Block install scripts policy

Quarantines all npm packages with pre- and post-install scripts.

The Block Install Scripts policy is a security policy that quarantines all npm packages with pre- and post-install scripts. The policy is designed to help protect your organization from potential security risks associated with install scripts.

How it works

When a developer or CI/CD environment tries to install a package with an install script, the policy will quarantine the package and prevent it from being installed on your system. You will then have the opportunity to review the install script and decide whether or not to approve the package.

Please note that it is common for packages to depend on install scripts, so there may be some initial review work required.
This policy currently supports the npm ecosystem.

Use Cases and Benefits

The Block Install Scripts policy gives you visibility into install scripts and can help protect your organization from a number of security risks, including:

  • Insights: The policy will give you insights into which packages have scripts that need to be reviewed. Without it you might be installing malicious code without knowing about it.
  • Malware: Install scripts can be used to install malware on your system. By quarantining packages with install scripts, you can help to prevent this from happening.
  • Vulnerable packages: Install scripts can be used to install vulnerable packages on your system. By quarantining packages with install scripts, you can help to ensure that you only install packages that are up-to-date and secure.
  • Supply chain attacks: Install scripts can be used to launch supply chain attacks on your organization. By quarantining packages with install scripts, you can help to prevent this from happening.

Enabling the Block Install Scripts policy

  1. Log in to your Bytesafe workspace, navigate to your firewall or registry and click on the Plugins tab.
  2. Enable Block Install Scripts Policy.
  3. Done! Any package with pre- or post-install scripts will now be quarantined.

Handling Quarantined Packages

If a package is quarantined, Bytesafe will send you a notification. Follow these suggested steps to review and decide whether to approve the package:

  1. Access the quarantined package details.
  2. Thoroughly review the install script(s) and package content for potential risks or issues.
  3. Make a decision:
    • If the package is deemed safe, approve it by releasing it from quarantine. The package will then become immediately available to your organization for installation.
    • If the package is considered unsafe or non-compliant, keep it in quarantine. This prevents the package from being installed, as it remains unavailable to your organization.

Carefully evaluate each quarantined package to ensure the integrity of your software development process.
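As an added example (not Bytesafe's own code) of the check described under "How it works" and of the review in step 2 above, the script below inspects a package's manifest and lists the install-time hooks a reviewer must read. It goes beyond the page in two ways: it also flags the plain "install" hook, which npm runs between preinstall and postinstall, and it reports the implicit "node-gyp rebuild" install step npm adds when a tarball ships a binding.gyp file without a declared install or preinstall script. The sample manifests and file lists are constructed.

```javascript
// Install-time lifecycle hooks npm runs. The page names pre- and post-install;
// the plain "install" hook runs between them and is included here as well.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return the install-time hooks a package declares, with their commands.
// `files` lists the paths in the package tarball: npm adds an implicit
// "install" hook (node-gyp rebuild) when binding.gyp is present and neither
// install nor preinstall is declared, so that case is reported as well.
function findInstallScripts(manifest, files = []) {
  const scripts = (manifest && manifest.scripts) || {};
  const hits = INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string" && scripts[hook].trim() !== "")
    .map((hook) => ({ hook, command: scripts[hook], implicit: false }));
  const declared = hits.map((h) => h.hook);
  if (files.includes("binding.gyp") && !declared.includes("install") && !declared.includes("preinstall")) {
    hits.push({ hook: "install", command: "node-gyp rebuild", implicit: true });
  }
  return hits;
}

// Policy decision: any install-time hook means quarantine pending manual review.
function evaluatePackage(manifest, files = []) {
  const scripts = findInstallScripts(manifest, files);
  const action = scripts.length > 0 ? "quarantine" : "allow";
  return { name: `${manifest.name}@${manifest.version}`, action, scripts };
}

// One review line per package, listing the commands a reviewer must read.
function reviewLine(result) {
  if (result.action === "allow") return `${result.name}: allow`;
  const detail = result.scripts
    .map((s) => `${s.hook}${s.implicit ? " (implicit)" : ""}: ${s.command}`)
    .join("; ");
  return `${result.name}: QUARANTINE [${detail}]`;
}

// Constructed sample packages (manifest plus tarball file list), not real ones.
const SAMPLES = [
  { manifest: { name: "plain-lib", version: "1.0.0", scripts: { test: "node test.js" } }, files: ["package.json", "index.js"] },
  { manifest: { name: "hooked-pkg", version: "0.1.0", scripts: { preinstall: "node setup.js", postinstall: "node done.js" } }, files: ["package.json"] },
  { manifest: { name: "native-addon", version: "2.3.1", scripts: {} }, files: ["package.json", "binding.gyp"] },
];

// Evaluate the samples and return the review report as an array of lines.
function reviewSamples() {
  return SAMPLES.map((s) => reviewLine(evaluatePackage(s.manifest, s.files)));
}

console.log(reviewSamples().join("\n"));
```

To review a real package, feed it the package.json and file list taken from the published tarball rather than from the source repository, since only the tarball contents are what npm executes at install time.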