# Bytesafe Dependency Firewall

Bytesafe Dependency Firewall blocks vulnerable, malicious and policy-violating open source packages before they reach developers, CI/CD pipelines and AI agents. It sits in front of your existing package registry (JFrog Artifactory, Sonatype Nexus, GitLab, GitHub Packages, Azure Artifacts) and evaluates every package request against your policy.

- Company: Bytesafe (Bitfront AB), EU-based, Sweden. Software supply chain security since 2018.
- Hosting: EU data residency. Cloud (SaaS), Managed Cloud, BYO Cloud, On-Premise.
- Ecosystems: npm, PyPI, Maven, NuGet, Go, Containers (OCI).
- Pricing model: per dependency firewall endpoint. Unlimited users, package requests and bandwidth on every plan.

## Core capabilities

- Policy engine: rules by package name, version range, age, license, CVSS/EPSS severity, provenance.
- Vulnerability blocking: block packages with known CVEs before install. CVSS and EPSS thresholds per team or registry.
- Malware scanning: block known malicious packages using dedicated malware databases (separate from vulnerability feeds).
- Safety delay: hold newly published versions for a configurable window (7 or 14 days) so the ecosystem has time to surface zero-day issues.
- Dependency confusion protection: internal packages always resolve from your private registry.
- Provenance verification: Sigstore and SLSA attestation checks. Detect version swaps and pipeline tampering.
- Publish scanning: scan packages for malware, secrets and sensitive data before upload to an upstream registry.
- Audit log: every block, allow and exception recorded and exportable to SIEM.
- Live decision logs: package, version, requester, rule and outcome visible to developers and security teams.
- Time-limited exceptions with reason and expiry. Exceptions expire automatically.
- Policy as code: configuration in Git. API-driven.

## How it works

1. Point CI/CD pipelines and developer tooling at Dependency Firewall instead of directly at public registries.
2. Define rules: vulnerability thresholds, malware scanning, safety delays, allowlist/blocklist. Multiple firewalls per environment or team.
3. Every package request is evaluated in real time. Blocked packages are logged together with the rule that triggered the block. Approved packages are served transparently.

No agent installs. No workflow changes. Standard package managers (npm, bun, yarn, mvn, pip, nuget) keep working. Only the registry URL changes.

## Pages

- /firewall: product overview, capabilities, screenshots, FAQ.
- /firewall-next-gen: differences between the new firewall and the current production firewall, plus migration information for existing customers.
- /how-dependency-firewall-works: architecture, what is checked on every request, how decisions are logged.
- /platform: both products on one page (Dependency Firewall and SBOM Observer) and how they cover CRA, NIS2, DORA and EO 14028.
- /pricing: Cloud and Enterprise plans, add-ons, comparison.
- /about: company background.
- /use-cases: specific scenarios (malware blocking, vulnerability blocking, CI/CD protection, zero-day safety delay, dependency confusion, license enforcement).
- /what-is-a-dependency-firewall: product-anchored explainer covering the definition, the preventive vs. detective distinction, differences from SCA and repository managers, and how Bytesafe implements it. Links to dependencyfirewall.com for the full category reference.
- /security: deployment options (managed SaaS, BYO Cloud, on-premise, partner/MSP), data residency, DPA, who operates it.
- /contact: get in touch.

## Reference content

- [llms-full.txt](https://bytesafe.dev/llms-full.txt): full curated content for all pages above, in a single file.
- [sitemap.xml](https://bytesafe.dev/sitemap.xml): machine-readable list of all pages.