
Block malicious code with the most powerful open source policy engine
Enterprise-wide OSS malware protection
Proactively detect and defend against open source malware across your software supply chain. Sonatype Repository Firewall is the only solution that enables you to block open source malware at the perimeter, before it enters your repository, and in your workflows.
Leveraging our powerful intelligence engine, Repository Firewall finds and blocks malware other solutions miss — including malware found in shadow downloads to protect your infrastructure from developers downloading components outside your repository.

Block malicious code at the edge
The power of Sonatype Repository Firewall just got better. You can now block open source malware and other malicious code at the edge with our new integration with Zscaler ZIA.
PREVENT MALICIOUS CODE
Stop open source malware before it reaches your developers

Detect and block malware at the network edge, in repositories, and across pipelines
Repository Firewall identifies and stops malicious components before they enter your SDLC, no matter how they try to get in: a command line package request, a Hugging Face model, or a dependency added during a build.
Remove existing malicious code from repositories
Identify suspicious behavior using AI analysis
Unmatched malicious code prevention
Ensure your team is working with the best available open source. Sonatype Repository Firewall stops open source risks others can’t see with the industry's most comprehensive intelligence engine, powered by years of research and real-time behavioral analysis across millions of components.
With over 800,000 malicious packages detected across npm, PyPI, Maven, and other registries, our open source malware intelligence engine leads the industry in both scale and depth.
It’s not just what we block — it’s what we know that sets us apart.

Is there open source malware in your shadow downloads?
Shadow downloads are often inevitable — but that doesn't mean you can't be protected. Learn how to adjust your security strategy to defend against open source malware.
GOVERN OPEN SOURCE POLICIES
Manage open source risks with the leading policy engine

Apply broad protection to networks and pipelines
Block known malicious components at the edge and during CI with repository integrations for full open source policy enforcement including compliance, quarantine, remediation, and audit visibility.
Set open source policy based on risk tolerance
Decide which components and AI models are allowed into your repository based on risk factors like age, popularity, and licensing credentials.
PROTECT AGAINST THE UNKNOWN
Set open source policy to intercept suspicious components, even before they are publicly disclosed as vulnerable.
CONFIGURE AUTOMATIC COMPLIANCE
Prevent applications from moving forward with unwanted or unapproved components and AI models.
Increase security for Hugging Face AI models
Sonatype Repository Firewall applies the same advanced malware prevention and policy enforcement logic to AI models as it does to open source packages — automatically blocking unsafe Hugging Face components before they reach development.
ACCELERATE DEVOPS PIPELINES
Secure development without slowing it down

Empower developers with transparent, automated malicious code prevention that fits naturally into fast-moving pipelines and modern environments.
Block downloads without impeding productivity
With our Zscaler ZIA plugin, developers stay protected from open source risks without needing to change how they work.
Integrate security into your CI/CD workflows
Automate security checks where you need them to identify open source malware using our standard API.
Eliminate remediation delays with proactive malware protection and clean inputs
By stopping issues before they enter development, teams avoid costly rework and accelerate release cycles.
“As open source vulnerabilities became increasingly problematic in recent years, particularly with Log4j, monitoring and enforcing software composition took on a greater sense of urgency. USPTO turned to Repository Firewall for the ability to block malicious packages from the start.”
Run products anywhere
- Cloud
- Self-Hosted
- Air-Gapped
Work with the tools you already use
Universal repository support

Sonatype Nexus Repository Pro
Better together: Protect your Sonatype Nexus Repository (Pro) with Firewall.
JFrog Artifactory
Using Artifactory? No problem. Sonatype Repository Firewall supports JFrog’s Artifactory.
Repository Firewall language support
Repository Firewall package support
Detect open source risks others miss
Sonatype Repository Firewall offers unmatched visibility across OSS ecosystems with 800,000+ malicious open source releases detected across public registries. Reduce your risk with Sonatype’s powerful open source policy engine powered by the most comprehensive malware intelligence with real-time analysis of behavior, metadata, and install scripts.
Features
- Comprehensive malware intelligence engine
- Full policy enforcement at the repository (quarantine, compliance enforcement, and remediation)
- Network-layer malware blocking via Zscaler ZIA plugin
- Standalone API for custom workflows
- Real-time open source policy enforcement for Docker containers
- Malware protection and policy enforcement for Hugging Face models
- Hosted repository protection from namespace confusion attacks
- Suspicious component auto-quarantine
- Automatic release from quarantine
- Automated version replacement for dependencies
- Detection and removal of existing malware from repositories
Related Resources
From reactive to proactive: tracing the time and effort saved by blocking malicious components early
Frequently Asked Questions
What repositories are compatible with Sonatype Repository Firewall?
Sonatype Repository Firewall offers repository security with full support for both Sonatype Nexus Repository and JFrog Artifactory.
How can I enable malicious code detection and protection beyond my repository?
Does Sonatype Repository Firewall support container scanning?
Can Sonatype Repository Firewall detect and remove existing open source malware already in my repositories?
What kind of threats does Sonatype Repository Firewall's malicious code detection block?
How does Sonatype Repository Firewall differ from traditional SCA tools?