Firewall Policy Management
This guide explains how to configure and manage policies in Safety Firewall to control package installation behavior across your organization.
Understanding Firewall Policies
Policies define how Safety Firewall responds when users attempt to install packages. You can configure policies to:
Warn users about vulnerabilities
Block installation of vulnerable or malicious packages
Apply different rules based on vulnerability severity
Set organization-wide or codebase-specific policies
Policy Hierarchy
Safety Firewall policies follow a hierarchical structure; the most specific policy that exists takes precedence:
Organization Policies: Apply to all users and codebases in the organization
Codebase Policies: Specific to individual codebases; override organization policies for that codebase
Default Policies: Applied only when neither an organization policy nor a codebase policy is defined
Default Policies
Safety Firewall includes sensible default policies out of the box:
Installation: Warns on all vulnerability severities
Scanning: Reports all vulnerabilities regardless of severity
Malicious Packages: Blocks known malicious packages
Accessing Policy Management
To manage policies:
Navigate to "Organization" → "Policies" for organization-wide policies
Navigate to a specific codebase and select the "Policies" tab for codebase-specific policies
IMPORTANT: the visual Policy Builder wizard in Safety Platform does not yet support Firewall policies. Until it does, select the Advanced Configuration option on the policy configuration page to define Firewall policies.
Policy Structure and Syntax
Safety Firewall policies use a JSON structure with specific rules for allowing and denying packages or vulnerabilities.
Basic Policy Structure
Configuring Allow and Deny Rules
Allow Rules
Allow rules specify packages or vulnerabilities that should be explicitly permitted:
Deny Rules
Deny rules specify packages or vulnerabilities that should trigger warnings or blocks:
Complete Policy Example
Here's a complete policy example that:
Allows specific package versions
Exempts specific vulnerabilities with explanations
Warns on packages less than 3 months old and on critical/high vulnerabilities
Blocks packages less than 1 month old and packages with critical vulnerabilities
Common Policy Patterns
Basic Security Policy
Warn on high severity vulnerabilities, block critical ones:
New Package Caution
Warn about packages that are less than 3 months old:
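The sections above describe explicit allows, warn/block thresholds on severity and package age, documented exceptions with an expiry, and the organization/codebase hierarchy, but not how they combine at install time. The Python below is an added example written for this page, not Safety Firewall's own code or schema: the JSON layout it reads (the allow/deny keys, the packages/vulnerabilities sub-keys, the min_age_days and severity thresholds, the reason and expires fields) and the choice to treat a codebase policy as a whole-policy replacement of the organization policy are all assumptions made to mirror the prose. All package names and vulnerability IDs are constructed. It also shows the failure mode the best practices warn about: once an exception's expires date has passed, the finding counts against the package again.

```python
"""Toy evaluator for the policy concepts on this page (added example,
not Safety Firewall code; the JSON layout below is an assumed shape)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Out-of-the-box behaviour described under "Default Policies":
# warn on every severity, block known-malicious packages.
DEFAULT_POLICY = {
    "allow": {"packages": {}, "vulnerabilities": {}},
    "deny": {"warn": {"severity": "low"}, "block": {"malicious": True}},
}

# Constructed organization policy in the assumed layout: warn on packages
# younger than 3 months or with high+ findings, block on packages younger
# than 1 month or with critical findings, plus one documented exception.
ORG_POLICY = json.loads("""
{
  "allow": {
    "packages": {"legacy-lib": ["1.4.2"]},
    "vulnerabilities": {
      "VULN-EXAMPLE-1": {
        "reason": "affected code path is never invoked by our services",
        "expires": "2025-06-30"
      }
    }
  },
  "deny": {
    "warn":  {"min_age_days": 90, "severity": "high"},
    "block": {"min_age_days": 30, "severity": "critical", "malicious": true}
  }
}
""")


@dataclass
class Package:
    name: str
    version: str
    released: date
    vulns: list[tuple[str, str]] = field(default_factory=list)  # (id, severity)
    malicious: bool = False


@dataclass
class Decision:
    action: str  # "allow" | "warn" | "block"
    reasons: list[str]


def effective_policy(org: dict | None, codebase: dict | None) -> dict:
    """Hierarchy from the page: codebase overrides organization, which
    overrides the defaults. Whole-policy replacement is an assumption."""
    return codebase or org or DEFAULT_POLICY


def active_exceptions(policy: dict, today: date) -> set[str]:
    """Vulnerability exceptions whose 'expires' date has not passed.
    An exception without an expiry never lapses, which is why the page
    recommends always setting one."""
    keep = set()
    for vuln_id, entry in policy["allow"].get("vulnerabilities", {}).items():
        expires = entry.get("expires")
        if expires is None or date.fromisoformat(expires) >= today:
            keep.add(vuln_id)
    return keep


def _matches(rule: dict, pkg: Package, age_days: int, worst: int, out: list[str]) -> bool:
    """Record every condition of a warn/block rule that the package trips."""
    hit = False
    if rule.get("malicious") and pkg.malicious:
        out.append("package is known malicious")
        hit = True
    if "min_age_days" in rule and age_days < rule["min_age_days"]:
        out.append(f"package is {age_days} days old (< {rule['min_age_days']})")
        hit = True
    if "severity" in rule and worst >= SEVERITY_RANK[rule["severity"]]:
        out.append(f"unexcepted finding at or above {rule['severity']}")
        hit = True
    return hit


def evaluate(pkg: Package, policy: dict, today: date) -> Decision:
    """Decide allow/warn/block for one install request."""
    allowed_versions = policy["allow"].get("packages", {}).get(pkg.name, [])
    # Explicit allow wins over age/severity rules. Not letting it override
    # a malicious block is a deliberate choice of this example.
    if pkg.version in allowed_versions and not pkg.malicious:
        return Decision("allow", [f"{pkg.name}=={pkg.version} is explicitly allowed"])

    exceptions = active_exceptions(policy, today)
    remaining = [sev for vid, sev in pkg.vulns if vid not in exceptions]
    worst = max((SEVERITY_RANK[s] for s in remaining), default=0)
    age_days = (today - pkg.released).days

    reasons: list[str] = []
    if _matches(policy["deny"].get("block", {}), pkg, age_days, worst, reasons):
        return Decision("block", reasons)
    if _matches(policy["deny"].get("warn", {}), pkg, age_days, worst, reasons):
        return Decision("warn", reasons)
    return Decision("allow", ["no deny rule matched"])


def run_scenarios() -> dict[str, str]:
    """Constructed install requests run against the policies above."""
    today = date(2025, 5, 1)
    later = date(2025, 7, 15)  # after VULN-EXAMPLE-1's exception expires
    # Codebase policy that relaxes the org policy: warn only on critical.
    codebase_policy = {
        "allow": {"packages": {}, "vulnerabilities": {}},
        "deny": {"warn": {"severity": "critical"}, "block": {"malicious": True}},
    }
    pinned = Package("legacy-lib", "1.4.2", date(2020, 1, 1), [("VULN-EXAMPLE-2", "critical")])
    fresh = Package("fresh-lib", "0.1.0", today - timedelta(days=11))
    excepted = Package("old-lib", "3.0.0", date(2022, 1, 1), [("VULN-EXAMPLE-1", "high")])
    malicious = Package("evil-lib", "9.9.9", date(2019, 1, 1), malicious=True)
    org = effective_policy(ORG_POLICY, None)
    default = effective_policy(None, None)
    overridden = effective_policy(ORG_POLICY, codebase_policy)
    return {
        "pinned_allowlisted": evaluate(pinned, org, today).action,
        "fresh_org": evaluate(fresh, org, today).action,
        "fresh_codebase_override": evaluate(fresh, overridden, today).action,
        "fresh_default": evaluate(fresh, default, today).action,
        "exception_active": evaluate(excepted, org, today).action,
        "exception_expired": evaluate(excepted, org, later).action,
        "exception_unknown_to_default": evaluate(excepted, default, today).action,
        "malicious_org": evaluate(malicious, org, today).action,
    }


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

Two outcomes are worth noting. The same package that the organization policy blocks for being 11 days old is allowed under the codebase policy, which is the effect of the "codebase overrides organization" rule; and old-lib flips from allow to warn on 2025-07-15 purely because its exception expired, which is the behaviour an expires date is meant to produce.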
Best Practices for Policy Management
Start Permissive: Begin with warning-only policies to minimize disruption
Gradually Increase Restrictions: Tighten policies as your team becomes familiar with Safety Firewall
Communicate Changes: Inform your team before implementing blocking policies
Add Documentation: Use the "reason" field to document why an exception is being made
Set Expirations: Always include an "expires" date for vulnerability exceptions
Monitor Impact: Watch the Firewall logs to see how policies affect your team's workflow