Upwarden documentation
Upwarden is a self-hosted dependency firewall that sits between your package managers and the public registries, stripping malicious and unanalyzed package versions before they reach your code — without breaking your build.
This index walks the customer journey linearly: Discover → Connect → First SAFE → Harden → Operate → Master. Each entry carries its primary personas inline so you can scan for the docs that match your role.
Discover — the model
Section titled “Discover — the model”Before you touch anything, here’s how Upwarden decides what to block, what to pass, and what to hold.
- Verdicts & the scanner — how Upwarden decides SAFE / BLOCKED / QUARANTINED.
[security] [dev] - Silent rollback — why floating ranges stay green even when a specific version is blocked.
[dev] [security] - Tenants, projects, API keys — the three-level access surface your CI topology maps onto.
[org-admin] [security] [devops] - CI runner attribution — three trust tiers on every audit row; what
actor_source = oidc_githubmeans and why it matters.[security] [org-admin] [devops]
Connect — point your CI at Upwarden
Section titled “Connect — point your CI at Upwarden”The first round-trip: a vk_ key, a registry URL, and one install command.
- Installation — stand up Upwarden or get the URL for your hosted instance.
[devops] - Create your first key — mint a project API key for a CI runner.
[org-admin] [devops] - Quickstart — one CI snippet per ecosystem (npm, PyPI, Cargo, NuGet, Maven, Go).
[dev] [devops]
First SAFE — confirm it’s working
Section titled “First SAFE — confirm it’s working”The “did anything actually happen” check.
- Verify it’s working — what a successful install looks like and how to read the audit log to confirm.
[dev] [devops]
Harden — set policy and tighten the perimeter
Section titled “Harden — set policy and tighten the perimeter”Once the proxy is in the path, decide what it enforces.
- Policy overrides — allowlists, denylists, per-tier defaults, and the typed-acknowledgement loosen flow on Org+.
[security] [org-admin] - Bring-your-own-scanner (BYOS) — wire your existing AppSec scanner into the verdict pipeline.
[security] [devops] - Sign-in and access control — magic links, MFA enforcement, IP allowlists.
[org-admin] [security] - Session duration (admin) — dashboard session lifetime knobs and audit posture.
[org-admin] [security] - Wire your CI for verified attribution — GitHub Actions OIDC tokens + trust bindings for verified per-workflow audit attribution.
[devops] [security] [org-admin]
Operate — the dashboard and the day-to-day
Section titled “Operate — the dashboard and the day-to-day”The pages you’ll spend the most time on once Upwarden is enforcing in production.
Dashboard surfaces
Section titled “Dashboard surfaces”The full map lives at Dashboard surfaces. The most-frequently-used pages:
- Audit log — investigate every install decision, membership change, and policy edit.
[security] [org-admin] - Packages search — look up a package’s verdict, allowlist / blocklist matches, and the recent audit fragment from one screen.
[security] [dev] - Policies and overrides — edit the org’s enforcement policy and, on Org+, deviate from tier defaults.
[security] [org-admin] - Members and teams — invite, role, suspend, team-scope.
[org-admin] [security] - Identity & SSO panel — bind Stytch, manage SAML / OIDC, claim domains, read JWKS.
[security] [devops] - Your account and step-up auth — your own profile, sessions, passkeys, the “Confirm it’s you” prompt.
[dev] [org-admin]
Non-UI operator tasks
Section titled “Non-UI operator tasks”- Querying the audit log — JSON-API patterns when the dashboard’s filters aren’t enough.
[security] [devops] - Troubleshooting — when an audit row points at a misconfiguration rather than a deliberate block.
[dev] [devops] - When your org is suspended — what members see, what’s blocked vs. read-only, and the recovery path.
[org-admin] [security] - Rename your org — slug rename, 6-month redirect window, webhook event, customer email.
[org-admin]
Master — depth and extension
Section titled “Master — depth and extension”When you’re ready to integrate Upwarden’s signal into your wider AppSec stack.
- Querying the audit log — repeated here because the same doc serves both Operate and Master readers.
[security] [devops] - Bring-your-own-scanner (BYOS) — callback shapes, idempotency, scanner timeouts.
[security] [devops] - OIDC trust bindings — admin API reference — full CRUD + reject-reason catalog for the verified-attribution surface.
[devops] [security]
Where you came from
Section titled “Where you came from”By role:
- A developer pointing your CI at an existing Upwarden → Quickstart → Verify it’s working → Troubleshooting.
- An operator standing up Upwarden → Installation → Create your first key → Dashboard surfaces.
- An integrator wiring SIEM, BYOS, or audit pipelines → Verdicts & the scanner → Querying the audit log → Bring-your-own-scanner.
What lives here
Section titled “What lives here”Operator-facing documentation for running and integrating Upwarden. Marketing positioning lives on the product site; this is the manual.