
Stop Attacks Before They Enter

Bytesafe Dependency Firewall blocks vulnerable and malicious packages before they reach your developers, CI/CD pipelines and AI agents.

EU-based company | EU-hosted infrastructure | EU data sovereignty
Demo dashboard (demo.bytesafe.dev / Firewall): 47 blocked today, 1,284 requests today, 12 active rules.

Package              Rule         Status
malicious-pkg@2.1.0  Malware      BLOCKED
lodash@4.17.20       CVSS ≥ 7.0   BLOCKED
react@19.1.1         Allowlist    APPROVED
new-release@0.0.1    Age < 7d     DELAYED

Supported ecosystems

npm Maven PyPI NuGet Go

What is a Dependency Firewall?

Every package install is a potential entry point. Traditional SCA tools find problems after packages are already in your environment. Bytesafe Dependency Firewall intercepts every request before it reaches your developers, CI/CD pipelines or AI agents.

You define the rules: block packages with known CVEs, block known malicious packages or delay newly published versions for a configurable period to give the ecosystem time to surface zero-day threats before they reach you.

Works in front of enterprise repositories like JFrog Artifactory, Sonatype Nexus and similar. No agent installs. No workflow changes.
Diagram: package requests for public registries (npm, Maven, PyPI, NuGet) and your own repositories (Artifactory, Nexus, GitLab) pass through the Bytesafe Firewall policy engine; vulnerable packages are stopped there, and only vetted, compliant packages reach developers and CI/CD on the internal network.

Everything included. No add-ons. No usage fees.

Key Capabilities

Policy Engine

Rules by package name, version range, age, source, license, and custom criteria. Block or log-only, with time-limited exceptions. Re-evaluated on every request.

Vulnerability Blocking

Block packages with known CVEs before install. Filter by CVSS severity or EPSS exploitation probability, per registry or team. New advisories take effect immediately.

Malware Scanning

Detect malicious payloads, suspicious install hooks, and obfuscated code before execution. Quarantined packages are logged, never silently dropped.

Provenance Verification

Verify packages were built by expected publishers using Sigstore and SLSA attestations. Detect pipeline swaps and version downgrades early.

Dependency Confusion

Block namespace attacks where public packages impersonate your internal ones. Configurable upstream priority rules ensure private packages always win.
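The upstream-priority rule described above, shown as an added example that is not Bytesafe's code. It contrasts a naive resolver, which merges every upstream and takes the highest version (the behaviour an attacker relies on), with a resolver that decides on upstream priority before ever comparing versions. The package indexes, the `@acme/` namespace and the package names are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample indexes (name -> available versions). The public entries
# for acme-billing-utils and @acme/auth play the attacker's look-alike uploads.
PRIVATE_INDEX: Dict[str, List[str]] = {
    "acme-billing-utils": ["1.3.0", "1.4.0"],
    "@acme/auth": ["2.0.1"],
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "acme-billing-utils": ["99.0.0"],
    "@acme/auth": ["9.9.9"],
    "lodash": ["4.17.20", "4.17.21"],
}
# Namespaces reserved for internal code; an assumption made for this example.
INTERNAL_NAMESPACES: Tuple[str, ...] = ("@acme/",)

Resolution = Tuple[Optional[str], Optional[str]]  # (upstream, version)


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def latest(versions: List[str]) -> str:
    return max(versions, key=parse_version)


def resolve_naive(name: str, private=PRIVATE_INDEX, public=PUBLIC_INDEX) -> Resolution:
    """Vulnerable: merge all upstreams and take the highest version, which is how
    a client configured with several equal-priority indexes behaves."""
    candidates = private.get(name, []) + public.get(name, [])
    if not candidates:
        return (None, None)
    best = latest(candidates)
    return ("private" if best in private.get(name, []) else "public", best)


def resolve_with_priority(name: str, private=PRIVATE_INDEX, public=PUBLIC_INDEX) -> Resolution:
    """Hardened: upstream priority decides before any version comparison."""
    if name in private:                       # 1. a private name is pinned to the private upstream
        return ("private", latest(private[name]))
    if name.startswith(INTERNAL_NAMESPACES):  # 2. reserved namespace with no private match: refuse
        return ("blocked", None)
    if name in public:                        # 3. a genuine public dependency
        return ("public", latest(public[name]))
    return (None, None)


if __name__ == "__main__":
    for name in ("acme-billing-utils", "@acme/auth", "@acme/missing", "lodash"):
        print(f"{name:20} naive={resolve_naive(name)}  priority={resolve_with_priority(name)}")
```

The naive resolver is not hypothetical: pip, for instance, treats `--extra-index-url` indexes as equals of the primary index and picks the highest version across all of them, which is exactly why a public `acme-billing-utils@99.0.0` wins. Rule 2 matters as much as rule 1: an internal name that has been renamed or deleted must not silently fall through to the public registry.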

Package Observations

Every package is fingerprinted: first-seen date, download frequency, requester, version age. New or unusual patterns are flagged automatically.

Audit Logging

Every block, allow, and exception is recorded and exportable to your SIEM. Built to make security teams and auditors happy, out of the box.

Dashboard & Metrics

Real-time security posture across all registries. See what's blocked and why, which teams trigger the most flags, and how exposure trends over time.

Publish Scanning

Packages are scanned for malware, secrets and sensitive data before they are published to an upstream registry.

Firewall Rules

Define exactly what gets through and what doesn't

Each rule targets an ecosystem and applies a condition: vulnerability severity, package age, license type or name pattern. Rules either block or log. Stack multiple rules per firewall. Changes take effect immediately.


Live Firewall Logs

See what's happening per firewall and per user, in real time

Every blocked package is logged: package name, version, status, ecosystem, which firewall evaluated it, which rule triggered, and who requested it. Filter by firewall or user. Tail live during incidents or CI/CD runs.


Block Reason Details

Know exactly why every package was blocked

Every blocked package shows full context: ecosystem, version, publish date, the rule that triggered, and whether the effect is block, log, or both. No guesswork for developers or security teams.


Security Dashboard

Track your security posture across all firewalls

Monitor rules triggered, exceptions granted, and package requests over time. See which firewalls are most active, spot trends, and verify your policies are working as expected.


Transparent protection in three steps

How It Works

A security layer between the public internet and your package repository. Your developers and pipelines notice nothing.

Step 01

Route package requests through Bytesafe

Instead of pulling public packages directly without oversight, point your CI/CD pipelines and developer tooling at Bytesafe. Every package request passes through the firewall before reaching your environment.

Step 02

Define your security policies

Set vulnerability thresholds, enable malware scanning, configure safety delays for new versions, and write allowlist/blocklist rules. Create multiple firewalls with individual rules to comply with different requirements across your organization.

Step 03

Bad packages are blocked. Safe ones flow through.

Every request is evaluated in real time. Blocked packages are logged together with the policy that triggered. Approved packages are served transparently.
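The three steps above, together with the Policy Engine, Firewall Rules and Live Firewall Logs sections, describe one evaluation loop: every request is checked against stacked rules, each rule either blocks or only logs, time-limited exceptions can override a block, and every decision lands in a filterable log. The following is an added, self-contained model of that loop written for this page; it is not Bytesafe's implementation or rule schema. The rule names mirror the demo dashboard, the package metadata, CVSS values, malware list, requesters and timestamps are constructed, and the dataclasses and field names are our own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample data standing in for the ecosystem malware data sets the
# page mentions; keyed "ecosystem:name".
KNOWN_MALWARE: Set[str] = {"npm:malicious-pkg"}


@dataclass
class Package:
    ecosystem: str
    name: str
    version: str
    published: datetime
    cvss: float = 0.0  # highest CVSS among known advisories (sample value)

    @property
    def key(self) -> str:
        return f"{self.name}@{self.version}"


@dataclass
class Rule:
    name: str
    ecosystem: str
    matches: Callable[[Package, datetime], bool]
    effect: str = "block"    # "block" stops the download; "log" only records the hit
    status: str = "BLOCKED"  # status reported when a blocking rule fires


@dataclass
class Firewall:
    name: str
    rules: List[Rule]
    allowlist: Set[str] = field(default_factory=set)               # "name@version"
    exceptions: Dict[str, datetime] = field(default_factory=dict)  # "name@version" -> expiry
    log: List[dict] = field(default_factory=list)

    def evaluate(self, pkg: Package, requester: str, now: datetime) -> dict:
        """Evaluate every rule afresh for this request and record the decision."""
        entry = {"firewall": self.name, "package": pkg.key, "ecosystem": pkg.ecosystem,
                 "requester": requester, "at": now.isoformat(),
                 "rule": None, "effect": None, "status": "APPROVED"}
        if pkg.key in self.allowlist:
            entry["rule"] = "Allowlist"
        else:
            expiry = self.exceptions.get(pkg.key)
            exception_active = expiry is not None and expiry > now  # a lapsed exception does not count
            for rule in self.rules:
                if rule.ecosystem != pkg.ecosystem or not rule.matches(pkg, now):
                    continue
                if rule.effect == "block" and not exception_active:
                    entry.update(rule=rule.name, effect="block", status=rule.status)
                    break
                if entry["rule"] is None:  # first non-blocking hit stays visible in the log
                    entry.update(rule=rule.name,
                                 effect="exception" if rule.effect == "block" else "log")
        self.log.append(entry)
        return entry

    def tail(self, requester: Optional[str] = None, status: Optional[str] = None) -> List[dict]:
        """Filter the decision log, as you would during an incident or a CI run."""
        return [e for e in self.log
                if (requester is None or e["requester"] == requester)
                and (status is None or e["status"] == status)]


def build_rules() -> List[Rule]:
    """Rule set mirroring the demo dashboard; the log-only rule is our addition."""
    return [
        Rule("0.x prerelease", "npm", lambda p, now: p.version.startswith("0."), effect="log"),
        Rule("Malware", "npm", lambda p, now: f"{p.ecosystem}:{p.name}" in KNOWN_MALWARE),
        Rule("CVSS >= 7.0", "npm", lambda p, now: p.cvss >= 7.0),
        Rule("Age < 7d", "npm", lambda p, now: now - p.published < timedelta(days=7),
             status="DELAYED"),
    ]


def demo(now: datetime = datetime(2025, 6, 15, tzinfo=timezone.utc)) -> Tuple[Firewall, Dict[str, dict]]:
    fw = Firewall("demo", build_rules(), allowlist={"react@19.1.1"},
                  exceptions={"lodash@4.17.20": now + timedelta(days=1)})  # one-day exception
    samples = [  # constructed package metadata
        Package("npm", "malicious-pkg", "2.1.0", now - timedelta(days=90)),
        Package("npm", "lodash", "4.17.20", now - timedelta(days=400), cvss=7.2),
        Package("npm", "react", "19.1.1", now - timedelta(days=30)),
        Package("npm", "new-release", "0.0.1", now - timedelta(days=2)),
    ]
    results = {p.key: fw.evaluate(p, "ci-bot", now) for p in samples}
    # the same lodash request two days later: the exception has lapsed, so it is blocked again
    results["lodash@4.17.20 (+2d)"] = fw.evaluate(samples[1], "alice", now + timedelta(days=2))
    return fw, results


if __name__ == "__main__":
    fw, results = demo()
    for key, decision in results.items():
        print(f"{key:28} {decision['status']:9} rule={decision['rule']} effect={decision['effect']}")
```

Two details are worth copying into any real policy: the exception is keyed to an exact version and checked against the request time on every evaluation, so it expires on its own instead of becoming a permanent hole, and a log-only rule never changes the outcome but still leaves its name in the log entry, so a rule can be trialled in log mode before it is switched to block.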

Works with the repositories you already use

JFrog Artifactory
Sonatype Nexus
GitLab
GitHub Packages
Azure Artifacts
AWS CodeArtifact

Common questions from security and engineering teams

Frequently Asked Questions

Can different projects have different policies?
Yes. You can create separate firewalls per project. They are lightweight and easy to clone. You can also differentiate by the user or token used for the session. Firewall configurations are small JSON files that can be managed in Git.
How does malware detection work?
We use multiple data sets and a scanning engine that detects known viruses and malware, combined with ecosystem-specific data sets of known malicious packages. Detection is based on known rules, patterns, and fingerprints, not AI-generated analysis.
What happens if a package passes through but malware is found later?
The firewall tracks all packages via observations: first-seen date, last-seen date, and which firewalls they passed through. When new malware data surfaces, you can see exactly which projects downloaded the affected package and when. This gives your AppSec team a clear investigation trail.
Are there alerts when a package is blocked?
The package manager reports that the version could not be found, which breaks the build. Developers and CI/CD check the firewall logs (via UI or CLI) to see exactly which rule triggered and why. Audit entries include package name, version, user, IP, and the blocking rule.
Can firewall rules be automated?
Yes. All configuration is available via API. Post JSON to add, remove, or modify rules. Configurations can be version-controlled in Git and deployed through your existing automation. All changes are tracked with full rollback support.
Does Bytesafe work with JFrog Artifactory?
Yes. Bytesafe speaks the same protocols as your package managers, so it's fully transparent to Artifactory, Nexus, and other repositories. Bytesafe evaluates each package against your defined policies before it's served.
Can packages be delayed before they reach developers?
Yes, this is one of the most used features. You can delay access to new external package versions by a configurable period (e.g. 7 or 14 days), giving the ecosystem time to discover zero-day malware or vulnerabilities before the package reaches your environment.
How is licensing structured?
Two models: per-user pricing that gets cheaper as you scale, or a pipeline protection plan for CI/CD-only environments. All supported ecosystems are included. No usage-based fees, no per-scan charges, no bandwidth limits.

See the firewall kick in

Watch it block real threats like vulnerable and malicious packages. We'll walk you through how it fits into your environment. No commitments, no migration required.