Core Enforcement Capabilities

  • Hide: Rewrites the "latest" entry in the package manifest so it points only at approved releases. Hidden versions are invisible to standard version resolution but remain downloadable when explicitly pinned, so "latest" is always safe.
  • Deny: Hard-blocks requests for specific PURLs with a 403 Access Denied response.
  • Namespace Protection: Uses glob-based selectors to ensure internal package names only resolve to trusted sources, preventing dependency confusion attacks.

Observability and Integration


Designed for SREs and Platform Teams, the firewall provides native hooks into the modern cloud-native stack.

  • Prometheus Metrics: Native export of firewall_requests_total, firewall_manifest_duration_seconds, and firewall_rules_loaded.
  • JSON Audit Logs: Machine-readable logs containing the rule_id, purl, and action for every request.
  • Webhook Notifications: Triggers an HTTP request upon successful ruleset reloads to ensure cache consistency.

Core Security Capabilities

Artifact Governance at the Edge

Artifact Firewall moves policy to the front of the line. As a transparent proxy, it governs dependencies as they are pulled.

| Traditional Scanners | Artifact Firewall |
|---|---|
| Post-facto Analysis: analyzes build output after the process is complete, creating a lag between infection and detection. | In-line Governance: governs the build process as a transparent proxy, moving policy to the front of the line. |
| Reactive Detection: identifies malicious code or vulnerabilities only after they have already been ingested. | Real-time Prevention: blocks threats in real time at the point of entry, preventing malicious dependencies from ever entering. |
| Limited Perspective: visibility is restricted to final artifacts, often missing the context of the fetch process. | Total Visibility: sees and validates every package as it is fetched, ensuring total governance over dependencies. |


Vulnerability-Aware Enforcement

Artifact Firewall evaluates every package request in real time using vulnerability intelligence from sources such as OSV, as well as internal or third-party feeds.

Requests are normalized into PURLs, enabling lookups against known vulnerabilities and enforcement based on configurable severity thresholds. Policies can deny, hide, warn, or allow packages, and are applied at request time alongside existing rulesets and manifest rewriting.

This ensures vulnerable packages are automatically excluded from manifests and blocked from builds, without disrupting developer workflows.

Example rule using a PURL and a VERS range to deny access to vulnerable log4j-core versions:

rules:
- id: "log4j"
  action: deny
  reason: "Block vulnerable Log4j versions (Log4Shell)"
  match:
  - purl: "pkg:maven/org.apache.logging.log4j/log4j-core"
    version: "vers:maven/<=2.17.0"

GET /maven2/org/apache/logging/log4j/log4j-core/2.17.0/log4j-core-2.17.0.jar # MATCH
GET /maven2/org/apache/logging/log4j/log4j-core/2.16.9/log4j-core-2.16.9.jar # MATCH

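The request-to-PURL normalization and the hide/deny actions described in the enforcement and vulnerability-aware sections above, as an added illustrative model in Python that is not Varnish Artifact Firewall code. The Maven path layout, the in-memory rule shape, the constructed npm hide rule, and the simplified VERS handling (numeric versions only, `|`-separated constraints treated as one interval) are assumptions.

```python
# Added illustrative model (not Varnish Artifact Firewall code): normalize a
# Maven request path to a PURL, evaluate VERS rules, and model deny vs hide.
import re

# First rule is copied from the page's Log4j example; the npm hide rule is constructed.
RULES = [
    {"id": "log4j", "action": "deny",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "version": "vers:maven/<=2.17.0"},
    {"id": "example-hide", "action": "hide",  # constructed sample rule
     "purl": "pkg:npm/example-lib", "version": "vers:npm/>=3.0.0"},
]

# Assumed path shape: /maven2/<group path>/<artifact>/<version>/<file>
MAVEN_PATH = re.compile(r"^/maven2/(?P<group>.+)/(?P<artifact>[^/]+)/(?P<ver>[^/]+)/[^/]+$")

def maven_path_to_purl(path):
    """Return (versionless PURL, version) for a Maven repo path, or (None, None)."""
    m = MAVEN_PATH.match(path)
    if not m:
        return None, None
    group = m.group("group").replace("/", ".")
    return f"pkg:maven/{group}/{m.group('artifact')}", m.group("ver")

def version_key(v):
    """Compare on numeric segments only (2.17.0 -> (2, 17, 0)); a simplification."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

OPS = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, ">": lambda a, b: a > b, "=": lambda a, b: a == b}

def vers_matches(spec, version):
    """Evaluate 'vers:<scheme>/<c1>|<c2>...' with the constraints ANDed into one interval."""
    for c in spec.split("/", 1)[1].split("|"):
        op = next(o for o in ("<=", ">=", "<", ">", "=") if c.startswith(o))
        if not OPS[op](version_key(version), version_key(c[len(op):])):
            return False
    return True

def evaluate(path, rules=RULES):
    """Firewall decision for one request path: ('deny'|'hide'|'allow', rule id)."""
    purl, version = maven_path_to_purl(path)
    for rule in rules:
        if purl == rule["purl"] and vers_matches(rule["version"], version):
            return rule["action"], rule["id"]
    return "allow", None

def visible_versions(purl, versions, rules=RULES):
    """Model manifest rewriting: drop hidden/denied versions so 'latest' resolves safely."""
    return [v for v in versions
            if not any(r["purl"] == purl and vers_matches(r["version"], v) for r in rules)]
```
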
OSV Rules for Varnish Artifact Firewall

Works With Existing Infrastructure

Infrastructure Control
Designed for Kubernetes and AI

Modern infrastructure distributes dependency traffic across global CI pipelines, Kubernetes clusters, and GPU-based AI training environments.

Runtime Policy Consistency

Artifact Firewall ensures consistent policy enforcement across distributed systems by evaluating artifact requests in real time at the point of pull.

Universal Compatibility
Works With Existing Tools

Artifact Firewall operates as a governance layer in front of JFrog Artifactory, Sonatype Nexus, npm, PyPI, and OCI registries without requiring infrastructure redesign.

Environment-Specific Policy

When used with Varnish Virtual Registry, apply strict policies to production pipelines while maintaining flexible access for development teams.

Supported Ecosystems

  • npm & PyPI: Full support at launch.
  • PURL Standard: Precise package identity.
  • VERS Spec: Consistent version logic.

Accelerate Runtime Governance Today

Govern dependency traffic at runtime. Prevent malicious packages from entering your pipelines without sacrificing developer velocity.
