See how Bytesafe stops risky dependencies before install

Bytesafe sits between developers, CI/CD pipelines and public package registries to inspect package requests, enforce policy and stop malicious, vulnerable or non-compliant dependencies before they enter your environment.


A control point before packages enter your environment

Bytesafe intercepts every package request before the package reaches a developer, pipeline, or internal repository.

Diagram: Public registries (npm, PyPI, Maven, NuGet, Go, OCI, Docker) -> Bytesafe Dependency Firewall (policy engine: approved, blocked, delayed, by exception) -> Your environment (developers, CI/CD pipelines, AI coding agents, existing repository manager).

What happens to every package request

From the moment a package is requested to the moment it is allowed, blocked or flagged for review.

Request

A developer, CI/CD pipeline or AI agent runs a package install.

Intercept

Bytesafe receives the request before the package reaches the environment.

Evaluate

The package is checked against policy: malware, CVEs, licenses, age and provenance.

Decide

The package is approved or blocked. Exceptions can be approved by an admin.

Log

The result is recorded with the rule, requester and timestamp.

What Bytesafe checks on every request

Every package request is evaluated in real time against the active policy set.

Malware and known malicious packages

Detects malicious payloads, suspicious install hooks and packages flagged in malware databases.

Vulnerabilities and severity thresholds

Blocks packages with CVEs above a configurable CVSS or EPSS score. New advisories take effect immediately.

Dependency confusion and namespace risk

Blocks public packages that impersonate internal ones. Private packages always resolve first.

License and compliance policy

Blocks packages with disallowed licenses before they reach a build.

Package age and new releases

Holds newly published versions for a configurable window (7 or 14 days) to let the ecosystem surface zero-day issues.

Provenance and trust signals

Verifies package origin using Sigstore and SLSA attestations. Detects version swaps and pipeline tampering.

Ecosystem-specific rules

Supports npm, PyPI, Maven, NuGet, Go and OCI with ecosystem-aware policy controls.

Custom organization policy

Block or allowlist by package name, version range, requester, team or upstream source.

Firewall Rules

Each rule targets one or more conditions. Rules either block the request or log it. Multiple rules stack per firewall and take effect immediately on save.

What the policy engine can filter on

  • Package name / version patterns
  • Upstream
  • Internal / external packages
  • Vulnerability severity, based on CVSS and EPSS thresholds
  • Known malware signatures
  • Package age (minimum days since publish)
  • Provenance downgrade
  • Secrets scanning (publish only)
  • Deprecations
  • Previous observations

Secure defaults (always-on rules)

  • Dependency confusion protection
  • Upstream disagreements

Rules as code

  • Manage rules via API, integrating with GitOps and automation pipelines
  • Roll back to a previous configuration at any time
Example rule as shown in the rule editor (enabled):

  • Execution flow: download
  • Selector: Vulnerabilities (Max CVSS score: 5, Max EPSS score: 0, Allow patches)
  • Upstream: Any
  • Package: *, Version: * (version range)
  • Max age: None
  • Internal: Any
  • Effect: Block the request, or log only (dry run): Block / Log

States, clearly logged

Every package request ends in one of four states: approved, blocked, delayed or approved by exception. All are recorded with the same level of detail.

Approved

The package meets policy. It passes through and reaches the developer or pipeline with no interruption.

Blocked

The package violates policy. It is stopped before install, and both the developer and the CI/CD log show which rule triggered.

Delayed

The package version is newly published. It is held for a configurable window (7 or 14 days) to give the ecosystem time to surface zero-day issues before it reaches your environment.

Approved by Exception

The package would normally be blocked, but an admin has approved an exception. The exception is time-limited and logged with the reason.

Works with the repositories you already use

Bytesafe acts as a proxy in front of your existing repository. Developers and CI/CD pipelines keep their existing registry URLs and credentials. No migration required.

JFrog Artifactory
Sonatype Nexus
GitLab
GitHub Packages
Azure Artifacts
AWS CodeArtifact

Supported ecosystems

npm, Maven, PyPI, NuGet, Go, OCI, Docker

Scanner vs. firewall: a different model

Scanners find issues after dependencies are already in the environment. A dependency firewall stops them before they arrive.

Scanner-based detection

Finds issues after the fact

  • Dependencies are downloaded before scanning runs.
  • Vulnerable packages reach the environment first, then trigger a remediation cycle.
  • The same advisory fires repeatedly until someone removes the package.
  • Scanners do not prevent install. They flag it after.

Firewall-based prevention

Stops packages before they enter

  • The request is evaluated before the package is served.
  • Blocked packages never reach a developer machine or build artifact.
  • No remediation cycle for packages that never arrived.
  • Decisions are enforced at request time, not at scan time.

Common ways teams use Dependency Firewall

Security, DevOps and engineering teams use Dependency Firewall to stop risky packages and enforce policy across their development environment.

Block malicious packages before install

Prevent known malware and account-takeover packages from reaching any developer or build.


Enforce dependency policy in CI/CD

Route pipelines through the firewall and apply the same rules on every build, automatically.


Protect against dependency confusion

Ensure internal package names always resolve from your private registry.


Control open source intake across teams

Apply different policies per team, project, or pipeline with separate firewall configurations.


Grant time-limited exceptions for specific packages

Admins can grant exceptions for packages that would otherwise be blocked, with a reason and expiry logged.


Improve auditability of package decisions

Every allow, block and exception is logged with the rule, requester and timestamp.


Put dependency policy enforcement in front of your package flow

See how Bytesafe can protect your developers, builds and existing repository setup from risky open source packages.
