Supply-chain control, on your terms.
Upwarden gives security and platform teams governance over every dependency that enters the org. Run it managed, self-hosted, or as a dedicated, isolated deployment for government and regulated environments — with SSO, full audit and explainable verdicts either way.
Governance without telemetry
Cloud-only tools require your dependency graph to leave your network to do their job. Upwarden is a registry-replacement reverse proxy you run yourself — so control and visibility never come at the cost of sending package names, machine IDs or org names to anyone.
- Runs inside your perimeter. Self-hosted on your infrastructure — nothing about your dependencies needs to egress.
- Zero telemetry. No package names, machine identifiers or org names leave your network. It's a core design principle, not a setting.
- Explainable verdicts. Every block decision carries a reason your team can audit and defend.
- Build-safe rollout. Silent rollback means you can deploy org-wide without breaking a single pipeline.
Three deployment models, one firewall
Choose the operating model that fits your risk profile — from a managed cloud to a fully isolated government deployment. The product and its verdicts are identical; only who runs it and where the data sits change.
Managed — Upwarden Cloud
We run it; you point your package managers at it. Multi-tenant with strict per-tenant isolation at the database row level. Upwarden sees package coordinates and the artifacts it serves — never your source. Your audit log is yours to query, and we never sell or share it.
Dedicated & isolated
For government and regulated buyers: your own isolated deployment, separate from the shared cloud, running in the infrastructure you operate so your data stays in your environment — plus cross-org SSO, IP allowlist and infinite audit retention. Fully air-gapped operation is on the roadmap.
Self-hosted
Run it entirely inside your perimeter with zero telemetry — nothing about your dependencies leaves your network. The same product, your infrastructure, full sovereignty.
- Cross-org SSO (SAML / OIDC). Federate identity across every team and tenant under one enterprise account.
- IP allowlist & org-wide MFA. Lock the dashboard and API to known networks and require MFA across the organisation.
- Infinite audit retention + export. Keep the complete record as long as compliance requires — queryable, and exportable for your SOC.
- Read-only support access. When our team assists, impersonation is hard-gated read-only — our staff can look to help, never act as you, and every access is audited.
- SLA-backed support. Response commitments and a direct line for incidents. See pricing for what sits on each tier.
Built for regulated, air-gapped environments
The controls security and platform teams need to make a dependency firewall a system of record — not just a gate.
Self-hosted shipped · air-gapped roadmap
Run entirely within your network with no external egress. Fully self-contained, air-gapped operation is on the enterprise roadmap.
RBAC & step-up shipped · policy-as-code roadmap
Role-based access today: a 35-capability permission system with per-tenant role overrides and step-up re-auth on sensitive operations. Programmable user-defined roles and full policy-as-code (rules in version control) are in active development.
Allow-listing & cooldown
Override specific block decisions with an audit trail, and refuse versions younger than N days (the cooldown window) to dodge freshly-published malware. Available on Team and up.
SBOM & provenance shipped
Generate per-org CycloneDX 1.5 and SPDX 2.3 SBOMs from the served set today. Scan verdicts ship signed Sigstore attestations (cosign / Fulcio / Rekor), and provenance verification is enforced at scan time. Scheduled SBOM exports and an archive are on the roadmap.
Audit trail & SIEM export shipped
A complete, queryable record of every manifest served, block, quarantine and rewrite — with actor identity (OIDC-verified where CI attribution is configured) and structured envelopes. Export to your SIEM as CSV, JSON or NDJSON at Org+, or native OCSF at Enterprise. Audit streaming to webhooks and stream targets (gzipped JSONL) is available at Org+; CEF/OCSF stream formats and a self-serve config UI are on the roadmap.
Bring your own scanner
Connect commercial or in-house scanners through a JWT-signed callback API. Their verdicts fuse into Upwarden's — detection as a platform, not a black box.
On maturity, in plain terms. The proxy core, manifest rewriting, audit trail + OCSF/CSV/JSON export, SBOM generation, signed Sigstore attestations + provenance verification, SSO, IP allowlist and the vector scanner are built and tested across all seven content-scanned ecosystems — npm, PyPI, crates.io, Go, Maven (incl. bytecode analysis), NuGet and RubyGems. A few capabilities above — air-gapped operation, the full policy-as-code / RBAC engine, and a self-serve SIEM-streaming config UI (plus CEF/OCSF stream formats) — remain on the near-term roadmap, marked accordingly. Tell us your requirements in a demo and we'll be precise about what's available today versus on the way.
From low-ops self-host to air-gapped governance
Small orgs
Self-host in minutes for shared protection and low ops. One firewall in front of every team's installs, no per-developer setup.
Small enterprises
Governance, audit, SSO and SBOM — inside your perimeter. Make dependency intake a controlled, reviewable process.
Large enterprises & government
Dedicated, isolated deployments with cross-org SSO, IP allowlist and infinite audit retention. SIEM-ready today, with fully air-gapped operation on the roadmap for regulated and government environments a cloud-only tool can't serve.
Govern your supply chain, your way
Tell us about your environment — managed, self-hosted, regulated, air-gapped or government — and we'll map Upwarden to it.