Repository Firewall Best Practices: Policy Compliant Component Selection

Protecting yourself from software supply chain attack with Sonatype Repository Firewall is a bit of a balancing act. Quarantining components protects you from risk, but it also creates some development friction. Quarantine too little, and you’re leaving yourself vulnerable. Quarantine too aggressively, however, and you’ll slow development to a crawl and frustrate developers without any appreciable security gains.

Policy compliant component selection helps you find a balance between friction and development speed. When enabled and configured, policy compliant component selection prompts Nexus Repository to prefer component versions that won’t be quarantined. This keeps the developer from experiencing stoppages even if they’ve requested a risky component.

Here’s an example. Say a developer requests a component without pinning a version. By default, their package manager wants to download the latest-and-greatest – let’s say version 2.3.9. But that version was released just moments ago, so it’s going to fail the Integrity-Rating policy and be quarantined. With policy compliant component selection enabled, Repository Firewall looks at previous versions of that component for a version that won’t be quarantined. If one exists – let’s say 2.3.8 – Nexus Repository fetches that version instead.

(It’s worth pointing out here that PCCS is currently available for npm and PyPI formats, and that it’s an integration of Repository Firewall with Nexus Repository or JFrog Artifactory.)

The single best practice for policy compliant component selection is to turn it on by default for all npm and PyPI proxy repositories. This feature doesn’t create any performance concerns and won’t measurably affect storage. And once it’s enabled, PCCS works in the background, automatically, which means that no manual administrative labor is required. For those reasons, it’s safe to enable in practically every circumstance.

But we can be even more specific than that. Because PCCS helps balance between friction and development speed, we can recommend you prioritize turning on policy compliant component selection for very-low-risk-tolerant environments. Stricter policies mean more quarantining, and those are the environments where policy compliant component selection really shines.

Another best practice is to tell developers when PCCS is enabled and educate them on how it works. Mostly, developers need to know that policy compliant component selection will behave differently depending on whether they’re pinning their dependency versions, specifying a version range, or simply letting the package manager or build tool grab the latest-and-greatest.
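To make that difference concrete, here is an added example (not Sonatype’s code) that models the selection logic in a few lines of Python: it treats any version released less than a constructed 24-hour threshold ago as quarantined, standing in for the Integrity-Rating rule, and then resolves a pinned version, a version range, or “latest” with and without PCCS-style fallback. The version list and release times are constructed sample data, not a real package.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample release metadata (assumed values, not a real package).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
RELEASES = {
    "2.3.9": NOW - timedelta(minutes=5),  # published moments ago
    "2.3.8": NOW - timedelta(days=30),
    "2.3.7": NOW - timedelta(days=90),
    "3.0.0": NOW - timedelta(days=3),
}
# Hypothetical threshold standing in for an Integrity-Rating style policy.
MIN_AGE = timedelta(hours=24)

def parse(version):
    return tuple(int(part) for part in version.split("."))

def quarantined(version):
    """Simplified policy: anything newer than MIN_AGE fails and is quarantined."""
    return NOW - RELEASES[version] < MIN_AGE

def matches(version, spec):
    """spec is 'latest', 'pin:<version>' or 'range:<clause>,<clause>' (e.g. '>=2.3.0,<3.0.0')."""
    if spec == "latest":
        return True
    kind, _, body = spec.partition(":")
    if kind == "pin":
        return version == body
    # Two-character operators are listed first so '>=' is tried before '>'.
    ops = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
           "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}
    for clause in body.split(","):
        op = next(o for o in ops if clause.startswith(o))
        if not ops[op](parse(version), parse(clause[len(op):])):
            return False
    return True

def select(spec, pccs=True):
    """Return the version the proxy would serve, or None if the request is blocked."""
    candidates = sorted((v for v in RELEASES if matches(v, spec)), key=parse, reverse=True)
    if not candidates:
        return None
    if not pccs:
        # Without PCCS the package manager's first choice is served or blocked outright.
        return None if quarantined(candidates[0]) else candidates[0]
    # With PCCS, walk back through older matching versions until one passes policy.
    return next((v for v in candidates if not quarantined(v)), None)
```

A pinned version gets no fallback, so a quarantined pin is still blocked with PCCS on; a range or an unpinned request falls back to the newest compliant match.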

Next time, we’ll talk a little more about how Nexus Repository and Repository Firewall can balance friction and speed in the face of a serious supply chain threat.

Resources:

Policy Compliant Component Selection

Repository Firewall Best Practices


Good share, thanks.


I agree with the statement that enabling Policy Compliant Component Selection (PCCS) by default for npm and PyPI proxy repositories is beneficial, as it helps strike a balance between ensuring the security of components and maintaining development speed.


@huk-coburg-01 Thanks for the insight, Christian! Assuming this means that you do have PCCS enabled by default? Or is it more something you’re hoping to do?

Yes, we have enabled download policy-compliant versions only by default at the proxy repositories.
