One command. Transparent interception.
The Vulnetix CLI routes dependency downloads through the Package Firewall proxy at packages.vulnetix.com. Every go get, go mod tidy, and go build is evaluated against your 12-policy ruleset before any code touches your machine, then logged so teams can prove exactly why each request passed, was blocked, or errored. Each request is checked against the Vulnetix VDB in real time under your ruleset; blocked requests return HTTP 403 with a JSON reason body, while clean packages stream from upstream mirrors.
$ vulnetix config set package-firewall --cvss-threshold 8.0
$ NETRC=.netrc go get github.com/beego/beego/v2@v2.0.0
go: github.com/beego/beego/v2@v2.0.0: verifying module: 403 Forbidden
{ "error": "blocked by policy",
  "reason": "CVSS score 9.8 meets or exceeds threshold 8.0" }
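What "transparent interception" means at the wire level is that the firewall speaks the GOPROXY protocol: the go command asks for /<module>/@v/<version>.info, .mod and .zip, and the proxy either answers 403 with a JSON reason or relays the request to an upstream mirror. The following is an added illustration, not Vulnetix's code: a minimal Go firewall handler that decodes GOPROXY path escaping, consults a policy callback, and reverse-proxies everything else. The Policy signature, the JSON field names, and the demoPolicy stand-in (which blocks only the beego version from the transcript above) are assumptions of this example; the stub upstream is constructed in-process so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Policy decides whether module@version may be served. Hypothetical signature;
// a real firewall consults its vulnerability database here.
type Policy func(module, version string) (blocked bool, reason string)

// unescapePath reverses GOPROXY path escaping: "!u" stands for "U", so the
// request path github.com/!burnt!sushi/toml means github.com/BurntSushi/toml.
func unescapePath(p string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(p); i++ {
		if p[i] != '!' {
			b.WriteByte(p[i])
		} else if i++; i < len(p) && p[i] >= 'a' && p[i] <= 'z' {
			b.WriteByte(p[i] - 'a' + 'A')
		} else {
			return "", fmt.Errorf("bad escape in %q", p)
		}
	}
	return b.String(), nil
}

// parseProxyPath extracts module and version from a versioned GOPROXY request such as
// /github.com/foo/bar/@v/v1.2.3.info (.mod and .zip likewise). List and @latest
// requests carry no version, so they return ok=false and are passed through.
func parseProxyPath(path string) (module, version string, ok bool) {
	i := strings.Index(path, "/@v/")
	if i < 0 {
		return "", "", false
	}
	mod, err := unescapePath(strings.TrimPrefix(path[:i], "/"))
	if err != nil {
		return "", "", false
	}
	rest := path[i+len("/@v/"):]
	for _, suffix := range []string{".info", ".mod", ".zip"} {
		if strings.HasSuffix(rest, suffix) {
			ver, err := unescapePath(strings.TrimSuffix(rest, suffix))
			return mod, ver, err == nil
		}
	}
	return "", "", false
}

// newFirewall answers blocked versions with 403 and a JSON reason body and reverse-proxies
// everything else upstream. All three artifacts (.info, .mod, .zip) go through the policy,
// so a blocked version cannot be assembled piecemeal.
func newFirewall(upstream *url.URL, policy Policy) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if mod, ver, ok := parseProxyPath(r.URL.Path); ok {
			if blocked, reason := policy(mod, ver); blocked {
				w.Header().Set("Content-Type", "application/json")
				w.WriteHeader(http.StatusForbidden)
				json.NewEncoder(w).Encode(map[string]string{"error": "blocked by policy", "reason": reason})
				return
			}
		}
		proxy.ServeHTTP(w, r)
	})
}

// demoPolicy is a constructed stand-in for the VDB lookup: it blocks only the
// module@version from the page's transcript, with the same reason string.
func demoPolicy(module, version string) (bool, string) {
	if module == "github.com/beego/beego/v2" && version == "v2.0.0" {
		return true, "CVSS score 9.8 meets or exceeds threshold 8.0"
	}
	return false, ""
}

// serve sends one request through the firewall in front of a stub upstream that
// echoes the path it received, returning the status and body the go command would see.
func serve(policy Policy, path string) (int, string) {
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, `{"upstream":%q}`, r.URL.Path)
	}))
	defer upstream.Close()
	target, _ := url.Parse(upstream.URL)
	rec := httptest.NewRecorder()
	newFirewall(target, policy).ServeHTTP(rec, httptest.NewRequest("GET", path, nil))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	for _, p := range []string{"/github.com/beego/beego/v2/@v/v2.0.0.info", "/golang.org/x/text/@v/v0.14.0.info"} {
		code, body := serve(demoPolicy, p)
		fmt.Printf("%s -> %d %s\n", p, code, body)
	}
}
```

Two practitioner caveats follow from the protocol. First, the status code matters: when GOPROXY lists several proxies separated by commas, the go command only falls through to the next entry on a 404 or 410, so a 403 stops the fetch; a pipe separator falls through on any error, including 403, and would let a developer's own GOPROXY setting silently route around the firewall. Second, list and @latest responses can also be filtered so that version resolution never selects a blocked version in the first place; the example above leaves them untouched for brevity.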
12 policy controls, active immediately
Block by vulnerability severity
Every dependency request is checked against the Vulnetix VDB for known CVEs. If the highest CVSS v3 score on any CVE for that exact version meets or exceeds your threshold, the download is blocked before it reaches your machine.
Block by exploitation probability
EPSS, the Exploit Prediction Scoring System from FIRST.org, estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. A CVE with CVSS 7.5 and EPSS 0.97 is far more likely to be attacked than one with CVSS 10.0 and EPSS 0.01, so this control blocks a version whose highest EPSS score meets or exceeds your threshold. Scores update daily.
Block by exploit availability probability
Coalition ESS reports an Exploit Availability Probability: the likelihood that working exploit code becomes publicly available for threat actors to reuse. It answers whether an exploit is likely to be easy to find and operationalise, not just how severe the CVE is, and this control blocks when that probability meets or exceeds your threshold.
Block known malicious packages
blockMalware rejects any dependency flagged as a known malicious package before the module metadata even downloads. The VDB aggregates malware intelligence from OSSF Malicious Packages, OSV.dev malware advisories, and researcher-submitted samples, de-duplicated against a single corpus.
Block end-of-life dependencies
End-of-life packages accumulate unpatched CVEs — their maintainers have stopped issuing security fixes, so any new vulnerability becomes a permanent exposure. blockEol prevents teams from introducing EOL dependencies before they become a liability.
Block CISA Known Exploited Vulnerabilities
CISA KEV inclusion isn't a prediction; it's confirmation that the vulnerability is being actively exploited right now. US federal agencies must patch within 2–3 weeks of KEV listing; blockKev applies that same standard to your dependency pipeline automatically.
Block weaponized exploits
A weaponized exploit is attack code that is mature, reliable, and ready for adversarial use — no expertise required. Honeypot intelligence tracks when PoC code graduates from a researcher's lab to an operational weapon, the kind that powers ransomware and mass exploitation.
Block actively exploited vulnerabilities
blockActive blocks dependencies with confirmed active exploitation in the wild. CrowdSec tracks real attack traffic across millions of sensors globally; when a dependency's CVE shows up in live attack data, the proxy blocks it immediately.
Block when exploit code exists
A published proof-of-concept drastically lowers the barrier to exploitation — attackers can follow a recipe. The window between PoC publication and mass exploitation is measured in hours, not days. blockPoc closes that window for your dependency pipeline.
Block CVEs linked to bad actors
blockBadActors elevates the risk assessment when a vulnerability is associated with state-sponsored threat groups, criminal organisations, or actors with a documented track record of targeting open source supply chains. The same CVSS score means more when the attacker is a nation-state.
Delay newly published versions, carefully
Fast-follow supply chain attacks publish a malicious version seconds after a legitimate one, timed to catch automated upgrade scripts before the community notices. cooldownDays: N blocks any version published fewer than N days ago, creating a time buffer in which the community can notice. It is a hopeful freshness guard, not proof of safety.
Avoid being first on a release
versionLag: N blocks a version unless at least N newer versions have been published. It is release-count-based rather than time-based, but it still only guesses that later releases create more scrutiny. It does not prove the older version is safe.
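To make the twelve controls concrete, here is an added worked example (not Vulnetix's implementation) of the evaluation logic as a single Go function: it takes a ruleset and a VDB-style record for one exact version, applies each control in turn, and returns every reason that fires, so an audit log can show the full picture rather than only the first hit. The struct fields, threshold semantics, and reason strings are this example's assumptions (the CVSS reason deliberately matches the transcript above), the VDB records are constructed, and the CVE identifier is a placeholder. versionLag here counts releases published after the requested version; ordering by semver instead would be an equally valid reading of the page.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// CVE carries per-vulnerability intelligence; field names are this example's assumptions, not the Vulnetix schema.
type CVE struct {
	ID         string
	CVSS       float64 // CVSS v3 base score, 0-10
	EPSS       float64 // FIRST EPSS 30-day exploitation probability, 0-1
	ESSAvail   float64 // Coalition ESS exploit availability probability, 0-1
	KEV        bool    // listed in CISA KEV
	Weaponized bool    // mature, reliable exploit in circulation
	Active     bool    // seen in live attack traffic
	PoC        bool    // public proof-of-concept exists
	BadActor   bool    // linked to a tracked threat group
}

// VersionIntel is the record for one exact version of a package.
type VersionIntel struct {
	Version   string
	Published time.Time
	Malicious bool
	EOL       bool
	CVEs      []CVE
}

// Ruleset holds the twelve controls; a zero threshold or false flag disables one.
type Ruleset struct {
	CVSSThreshold, EPSSThreshold, ESSThreshold        float64
	BlockMalware, BlockEol, BlockKev, BlockWeaponized bool
	BlockActive, BlockPoc, BlockBadActors             bool
	CooldownDays, VersionLag                          int
}

// Evaluate returns every reason the ruleset blocks v (empty means allowed), so the
// audit log records all hits rather than only the first. history holds every known
// version of the package; versionLag counts those published after v (an assumption).
func Evaluate(rs Ruleset, v VersionIntel, history []VersionIntel, now time.Time) []string {
	var why []string
	add := func(hit bool, format string, args ...interface{}) {
		if hit {
			why = append(why, fmt.Sprintf(format, args...))
		}
	}
	add(rs.BlockMalware && v.Malicious, "known malicious package")
	add(rs.BlockEol && v.EOL, "dependency is end-of-life")
	var cvss, epss, ess float64 // highest score across the version's CVEs
	for _, c := range v.CVEs {
		cvss, epss, ess = math.Max(cvss, c.CVSS), math.Max(epss, c.EPSS), math.Max(ess, c.ESSAvail)
	}
	add(rs.CVSSThreshold > 0 && cvss >= rs.CVSSThreshold, "CVSS score %.1f meets or exceeds threshold %.1f", cvss, rs.CVSSThreshold)
	add(rs.EPSSThreshold > 0 && epss >= rs.EPSSThreshold, "EPSS %.2f meets or exceeds threshold %.2f", epss, rs.EPSSThreshold)
	add(rs.ESSThreshold > 0 && ess >= rs.ESSThreshold, "exploit availability %.2f meets or exceeds threshold %.2f", ess, rs.ESSThreshold)
	for _, c := range v.CVEs {
		add(rs.BlockKev && c.KEV, "%s is in CISA KEV", c.ID)
		add(rs.BlockWeaponized && c.Weaponized, "%s has a weaponized exploit", c.ID)
		add(rs.BlockActive && c.Active, "%s is actively exploited", c.ID)
		add(rs.BlockPoc && c.PoC, "%s has public proof-of-concept code", c.ID)
		add(rs.BlockBadActors && c.BadActor, "%s is linked to a known bad actor", c.ID)
	}
	age := now.Sub(v.Published)
	add(rs.CooldownDays > 0 && age < time.Duration(rs.CooldownDays)*24*time.Hour,
		"published %d day(s) ago, inside cooldown of %d days", int(age.Hours()/24), rs.CooldownDays)
	newer := 0
	for _, h := range history {
		if h.Published.After(v.Published) {
			newer++
		}
	}
	add(rs.VersionLag > 0 && newer < rs.VersionLag, "only %d newer version(s) published, versionLag requires %d", newer, rs.VersionLag)
	return why
}

// demo evaluates constructed records for a hypothetical module; the CVE ID is a placeholder.
func demo() map[string][]string {
	now := time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	history := []VersionIntel{
		{Version: "v1.0.0", Published: now.Add(-400 * day), CVEs: []CVE{{ID: "CVE-0000-0001", CVSS: 9.8, EPSS: 0.97, KEV: true, PoC: true}}},
		{Version: "v1.1.0", Published: now.Add(-30 * day)},
		{Version: "v1.2.0", Published: now.Add(-1 * day)},
	}
	rs := Ruleset{CVSSThreshold: 8.0, EPSSThreshold: 0.5, BlockMalware: true, BlockEol: true, BlockKev: true, BlockPoc: true, CooldownDays: 7, VersionLag: 1}
	out := map[string][]string{}
	for _, v := range history {
		out[v.Version] = Evaluate(rs, v, history, now)
	}
	return out
}

func main() {
	for ver, why := range demo() {
		fmt.Printf("%s allowed=%t reasons=%q\n", ver, len(why) == 0, why)
	}
}
```

Running the demo shows the controls pulling in different directions: v1.0.0 is blocked four times over (CVSS, EPSS, KEV and PoC), v1.2.0 is blocked only by the two freshness guards (cooldown and versionLag) despite having no known vulnerabilities, and v1.1.0 is the sole version that clears everything. That middle ground is exactly what a Safe Harbour style "nearest safe version" step has to find, and why the page calls cooldown and versionLag guards rather than proof of safety.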
One firewall across your dependency surface
Go (including the pkg.go.dev API), Arch Linux and AUR are free on community plans. The remaining language registries unlock on Pro, while container, OS, and infrastructure registries sit on Enterprise. 25 registries are live today:

Registry          Plan        Status
Go                Free        Live
pkg.go.dev API    Free        Live
npm               Pro         Live
PyPI              Pro         Live
Cargo             Pro         Live
RubyGems          Pro         Live
Hex               Pro         Live
pub.dev           Pro         Live
Maven             Pro         Live
NuGet             Pro         Live
Composer          Pro         Live
Conan             Pro         Live
Conda             Pro         Live
CRAN              Pro         Live
Julia             Pro         Live
Docker / OCI      Enterprise  Live
Debian / Ubuntu   Enterprise  Live
RPM               Enterprise  Live
Alpine            Enterprise  Live
AUR               Free        Live
Arch Linux        Free        Live
Homebrew          Pro         Live
Helm              Enterprise  Live
Chef              Enterprise  Live
Terraform         Enterprise  Live

How the Vulnetix Package Firewall compares
Evaluating Aikido SafeChain, Socket, JFrog Curation or DevGuard? Each is a capable supply-chain tool — here is where the Vulnetix Package Firewall is different, and where it wins.
One de-duplicated corpus, every major feed
The firewall checks each install against a malware corpus that aggregates OSSF Malicious Packages, OSV.dev malware advisories, GitHub Advisory and Vulnetix first-party research into one de-duplicated set — one of the largest in the industry, and broader than any single-feed scanner.
12 policy controls, including EOL & exploit intelligence
Beyond malware, gate installs on CVSS, EPSS, Coalition ESS, CISA KEV, weaponized / active / PoC exploit maturity, bad-actor association, cooldown and version lag — plus end-of-life blocking that competitors do not offer. Tune every threshold per ecosystem.
Block, then fix — not just alert
When a version is blocked, Safe Harbour resolves the nearest safest / latest / stable version that clears the finding and autofixes to it. This remediation step is unique to Vulnetix — found nowhere else among package firewalls.
Vulnetix Package Firewall vs Aikido SafeChain, Socket, JFrog & DevGuard
Aikido SafeChain
A free CLI that wraps npm / pnpm / yarn to block known-malicious packages at install time.
Focus: malware interception for JavaScript package managers.
Vulnetix edge: Vulnetix firewalls 25+ registries, not just JavaScript, and layers 12 configurable policies (CVSS, EPSS, Coalition ESS, CISA KEV, end-of-life, exploit maturity) on top of malware blocking, then offers Safe Harbour autofix to a known-clean version.

Socket
Socket.dev and Socket Firewall (sfw): behavioural / AI analysis of package signals such as install scripts, obfuscation and network access.
Focus: detecting and alerting on suspicious package behaviour, mostly across npm and PyPI.
Vulnetix edge: Vulnetix adds policy-grade gating on CVSS, EPSS, Coalition ESS, CISA KEV, end-of-life and exploit maturity, draws on a de-duplicated malware corpus aggregated from OSSF Malicious Packages, OSV.dev and GitHub Advisory, and turns a block into a fix with Safe Harbour autofix, not just an alert.

JFrog Curation & Xray
Curation gates packages entering Artifactory; Xray scans artefacts for CVEs and licence issues.
Focus: policy gating and SCA for teams already standardised on the JFrog Platform / Artifactory.
Vulnetix edge: Vulnetix needs no Artifactory, since it proxies any package manager directly, and adds end-of-life and exploit-intelligence policies plus Safe Harbour autofix, free for Go and Arch/AUR.

DevGuard
An open-source DevSecOps platform: SCA, SBOM, VEX and in-toto supply-chain attestations.
Focus: self-hosted, open-source software-composition and supply-chain attestation.
Vulnetix edge: Vulnetix pairs a managed VDB and de-duplicated malware corpus with exploit intelligence, a 25+ registry install-time firewall, and Safe Harbour autofix, with no infrastructure to run.
See all package firewall alternatives compared →
Package Firewall — frequently asked questions
Is the Vulnetix Package Firewall an alternative to Aikido SafeChain?
Yes. Aikido SafeChain blocks malicious npm/pnpm/yarn packages at install. The Vulnetix Package Firewall does the same across 25+ registries — not just JavaScript — and adds 12 configurable policies (CVSS, EPSS, Coalition ESS, CISA KEV, end-of-life, exploit maturity) plus Safe Harbour autofix to a known-clean version.
How is Vulnetix different from Socket?
Socket analyses package behaviour and alerts on suspicious signals. Vulnetix turns that into enforceable policy: it gates installs on CVSS, EPSS, CISA KEV, end-of-life and exploit maturity against a de-duplicated malware corpus, then remediates with Safe Harbour autofix instead of only raising an alert.
Do I need JFrog Artifactory to use the Vulnetix Package Firewall?
No. JFrog Curation gates packages entering Artifactory and Xray scans artefacts within the JFrog Platform. The Vulnetix Package Firewall is a standalone proxy in front of any package manager — no Artifactory required — and adds end-of-life and exploit-intelligence policies plus Safe Harbour autofix, free for Go and Arch/AUR.
How does Vulnetix compare to DevGuard?
DevGuard is a self-hosted open-source DevSecOps platform for SCA, SBOM and attestation. Vulnetix is a managed service that pairs a de-duplicated malware corpus and exploit intelligence with a 25+ registry install-time firewall and Safe Harbour autofix — with no infrastructure to run.
What makes Vulnetix Safe Harbour autofix unique?
When the firewall blocks a version, Safe Harbour resolves the nearest safest, latest or stable version that clears the finding and autofixes to it. Competing package firewalls block or alert; Safe Harbour autofix — fixing as well as blocking — is found only in Vulnetix.
Protect your Go workspace today
Free for community plans. One command to configure. 12 policy controls active immediately, blocking malware, critical CVEs, active exploits, and fast-follow attacks before they reach your machine.
curl -fsSL https://cli.vulnetix.com/install.sh | sh