Block install scripts policy
The Block Install Scripts policy is a security policy that quarantines all npm packages with pre- and post-install scripts. The policy is designed to help protect your organization from potential security risks associated with install scripts.
How it works
When a developer or CI/CD environment tries to install a package with an install script, the policy will quarantine the package and prevent it from being installed on your system. You will then have the opportunity to review the install script and decide whether or not to approve the package.
Use Cases and Benefits
The Block Install Scripts policy can help protect your organization from a number of security risks, including:
- Insights: The policy will give you insights into what packages have scripts that will need to be review. Without it you might be installing malicious code without knowing about it.
- Malware: Install scripts can be used to install malware on your system. By quarantining packages with install scripts, you can help to prevent this from happening.
- Vulnerable packages: Install scripts can be used to install vulnerable packages on your system. By quarantining packages with install scripts, you can help to ensure that you only install packages that are up-to-date and secure.
- Supply chain attacks: Install scripts can be used to launch supply chain attacks on your organization. By quarantining packages with install scripts, you can help to prevent this from happening.
Enabling the Block Install Scripts policy
- Log in to your Bytesafe workspace and navigate to your firewall or registry and click on the Plugins tab
- Enable Block Install Scripts Policy.
- Done! Any package with pre- or post-install scripts will now be quarantined.
Handling Quarantined Packages
If a package is quarantined, Bytesafe will send you a notification. Follow these suggested steps to review and decide whether to approve the package:
- Access the quarantined package details
- Thoroughly review the install script(s) and package content for potential risks or issues
- Make a decision:
- If the package is deemed safe, approve it by releasing it from quarantine. The package will then become immediately available to your organization for installation.
- If the package is considered unsafe or non-compliant, keep it in quarantine. This prevents the package from being installed, as it remains unavailable to your organization.
Carefully evaluate each quarantined package to ensure the integrity of your software development process.