Configure your package manager
The firewall runs as a registry proxy. Point each package manager at it once — in the project or CI config — and every install is evaluated against policy before it resolves. No agent on the developer machine; it is pure registry configuration.
How it works
Each ecosystem’s client is told to use the dpndncY firewall as its registry/mirror. The firewall evaluates the requested package@version against policy, records a signed verdict, and (in enforce) returns 403 for a block — otherwise it transparently forwards to the upstream registry.
Per-ecosystem configuration
npm — .npmrc
registry=https://firewall.dpndncy.example.com/npm/
//firewall.dpndncy.example.com/npm/:_authToken=${DPNDNCY_TOKEN}PyPI — pip.conf
[global]
index-url = https://firewall.dpndncy.example.com/pypi/simple/Maven — settings.xml
<mirror>
<id>dpndncy</id>
<mirrorOf>*</mirrorOf>
<url>https://firewall.dpndncy.example.com/maven/</url>
</mirror>NuGet — NuGet.Config
<packageSources>
<clear />
<add key="dpndncy" value="https://firewall.dpndncy.example.com/nuget/v3/index.json" />
</packageSources>Go / Cargo / RubyGems
# Go
export GOPROXY=https://firewall.dpndncy.example.com/go/
# Cargo (.cargo/config.toml) — set a [source] replacement to the dpndncy registry
# RubyGems
gem sources --add https://firewall.dpndncy.example.com/rubygems/ --remove https://rubygems.org/Configure CI, not laptops
The highest-leverage place to point at the firewall is your CI/build config — that’s where installs become artifacts. Developer machines are optional.
Air-gapped
In air-gapped environments the firewall fronts an internal mirror and serves from its local cache, so installs work with no outbound access. See Air-gapped install.