Skip to main content

Configure Policies and Policy Sets

Last updated on

Dependency Firewall uses Harness Policy as Code to evaluate artifacts against security rules. To get started, you need to create policies and policy sets that define the evaluation criteria for your upstream proxy registries.

Prerequisites

Before configuring policies for Dependency Firewall, familiarize yourself with Harness Policy as Code:

Policies are written in Rego, the policy language from Open Policy Agent (OPA). If you're new to Rego, check out the free OPA Policy Authoring course.

Dependency Firewall Policy Templates

When creating a policy in the Harness Policy Library, you'll find built-in templates specifically designed for Dependency Firewall. You can use these templates as-is, customize them to match your requirements, or create your own custom policies from scratch using the Rego language.

CVSS Threshold Evaluates artifacts based on Common Vulnerability Scoring System (CVSS) scores. Use this template to block or warn about vulnerabilities above a certain severity level. You can customize the threshold values to match your organization's risk tolerance.

License Policy Checks artifact licenses against your organization's approved or blocked license list. This template helps ensure compliance with your licensing requirements by evaluating whether an artifact's license is allowed for use. You can modify the allowed list to customize which licenses are acceptable for your organization.

Package Age Evaluates artifacts based on their age or release date. Use this template to block newly released packages during a cooldown period, helping prevent the use of untested versions that may contain security issues or bugs.

OSS Risk Level Evaluates artifacts based on their open-source risk score. Use this template to block or warn about packages that exceed a configured risk threshold. Risk scores factor in maintenance status, known vulnerabilities, and community health indicators.

Malicious Package Detects packages that have been flagged as malicious in threat intelligence databases. Use this template to automatically block any package version identified as containing malware, typosquatting attempts, or other malicious payloads.

tip

You can edit any of these templates or create completely custom policies using Rego. The templates provide a solid foundation that you can modify to suit your specific security requirements.

Important: When customizing policies, ensure that the output format of the policy remains the same. The Dependency Firewall expects a specific output structure to properly evaluate and categorize violations.

Entity Type for Dependency Firewall

When creating or editing policies for Dependency Firewall, you must select the entity type: Upstream Proxy. This entity type is specific to Dependency Firewall and ensures that your policy appears in the policy library when creating policy sets for upstream proxy registries.

Creating Policy Sets

To create and enforce a policy set for Dependency Firewall:

  1. Follow the standard process for creating a policy set in Harness. When creating the policy set, make sure to:
  • Set the Entity Type to Upstream Proxy
  • Set On what event should the policy set be evaluated to On Evaluation
  • Select the scope where the policy set will apply (Account, Organization, or Project level)
  • Click Add Policy and select the Dependency Firewall policies you created earlier
  • Save the policy set

  1. On the Policy evaluation criteria step, set the fail action for each policy in the set. This is what Dependency Firewall uses at pull time to decide the artifact verdict.

    Policy evaluation criteria step in the Policy Set wizard, showing three policies (firewall-age, firewall-license, firewall-vulnerability) each with a fail action dropdown set to Error and exit or Warn & continue

    For each policy, choose one of two fail actions:

    • Error and exit: if this policy fails, the artifact verdict is Blocked. The artifact is not cached in the upstream proxy and cannot be used. An exemption is required to consume it.
    • Warn & continue: if this policy fails, the artifact verdict is Warning. By default the artifact is still cached and remains usable; the violation only shows up on the Dependency Firewall dashboard. If the upstream proxy registry has Quarantine artifacts on 'Warn and Continue' fail criteria selected, the artifact is also quarantined and requires an exemption. Go to How the quarantine checkbox behaves to understand the full behavior.

    You can mix fail actions across policies in the same set. For example, set vulnerability policies to Error and exit for hard enforcement and set license or package age policies to Warn & continue for visibility-only enforcement.

  2. Enable enforcement by navigating to the Policy Sets list, finding your Dependency Firewall policy set, and toggling the Enforced switch to ON.

When enforced, the policy set automatically applies to all upstream proxy registries with Dependency Firewall enabled within the policy set's scope. Account level applies to all upstream proxy registries in the account, Organization level applies to all upstream proxy registries in that organization, and Project level applies only to upstream proxy registries in that specific project.

Important

Policy sets only apply to upstream proxy registries that have Dependency Firewall enabled. Make sure to enable Dependency Firewall in your upstream proxy registry configuration.