Quarantine
When a Bytesafe plugin identifies a package as a risk, you will often want to protect developer and build environments from continued use of that package, and in most cases you want that to happen without human interaction.
Bytesafe's quarantine functionality does exactly that: packages deemed a risk are held in a secure quarantine.
A quarantined package is essentially blocked from use until it is released from quarantine. Quarantined package versions cannot be installed by developers or downstream registries, nor can they be pushed to upstream registries.
Quarantined packages can be identified by the red border and marker in the workspace, and all quarantined packages in a registry can be found by clicking the quarantine metric on the registry dashboard.
Quarantine is a Dependency Firewall feature.
Adding packages to quarantine
A package can either be manually quarantined from the workspace or automatically by a plugin or policy.
Manual quarantine of packages is performed by clicking Quarantine for a package version.
Automatic quarantine of packages is performed by the Vulnerability scanner or License Compliance plugins, when automatic quarantine has been enabled in the plugin settings. See quarantine configuration below for more information.
Issues and notifications
Automatic quarantine of packages by a plugin will also open issues in the workspace and trigger related notifications to active users in the registry.
Releasing packages from quarantine
Once the package has been audited and any related issues have been reviewed and fixed, the package can be released from quarantine, or deleted if it is deemed unwanted.
Configuration
Both the Vulnerability scanner and License Compliance plugins can be configured to automatically quarantine packages. To do so, open the settings for the plugin from the plugins overview for a registry and enable quarantine.
Quarantine settings allow you to set a severity threshold for when a package will be put in quarantine.
For example, if you decide that it is not worth breaking builds or interrupting developers' work for low severity issues, simply adjust the threshold level.
You can also configure the plugin to quarantine only packages for which a patched (upgrade) version has been released.
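The following is an added example, not Bytesafe's own code, that models how a severity threshold and the "only when a patch is available" option combine to decide whether a package version is quarantined, and how a quarantined version is then refused at install time and becomes available again once released. The package names, advisory records, the policy object shape and the function and class names are all constructed for the illustration and are not Bytesafe identifiers.

```javascript
// Added example: a toy model of threshold-based automatic quarantine in an
// npm-style registry. This is NOT Bytesafe's code; the package names,
// advisories, policy shape and function names below are all constructed here.

const SEVERITY_RANK = { low: 0, moderate: 1, high: 2, critical: 3 };

// Constructed scanner output: one record per package version, with the
// advisories found and the first version that patches each one (or null).
const SAMPLE_VERSIONS = [
  { name: "left-pad-ish", version: "1.0.0",
    advisories: [{ id: "EX-1", severity: "low", patchedIn: "1.0.1" }] },
  { name: "left-pad-ish", version: "1.0.1", advisories: [] },
  { name: "yaml-ish", version: "2.1.0",
    advisories: [{ id: "EX-2", severity: "moderate", patchedIn: "2.2.0" },
                 { id: "EX-3", severity: "critical", patchedIn: null }] },
  { name: "logger-ish", version: "0.9.0",
    advisories: [{ id: "EX-4", severity: "high", patchedIn: "1.0.0" }] },
];

function rank(severity) {
  if (!(severity in SEVERITY_RANK)) throw new Error(`unknown severity: ${severity}`);
  return SEVERITY_RANK[severity];
}

// Decide whether one package version should be quarantined under a policy of
// the (constructed) shape { threshold: "high", onlyIfPatchAvailable: false }.
function shouldQuarantine(pkg, policy) {
  // Only advisories at or above the threshold can trigger quarantine.
  const triggering = pkg.advisories.filter(a => rank(a.severity) >= rank(policy.threshold));
  if (triggering.length === 0) {
    return { quarantine: false, reason: `no advisory at or above ${policy.threshold}` };
  }
  // With onlyIfPatchAvailable, hold back until at least one triggering
  // advisory has a released fix the developer can upgrade to.
  if (policy.onlyIfPatchAvailable && !triggering.some(a => a.patchedIn)) {
    return { quarantine: false, reason: "no patched version released for the triggering advisories" };
  }
  const worst = triggering.reduce((w, a) => (rank(a.severity) > rank(w.severity) ? a : w));
  return { quarantine: true, reason: `${worst.id} is ${worst.severity} (threshold ${policy.threshold})` };
}

// Minimal registry: scanning marks versions, resolution refuses marked ones,
// and release clears the mark so the version can be installed again.
class Registry {
  constructor(versions, policy) {
    this.versions = versions;
    this.policy = policy;
    this.quarantined = new Set(); // entries are "name@version"
  }
  scanAll() {
    for (const v of this.versions) {
      if (shouldQuarantine(v, this.policy).quarantine) {
        this.quarantined.add(`${v.name}@${v.version}`);
      }
    }
    return [...this.quarantined].sort();
  }
  resolve(name, version) {
    const key = `${name}@${version}`;
    if (this.quarantined.has(key)) return { ok: false, error: `${key} is quarantined` };
    const found = this.versions.find(v => v.name === name && v.version === version);
    return found ? { ok: true, tarball: `${key}.tgz` } : { ok: false, error: `${key} not found` };
  }
  release(name, version) {
    return this.quarantined.delete(`${name}@${version}`);
  }
}

// Stand-alone demo: threshold "high", quarantine regardless of patch availability.
const demo = new Registry(SAMPLE_VERSIONS, { threshold: "high", onlyIfPatchAvailable: false });
console.log("quarantined:", demo.scanAll());
console.log("install yaml-ish@2.1.0:", demo.resolve("yaml-ish", "2.1.0"));
```

Note the interaction between the two settings in the sample data: `yaml-ish@2.1.0` carries a critical advisory with no released fix, so with a "high" threshold it is quarantined under the default policy but left alone when only patchable packages are quarantined, while its moderate advisory never counts because it sits below the threshold.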