OCI registry proxy
Route container pulls through Dependency Firewall. Every image request is evaluated against your policies before the image reaches a build agent or production node.
The next generation Dependency Firewall is launching soon. See what’s new
Container Dependency Firewall: coming late Q3 2026
Container Dependency Firewall
Block vulnerable and malicious container images before they reach your build agents, CI/CD pipelines, and production environments.
The same policy engine, audit logging, and registry-proxy architecture that runs Package Dependency Firewall for npm, Maven, PyPI, NuGet and Go, applied to OCI registries.
What Container Dependency Firewall will do
The same controls that block risky packages in npm, Maven and PyPI pipelines, applied to every container image pull.
Vulnerability blocking
Block images with known CVEs in base layers or bundled packages. Filter by CVSS and EPSS severity. New advisories take effect without redeploying the firewall.
Malware and secrets scanning
Detect malicious payloads, hardcoded secrets, and suspicious layer mutations before an image runs in your environment.
Policy engine
Rules by image name, tag pattern, registry source, base image, license, and age. Block or log-only, with time-limited exceptions.
Audit logging
Every pull, block, and exception is recorded. Exportable to your SIEM. Full trail for compliance and incident response.
Works with your existing registry
Proxies Docker Hub, GitHub Container Registry, AWS ECR, Google Artifact Registry and private OCI registries. No changes to your image references.
Interested in Container Dependency Firewall?
Get in touch and we'll reach out before general availability with early access details.