Package Firewall Manager
What Is the Package Firewall Manager?
The Package Firewall Manager in NetRise Provenance is a declarative, YAML-based system for defining and enforcing software trust standards — automatically blocking, flagging, logging, requiring human review of, or allowing packages and dependencies based on sanctions, geography, repository health, contributor signals, advisories, and custom rules.
Most organizations evaluate dependency risk through ad hoc judgment: a developer searches, a security engineer reviews, a procurement reviewer asks the vendor. The outcome depends on who is in the room. That inconsistency is precisely what supply chain attackers exploit. The Package Firewall Manager replaces judgment calls with enforceable workflows: a policy can deny a package outright, review a component before it ships, warn on a finding, info-log a signal for later, or allow a known-good exemption.
Policies run through the provenance check CLI command against packages or SBOMs, and the same rules apply anywhere software enters the organization — developer workstations, CI/CD pipelines, container builds, vendor intake reviews, procurement gating. In CI/CD, that means a deny decision fails the build before a compromised component is ingested into the codebase. The same standard, enforced in every workflow.
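To make the decision model concrete, here is an added illustration of how a declarative package policy can be evaluated against SBOM components. It is not NetRise's code, YAML schema, or CLI: the rule keys (sanctioned, max_advisory, days_since_commit_gt, maintainer_age_days_lt), the rule and package names, the "most severe matched action wins unless an explicit exemption matches" precedence, and the default-allow behaviour when nothing matches are all assumptions of this example. The policy is written as a Python dict standing in for a YAML document so the block runs without extra libraries.

```python
"""Hypothetical package-firewall policy evaluator (illustration only, not NetRise's)."""
from dataclasses import dataclass
from typing import Any, Dict, List

# Action precedence for this illustration: when several rules match one package,
# the most severe action is reported; an explicit exemption overrides all rules.
SEVERITY = {"deny": 4, "review": 3, "warn": 2, "info": 1, "allow": 0}

# Constructed policy. In a real system this would be the YAML document; the keys
# and rule names here are invented for the example.
POLICY: Dict[str, Any] = {
    "rules": [
        {"name": "sanctioned-maintainer", "action": "deny",
         "when": {"sanctioned": True}},
        {"name": "critical-advisory", "action": "deny",
         "when": {"max_advisory": "critical"}},
        {"name": "high-advisory", "action": "review",
         "when": {"max_advisory": "high"}},
        {"name": "stale-repo", "action": "warn",
         "when": {"days_since_commit_gt": 730}},
        {"name": "new-maintainer", "action": "info",
         "when": {"maintainer_age_days_lt": 30}},
    ],
    # Known-good exemption pinned to one exact version.
    "exemptions": [
        {"package": "legacy-parser", "version": "2.1.0",
         "reason": "vendor-reviewed, pinned", "action": "allow"},
    ],
}


@dataclass
class Package:
    """One SBOM component with the signals the policy inspects (constructed fields)."""
    name: str
    version: str
    sanctioned: bool = False         # maintainer or organisation on a sanctions list
    max_advisory: str = "none"       # none | low | medium | high | critical
    days_since_commit: int = 0       # repository health signal
    maintainer_age_days: int = 3650  # contributor signal


def condition_matches(cond: Dict[str, Any], pkg: Package) -> bool:
    """All keys in a rule's 'when' block must hold for the rule to match."""
    for key, expected in cond.items():
        if key == "sanctioned" and pkg.sanctioned != expected:
            return False
        if key == "max_advisory" and pkg.max_advisory != expected:
            return False
        if key == "days_since_commit_gt" and not pkg.days_since_commit > expected:
            return False
        if key == "maintainer_age_days_lt" and not pkg.maintainer_age_days < expected:
            return False
        if key not in ("sanctioned", "max_advisory",
                       "days_since_commit_gt", "maintainer_age_days_lt"):
            raise ValueError(f"unknown condition key: {key}")
    return True


def evaluate(pkg: Package, policy: Dict[str, Any]) -> Dict[str, Any]:
    """Return the decision for one package: action, matched rule names, and reason."""
    ident = f"{pkg.name}@{pkg.version}"
    for ex in policy.get("exemptions", []):
        if ex["package"] == pkg.name and ex["version"] == pkg.version:
            return {"package": ident, "action": "allow", "rules": [],
                    "reason": ex["reason"]}
    matched = [r for r in policy["rules"] if condition_matches(r["when"], pkg)]
    if not matched:
        return {"package": ident, "action": "allow", "rules": [],
                "reason": "no rule matched"}
    top = max(matched, key=lambda r: SEVERITY[r["action"]])
    return {"package": ident, "action": top["action"],
            "rules": [r["name"] for r in matched], "reason": top["name"]}


def check_sbom(components: List[Package], policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Evaluate every component of an SBOM against the policy."""
    return [evaluate(p, policy) for p in components]


def build_passes(decisions: List[Dict[str, Any]]) -> bool:
    """CI gate: any deny decision fails the build before the component is ingested."""
    return not any(d["action"] == "deny" for d in decisions)


# Constructed SBOM sample: names, versions and signals are invented.
SAMPLE_SBOM = [
    Package("legacy-parser", "2.1.0", max_advisory="high"),          # exempted
    Package("fastjson-lite", "0.9.1", sanctioned=True, days_since_commit=900),
    Package("tiny-logger", "4.2.0", days_since_commit=800, maintainer_age_days=10),
    Package("http-core", "1.0.0"),
]

if __name__ == "__main__":
    results = check_sbom(SAMPLE_SBOM, POLICY)
    for d in results:
        print(f"{d['action']:<7} {d['package']:<22} rules={d['rules']} ({d['reason']})")
    print("build passes:", build_passes(results))
```

Two points the example makes that the prose leaves implicit: an exemption is only meaningful when it is pinned to an exact version (a later version of the same package falls back to the ordinary rules and, with a high advisory, lands in review), and a single deny anywhere in the SBOM is enough to fail the gate regardless of how many other components are clean.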
Related Terms
NetRise Provenance · Blast Radius · Downstream Impact · Software Trust · Repository Health · Contributor & Organization Attribution