Homebrew
Homebrew is firewalled through its API-mode client: the formula API and bottle artifacts are served through the proxy, and bottle downloads are gated so a blocked bottle cannot be fetched.
- Proxy URL:
https://packages.vulnetix.com/homebrew/api(API) andhttps://packages.vulnetix.com/homebrew-bottle(bottles) - Plan: Pro
- Enforcement: Gate — the formula API is proxied; a blocked bottle download returns a policy status.
Getting started
vulnetix package-firewall homebrew
This resolves your organization credentials, writes them to ~/.netrc, and writes a shell env file to ~/.config/vulnetix/package-firewall/homebrew.env. Homebrew reads these settings from environment variables, so source the file to activate it:
source ~/.config/vulnetix/package-firewall/homebrew.env
Add that source line to your shell profile (~/.zshrc, ~/.bashrc, …) to persist it. Re-run the command any time; it updates the file in place.
Flags: --proxy-url (default https://packages.vulnetix.com), --base-url (VDB API), --dry-run to preview without writing.
Configuration
~/.config/vulnetix/package-firewall/homebrew.env:
export HOMEBREW_API_DOMAIN="https://YOUR_ORG_UUID:YOUR_API_KEY@packages.vulnetix.com/homebrew/api"
export HOMEBREW_ARTIFACT_DOMAIN="https://YOUR_ORG_UUID:YOUR_API_KEY@packages.vulnetix.com/homebrew-bottle"
export HOMEBREW_ARTIFACT_DOMAIN_NO_FALLBACK="1"
HOMEBREW_ARTIFACT_DOMAIN_NO_FALLBACK=1 is required: without it Homebrew falls back to ghcr.io when a bottle is blocked, bypassing the firewall’s bottle gate.
Use it
brew install wget
Verify the firewall is active:
brew config | grep HOMEBREW_API_DOMAIN
Block responses & exit codes
A blocked package returns a semantic HTTP status with a JSON body — 423 malware, 426 vulnerable (upgrade), 425 cooldown, 428 bad actor, 422 end-of-life, 402 plan not entitled. A blocked bottle download returns the policy status; with NO_FALLBACK=1 set, Homebrew does not silently fall back to ghcr.io. See Block responses & exit codes for the full table. The vulnetix package-firewall homebrew command exits 0 on success and 1 on failure.
Configure policies
Thresholds (CVSS/EPSS/CESS), block toggles (malware, KEV, weaponized, …), and the release cooldown window are set per organization — in the Vulnetix console or with the CLI (vulnetix config set package-firewall). See Configuring policies.
Troubleshooting
- The env vars must be loaded into the shell that runs
brew—sourcethe env file or add it to your shell profile / CI environment. - Keep
HOMEBREW_ARTIFACT_DOMAIN_NO_FALLBACK=1; removing it lets Homebrew bypass a blocked bottle viaghcr.io. - Stale metadata:
brew updatere-fetches the formula API through the firewall. - Remove it later with
vulnetix package-firewall uninstall homebrew. - See Troubleshooting for shared auth, shell, and cache guidance, and
vulnetix auth statusto confirm what is configured.