REFERENCE INFORMATION

Varnish Artifact Firewall

Artifact traffic control, providing runtime enforcement of security policies by rewriting registry manifests and evaluating artifact requests in-flight.

Introducing Artifact Firewall

Artifact Firewall sits between your build systems and your registries (npm, PyPI, Artifactory) to intercept and sanitize traffic before it enters your environment.

  • Block malicious packages before they reach build pipelines
  • Prevent dependency confusion attacks
  • Automatically hide unsafe dependency versions
  • Control artifact traffic across distributed environments

Security-as-Code (YAML)

Manage dependency governance using GitOps. Rulesets are declarative and can be updated globally via Git repositories without service interruption.

  # Example Production Policy
  id: prod-cve-shield
  rules:
    - id: block-known-malware
      priority: 5000
      action: deny
      match:
        - purl: pkg:npm/malicious-pkg@>=2.0.0
    - id: force-modern-baseline
      action: hide
      match:
        - type: npm
          name: "internal-lib"
          version: "vers:npm/<1.5.0"  # Prevents "latest" from resolving to legacy versions

Core Enforcement Capabilities:

  • Hide: Rewrites the latest version recorded in the manifest. Hidden versions are invisible to standard resolution but remain downloadable if explicitly pinned, so "latest" always resolves to a safe version.
  • Deny: Hard-blocks requests with a 403 Access Denied for specific PURLs.
  • Namespace Protection: Uses glob-based selectors to prevent dependency confusion attacks by ensuring internal names only resolve to trusted sources.
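The policy above and the hide/deny semantics, worked through as an added example (not Varnish code): a toy evaluator that mirrors the YAML ruleset as a Python dict, checks a pinned request in-flight, and rewrites a constructed npm packument so hidden versions disappear and "latest" is re-pointed. The single-comparison reading of "vers:" ranges, the default priority of 0, and dropping denied versions from the manifest are assumptions.

```python
# Added example, not Artifact Firewall code. Assumptions: "vers:" ranges reduced
# to one comparison, missing priority = 0, denied versions also leave the manifest.
import re

POLICY = {"id": "prod-cve-shield", "rules": [  # mirrors the YAML policy above
    {"id": "block-known-malware", "priority": 5000, "action": "deny",
     "match": [{"purl": "pkg:npm/malicious-pkg@>=2.0.0"}]},
    {"id": "force-modern-baseline", "action": "hide",
     "match": [{"type": "npm", "name": "internal-lib", "version": "vers:npm/<1.5.0"}]},
]}
PACKUMENT = {"name": "internal-lib", "dist-tags": {"latest": "1.4.2"},  # constructed
             "versions": {"1.4.2": {}, "1.5.0": {}, "1.6.0": {}}}

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def semver(v):
    return tuple(int(x) for x in v.split("."))

def in_range(version, spec):
    # Accepts ">=2.0.0" (purl suffix) or "vers:npm/<1.5.0" (vers: notation).
    m = re.fullmatch(r"(?:vers:\w+/)?(>=|<=|>|<|=)?(\d+\.\d+\.\d+)", spec)
    return OPS[m.group(1) or "="](semver(version), semver(m.group(2)))

def selector_matches(sel, ptype, name, version):
    if "purl" in sel:  # pkg:<type>/<name>[@<version-spec>]
        t, n, spec = re.fullmatch(r"pkg:([^/]+)/([^@]+)(?:@(.+))?", sel["purl"]).groups()
    else:
        t, n, spec = sel["type"], sel["name"], sel.get("version")
    return (t, n) == (ptype, name) and (spec is None or in_range(version, spec))

def decide(policy, ptype, name, version):
    """Highest-priority matching rule wins; returns (action, rule_id) or ('allow', None)."""
    for rule in sorted(policy["rules"], key=lambda r: -r.get("priority", 0)):
        if any(selector_matches(s, ptype, name, version) for s in rule["match"]):
            return rule["action"], rule["id"]
    return "allow", None

def request_status(policy, ptype, name, version):
    # In-flight check of an explicitly pinned download: only "deny" yields 403.
    return 403 if decide(policy, ptype, name, version)[0] == "deny" else 200

def rewrite_manifest(policy, ptype, manifest):
    """Drop hidden/denied versions and re-point dist-tags.latest to the newest survivor."""
    name = manifest["name"]
    keep = {v: meta for v, meta in manifest["versions"].items()
            if decide(policy, ptype, name, v)[0] == "allow"}
    latest = max(keep, key=semver) if keep else None
    return {"name": name, "versions": keep, "dist-tags": {"latest": latest}}
```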

Observability & Integration

Designed for SREs and Platform Teams, the firewall provides native hooks into the modern cloud-native stack:

  • Prometheus Metrics: Native export of firewall_requests_total, firewall_manifest_duration_seconds, and firewall_rules_loaded.
  • JSON Audit Logs: Machine-readable logs containing the rule_id, purl, and action for every request.
  • Webhook Notifications: Triggers an HTTP request upon successful ruleset reloads to ensure cache consistency.

Artifact Firewall Core Security Capabilities

Artifact Firewall enforces security policies at the moment dependencies are requested, preventing unsafe packages from entering build pipelines.

Time-Gated Release Protection

New package versions can be quarantined for a configurable period before becoming the default “latest,” reducing exposure to newly introduced vulnerabilities.

Intelligent Manifest Rewriting

Package manifests are inspected and modified in real time to guide package managers toward safe versions without breaking developer workflows.

Universal Policy Framework (PURL)

Policies use the industry-standard Package URL (PURL) format to match packages consistently across ecosystems such as npm, PyPI, Maven, and others.

Granular Version Blocking

Block vulnerable version ranges using semantic version rules, preventing known unsafe packages from entering builds.

Namespace Protection

Prevents dependency confusion attacks by ensuring internal package namespaces resolve only to trusted sources.

Automated Vulnerability Updates (OSV)

Rules can automatically incorporate vulnerability data from the OSV database, keeping protection continuously up to date.

GitOps Policy Management

Security policies are managed declaratively through Git repositories and can be applied selectively to different virtual registries.

Full Audit Trail

Every package request generates structured logs for traceability, compliance, and incident response.

Client Cache Control

Custom cache headers prevent developers from using outdated or insecure locally cached artifacts.


Last updated 22 April 2026