Shadow Download Best Practices
Nexus Repository is the system of record (SOR) for third-party software, open-source components, and built artifacts for your organization. Shadow downloads are third-party or open-source components retrieved directly from public repositories in a way that bypasses Nexus Repository. These components add risk by letting dependencies into your build pipeline without review or visibility, which prevents your organization from centrally managing its artifacts.
To mitigate shadow downloads, consider the following recommendations.
Integrate with Zscaler
Integrate Repository Firewall with Zscaler to provide additional defense against malware hidden within shadow downloads. This integration extends protection beyond standard repository boundaries, ensuring comprehensive coverage even if initial governance measures are bypassed.
Builds only retrieve components from Nexus Repository
Forcing builds to use only components already cached in your Nexus Repository acts as a fail-safe, ensuring that no new components are added to your projects without prior evaluation. This can be achieved by applying policies to incoming components with Repository Firewall.
Require all developers to use Nexus Repository
All developers should be required to retrieve components through your Nexus Repository instance. Where possible for your organization, the remote repository location should be locked to Nexus Repository on all corporate machines.
Block direct downloads from the public repositories within your corporate network
Only authorized sources, such as a centrally managed Nexus Repository, should be permitted to download component libraries.
Control package managers with a mobile device management (MDM) solution
An MDM solution allows organizations to ensure that all company laptops use package manager configurations pointing to your Nexus Repository. Use it to lock those configuration files or to receive notifications when the settings are changed.
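The three recommendations above (developers retrieve through Nexus Repository, public repositories are blocked, and MDM locks or monitors package manager settings) all rest on the same check: does every registry or index URL a package manager has been configured with point at your Nexus Repository host? The script below is an added example for this page and is not Sonatype code or part of an MDM product; it audits the configuration files of npm, pip, and Maven on a machine and reports any URL that bypasses Nexus Repository, any file that configures no URL at all (the package manager then falls back to its public default), and any file that is missing. The hostname `nexus.example.internal`, the function name `audit_config`, and the sample files it creates are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the Nexus Repository documentation): audit
# package-manager configuration files and report any registry URL that does
# not point at the organization's Nexus Repository instance.
# NEXUS_HOST is an assumed hostname; replace it with your own.
NEXUS_HOST="${NEXUS_HOST:-nexus.example.internal}"

# audit_config FILE
#   Prints one line per finding:
#     OK      FILE         every URL in FILE uses NEXUS_HOST
#     SHADOW  FILE URL     a URL that bypasses Nexus Repository
#     DEFAULT FILE         FILE configures no URL at all, so the package
#                          manager will fall back to its public default
#     MISSING FILE         FILE does not exist (same fallback applies)
#   Returns 0 only when the file is present and clean.
audit_config() {
  file="$1"
  rc=0
  if [ ! -f "$file" ]; then
    echo "MISSING $file"
    return 1
  fi
  # Pull every http(s) URL out of the file regardless of its format
  # (.npmrc, pip.conf, settings.xml, init.gradle all embed plain URLs).
  urls=$(grep -Eo 'https?://[^[:space:]"<>]+' "$file" || true)
  if [ -z "$urls" ]; then
    echo "DEFAULT $file"
    return 1
  fi
  for u in $urls; do
    # Reduce the URL to its hostname: drop the scheme, any user:pass@
    # prefix, and everything from the first ':' or '/' onwards.
    host=$(printf '%s\n' "$u" | sed -E 's#^https?://([^@/]*@)?([^/:]+).*#\2#')
    if [ "$host" != "$NEXUS_HOST" ]; then
      echo "SHADOW $file $u"
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK $file"
  return "$rc"
}

# Demonstration on constructed sample files in a temporary directory.
demo() {
  tmp=$(mktemp -d)
  # Clean: npm pinned to the Nexus npm group repository.
  printf 'registry=https://%s/repository/npm-group/\n' "$NEXUS_HOST" > "$tmp/.npmrc"
  # Shadow: pip has the Nexus index but also an extra public index.
  printf '[global]\nindex-url = https://%s/repository/pypi-group/simple\nextra-index-url = https://pypi.org/simple\n' \
    "$NEXUS_HOST" > "$tmp/pip.conf"
  # Default: a Maven settings.xml with no mirror configured at all.
  printf '<settings><offline>false</offline></settings>\n' > "$tmp/settings.xml"
  for f in "$tmp/.npmrc" "$tmp/pip.conf" "$tmp/settings.xml" "$tmp/init.gradle"; do
    audit_config "$f" || :
  done
  rm -rf "$tmp"
}

demo
```

Run it from an MDM or endpoint agent against the real paths (`~/.npmrc`, `~/.config/pip/pip.conf`, `~/.m2/settings.xml`, `~/.gradle/init.gradle`) and alert on any line that is not `OK`; the `DEFAULT` and `MISSING` cases matter as much as `SHADOW`, because an absent configuration silently resolves to the public registry.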
New component or repository request process
Create an internal process that allows development teams to request content from public repositories that is not currently available through approved means. Once approved, these components can be stored in designated repositories within your repository manager.
Enable Repository Health Check
Repository Health Check identifies open-source security risks in your proxy repositories. Enabling this feature lets you monitor your components for potential security risks, and reviewing the Repository Health Check regularly can alert you to new components that bypassed your normal ingress processes.
Enable Release Integrity and malicious component protection
While shadow downloads bypass Nexus Repository entirely, Repository Firewall acts as a line of defense for everything your build systems do retrieve through your central repositories.