Bulwark – 종속성이 없는 공급망 보안 게이트웨이

Bulwark is a lightweight, zero-dependency security gateway that sits between your package managers and public registries (PyPI, npm, Maven Central). It inspects every package request against configurable policy rules and blocks anything risky, before it reaches your developers or CI pipeline. No database, UI, or vendor lock-in; just a single Go binary per ecosystem, a YAML config file, and full control over your software supply chain. Software supply chain attacks are the fastest-growing threat vector in the industry. From event-stream, ua-parser-js to PyPI malware campaigns, these attacks hit organizations of every size. Threats like the Shai-Hulud virus can reach any developer with a laptop connected to the internet. The risk is getting worse. AI agents have lowered the barrier to development, which great for innovation, but many new developers aren't aware of package management and supply chain security risks. Teams face three choices: - Do nothing — trust the open-source ecosystem. Fast, but completely unprotected. - Buy a commercial platform — enterprise artifact repositories and SCA scanners exist. You get controls, but at significant cost with opaque rule engines and vendor lock-in. - Bulwark — a transparent, self-hosted policy layer you own. Write rules in YAML. Version-control them. Deploy on Friday afternoon. Immediately protect your org. Watch Bulwark automatically apply safety rules to protect your package stream. Step 1: Start Bulwark docker-compose -f docker-compose.demo.yml up -d Wait ~10 seconds for the container to boot. Check health: curl http://localhost:18001/healthz Step 2: Configure npm npm config set registry http://localhost:18001/ Step 3: Install a Well-Established Package npm install lodash This succeeds. lodash is years old and passes Bulwark's 7-day minimum age check. Step 4: Try a Known-Malicious Package (Blocked by Policy) npm install event-stream This fails. event-stream is on the deny list (compromised in 2018), so Bulwark blocks it before any code reaches your machine. Step 5: Try a Package with Install Scripts (Blocked by Policy) npm install bcrypt This fails. bcrypt has native install scripts in every published version, and it isn't in the trusted allowlist. Bulwark strips all those versions, leaving nothing installable. Your policies are enforced at the network level — no potentially malicious scripts execute. Step 6: Try a Typosquatted Package (Blocked by Policy) npm install loadsh This fails. loadsh is 1 edit away from lodash , typical typosquat. Bulwark's Levenshtein distance check catches it automatically and blocks the install. Real supply chain attacks use exactly this technique. Step 7: Try a Brand-New Package npm install any-package-published-today This fails. Even if legitimate, Bulwark's 7-day quarantine window blocks it by default. This prevents zero-day exploits before the community has time to discover them. To clean up: docker-compose -f docker-compose.demo.yml down npm config delete registry # restore default npm registry # Remove the Docker images built during the demo docker rmi bulwark-npm:latest bulwark-pypi:latest bulwark-maven:latest 2>/dev/null # Remove any dangling build cache docker builder prune -f When a package request arrives: - Package check: Does the package name match your deny lists? Is it typosquatted? Does it look suspicious? Block immediately if any rule fires. - Version filtering: For allowed packages, Bulwark fetches the version list from the upstream registry and filters each version: - Too new? Block if published /json passthrough, external tarball proxy with allowlist. - npm: Packument filtering, tarball proxy, scoped packages ( @scope/pkg ), install script detection. - Maven: maven-metadata.xml filtering, checksum invalidation, artifact policy, SNAPSHOT blocking. - Shared rule engine: Trusted package allowlists, pre-release blocking, age quarantine, license filtering, version pinning, deny lists, regex patterns, namespace protection, typosquatting detection, velocity anomalies, dry-run mode. - Operational: YAML config, structured logging (log/slog), dynamic log-level API, disk file logging, in-memory TTL cache, /healthz &/readyz probes, JSON metrics. - No prerequisites for pre-built binaries — download and run. - Go 1.26+ (only if building from source) - Docker (optional, for containerized deployment) The fastest way to get started. The installer downloads the correct binary for your platform, installs it, configures your package manager, creates an autostart entry, and applies the best-practices security rules — all in one command. macOS / Linux: curl -fsSL https://raw.githubusercontent.com/Bluewaves54/Bulwark/main/scripts/install.sh | bash Windows (PowerShell): irm https://raw.githubusercontent.com/Bluewaves54/Bulwark/main/scripts/install.ps1 | iex Install specific ecosystems only: macOS / Linux — install only the npm and pypi proxies: curl -fsSL https://raw.githubusercontent.com/Bluewaves54/Bulwark/main/scripts/install.sh | bash