
Block malicious code with the most powerful open source policy engine

Intercept open source malware, unsafe AI models, and non-compliant components at the network edge and inside your development pipeline.

Enterprise-wide OSS malware protection

Proactively detect and defend against open source malware across your software supply chain. Sonatype Repository Firewall is the only solution that enables you to block open source malware at the perimeter, before it enters your repository, and in your workflows.

Leveraging our powerful intelligence engine, Repository Firewall finds and blocks malware other solutions miss — including malware found in shadow downloads — to protect your infrastructure from developers downloading components outside your repository.

A diagram showing Sonatype Repository Firewall protection at the edge, in the repository, and through workflow integrations (API).

Sonatype + Zscaler

Block malicious code at the edge

The power of Sonatype Repository Firewall just got better. You can now block open source malware and other malicious code at the edge with our new integration with Zscaler ZIA.

PREVENT MALICIOUS CODE

Stop open source malware before it reaches your developers

Sonatype Repository Firewall view of all malicious components actively in quarantine.
Sonatype Repository Firewall defends your software supply chain from the start — automatically identifying and blocking malicious code, AI models, and containers before they can do harm. 

Detect and block malware at the network edge, in repositories, and across pipelines

Repository Firewall identifies and stops malicious components before they enter your SDLC no matter how they try to get in — whether a command line package request, Hugging Face model, or dependency added during a build.

Remove existing malicious code from repositories

Repository Firewall continuously scans repositories to uncover hidden or dormant threats introduced before malicious code prevention was in place, and quarantines them to restore the integrity of your artifact stores.

Identify suspicious behavior using AI analysis

Repository Firewall monitors open source packages in major public registries and uses 60+ signals to block malicious packages before download for comprehensive open source malware prevention.

Unmatched malicious code prevention

Ensure your team is working with the best available open source. Sonatype Repository Firewall stops open source risks others can’t see with the industry's most comprehensive intelligence engine, powered by years of research and real-time behavioral analysis across millions of components.

With over 800,000 malicious packages detected across npm, PyPI, Maven, and other registries, our open source malware intelligence engine leads the industry in both scale and depth.

It’s not just what we block — it’s what we know that sets us apart.

Sonatype Repository Firewall diagram showing where malicious components are quarantined prior to entering the repository.


Is there open source malware in your shadow downloads?

Shadow downloads are often inevitable — but that doesn't mean you can't be protected. Learn how to adjust your security strategy to defend against open source malware.

GOVERN OPEN SOURCE POLICIES

Manage open source risks with the leading policy engine

Sonatype Repository Firewall dashboard showing number of components identified, violations, and quarantined components.
Sonatype Repository Firewall applies malware prevention and governance at the edge, tailored to each point in the SDLC, so that malicious code never enters development.

Apply broad protection to networks and pipelines

Block known malicious components at the edge and during CI with repository integrations, giving you full open source policy enforcement including compliance, quarantine, remediation, and audit visibility.

Set Open Source Policy Based on Risk Tolerance

Decide which components and AI models are allowed into your repository based on risk factors like age, popularity, and licensing credentials.

PROTECT AGAINST THE UNKNOWN

Set open source policy to intercept suspicious components, even before they are publicly disclosed as vulnerable.

CONFIGURE AUTOMATIC COMPLIANCE

Prevent applications from moving forward with unwanted or unapproved components and AI models.

Increase security for Hugging Face AI models

Sonatype Repository Firewall applies the same advanced malware prevention and policy enforcement logic to AI models as it does to open source packages — automatically blocking unsafe Hugging Face components before they reach development.

ACCELERATE DEVOPS PIPELINES

Secure development without slowing it down

Sonatype Repository Firewall dashboard showing component data insights.

Empower developers with transparent, automated malicious code prevention that fits naturally into fast-moving pipelines and modern environments.

Block downloads without impeding productivity

With our Zscaler ZIA plugin, developers stay protected from open source risks without needing to change how they work.

Integrate security into your CI/CD workflows

Automate security checks to identify open source malware wherever you need them, using our standard API.

Eliminate remediation delays with proactive malware protection and clean inputs

By stopping issues before they enter development, teams avoid costly rework and accelerate release cycles.

“As open source vulnerabilities became increasingly problematic in recent years, particularly with Log4j, monitoring and enforcing software composition took on a greater sense of urgency. USPTO turned to Repository Firewall for the ability to block malicious packages from the start.”

Run products anywhere

Flexible deployment options let you run anywhere—without the operational hurdles. Deploy easily with world class support from our Technical Support team at no additional cost.

Cloud

Get started right away. Streamline your infrastructure and rapidly scale with cloud solutions hosted on AWS and managed by Sonatype.
Available for: Sonatype Firewall, Sonatype Lifecycle

Self-Hosted

Unlock maximum flexibility. Choose to host on your own servers or in a cloud environment of choice.
Available for: Sonatype Firewall, Sonatype Nexus Repository, Sonatype Lifecycle

Air-Gapped

Adhere to the strictest security standards for government and affiliated organizations. Sonatype offers the only software supply chain solution for air-gapped environments.
Available for: Sonatype Firewall, Sonatype Nexus Repository, Sonatype Lifecycle

Explore the Sonatype platform

Sonatype Nexus Repository: Build fast with centralized components.

Sonatype Repository Firewall: Intercept malicious open source at the door.

Sonatype Lifecycle: Reduce risk across software development.

Sonatype Lifecycle: Simplify SBOM compliance and monitoring (SBOM Manager).

Work with the tools you already use

Universal repository support

Sonatype Nexus Repository Pro
Better together: Protect your Sonatype Nexus Repository (Pro) with Firewall.

JFrog Artifactory
Using Artifactory? No problem. Sonatype Repository Firewall supports JFrog's Artifactory.

Repository Firewall language support

C, C++, Go, Gosu, Java, PHP, Python, R, Ruby, Scala, Swift, Visual Basic

Repository Firewall package support

Maven, Hugging Face, npm, PyPI, NuGet, Yum, Go, RubyGems, Conan, Cargo, Gradle, Conda

Detect open source risks others miss

Sonatype Repository Firewall offers unmatched visibility across OSS ecosystems with 800,000+ malicious open source releases detected across public registries. Reduce your risk with Sonatype's powerful open source policy engine, powered by the most comprehensive malware intelligence with real-time analysis of behavior, metadata, and install scripts.

Features
  • Comprehensive malware intelligence engine
  • Full policy enforcement at the repository (quarantine, compliance enforcement, and remediation)
  • Network-layer malware blocking via Zscaler ZIA plugin
  • Standalone API for custom workflows
  • Real-time open source policy enforcement for Docker containers
  • Malware protection and policy enforcement for Hugging Face models
  • Hosted repository protection from namespace confusion attacks
  • Suspicious component auto-quarantine
  • Automatic release from quarantine
  • Automated version replacement for dependencies
  • Detection and removal of existing malware from repositories

Frequently Asked Questions

What repositories are compatible with Sonatype Repository Firewall?

How can I enable malicious code detection and protection beyond my repository?

Does Sonatype Repository Firewall support container scanning?

Can Sonatype Repository Firewall detect and remove existing open source malware already in my repositories?

What kind of threats does Sonatype Repository Firewall's malicious code detection block?

How does Sonatype Repository Firewall differ from traditional SCA tools?