Skip to content

Upwarden documentation

Upwarden is a self-hosted dependency firewall that sits between your package managers and the public registries, stripping malicious and unanalyzed package versions before they reach your code — without breaking your build.

This index walks the customer journey linearly: Discover → Connect → First SAFE → Harden → Operate → Master. Each entry carries its primary personas inline so you can scan for the docs that match your role.

Before you touch anything, here’s how Upwarden decides what to block, what to pass, and what to hold.

  • Verdicts & the scanner — how Upwarden decides SAFE / BLOCKED / QUARANTINED. [security] [dev]
  • Silent rollback — why floating ranges stay green even when a specific version is blocked. [dev] [security]
  • Tenants, projects, API keys — the three-level access surface your CI topology maps onto. [org-admin] [security] [devops]
  • CI runner attribution — three trust tiers on every audit row; what actor_source = oidc_github means and why it matters. [security] [org-admin] [devops]

The first round-trip: a vk_ key, a registry URL, and one install command.

  • Installation — stand up Upwarden or get the URL for your hosted instance. [devops]
  • Create your first key — mint a project API key for a CI runner. [org-admin] [devops]
  • Quickstart — one CI snippet per ecosystem (npm, PyPI, Cargo, NuGet, Maven, Go). [dev] [devops]

The “did anything actually happen” check.

  • Verify it’s working — what a successful install looks like and how to read the audit log to confirm. [dev] [devops]

Harden — set policy and tighten the perimeter

Section titled “Harden — set policy and tighten the perimeter”

Once the proxy is in the path, decide what it enforces.

Operate — the dashboard and the day-to-day

Section titled “Operate — the dashboard and the day-to-day”

The pages you’ll spend the most time on once Upwarden is enforcing in production.

The full map lives at Dashboard surfaces. The most-frequently-used pages:

  • Audit log — investigate every install decision, membership change, and policy edit. [security] [org-admin]
  • Packages search — look up a package’s verdict, allowlist / blocklist matches, and the recent audit fragment from one screen. [security] [dev]
  • Policies and overrides — edit the org’s enforcement policy and, on Org+, deviate from tier defaults. [security] [org-admin]
  • Members and teams — invite, role, suspend, team-scope. [org-admin] [security]
  • Identity & SSO panel — bind Stytch, manage SAML / OIDC, claim domains, read JWKS. [security] [devops]
  • Your account and step-up auth — your own profile, sessions, passkeys, the “Confirm it’s you” prompt. [dev] [org-admin]
  • Querying the audit log — JSON-API patterns when the dashboard’s filters aren’t enough. [security] [devops]
  • Troubleshooting — when an audit row points at a misconfiguration rather than a deliberate block. [dev] [devops]
  • When your org is suspended — what members see, what’s blocked vs. read-only, and the recovery path. [org-admin] [security]
  • Rename your org — slug rename, 6-month redirect window, webhook event, customer email. [org-admin]

When you’re ready to integrate Upwarden’s signal into your wider AppSec stack.

By role:

Operator-facing documentation for running and integrating Upwarden. Marketing positioning lives on the product site; this is the manual.