Skip to content

Phoenix Firewall v0.2.0

Choose a tag to compare

@franksec42 franksec42 released this 01 Jun 18:47

First public release of the Phoenix Security Blue Shield Firewall — an intelligence-driven supply chain firewall that intercepts package manager
traffic and blocks malicious packages before they execute.


What's included

MITM Proxy — sits transparently between your package manager and the registry. Intercepts npm, pip, yarn, pnpm, uv, and poetry traffic, evaluates
every package against the Phoenix Security MPI engine, and returns a 403 before installation if blocked.

Userland shim mode (--ci) — wraps package manager commands with no root or MDM required. Works on developer machines and CI runners alike.

14-condition rules engine — per-tenant policy rules with AND/OR logic and action precedence: block > require_approval > warn > audit > allow.
Conditions include MPI confidence score, signal IDs, threat type, package age, MITRE techniques, license category, and more.

LaunchAgent / systemd-user / schtasks — optional persistent background service installation for macOS, Linux, and Windows without system
privileges.

Local ED25519 bypass tokens — signed offline exception tokens for air-gapped or controlled environments.

Offline / fallback feed mode — --fallback-feed for air-gapped environments using a locally cached blocklist.

CI/CD integrations — GitHub Actions, GitLab CI, Jenkins, Azure DevOps, Bitbucket Pipelines, and a generic installer.

Sigstore keyless signing — checksums.txt is signed via Sigstore (Fulcio + Rekor) using this workflow's GitHub OIDC identity. No secrets, no keys
to rotate.


Installation

macOS / Linux
curl -sSfL https://github.com/Security-Phoenix-demo/blue-shield-firewall/releases/download/v0.1.0/phoenix-firewall-$(uname -s | tr A-Z
a-z)-$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
-o ~/.local/bin/phoenix-firewall
chmod +x ~/.local/bin/phoenix-firewall
phoenix-firewall --version

Windows — download phoenix-firewall-windows-amd64.exe from the assets below, place it on your PATH.

Get started
export PHOENIX_API_KEY=phx_...
eval $(phoenix-firewall --api-key $PHOENIX_API_KEY --ci)
npm install # protected

Get your API key at phxintel.security.


Verify integrity

sha256sum -c checksums-sha256.txt

Sigstore verification:
cosign verify-blob checksums-sha256.txt
--signature checksums-sha256.txt.sig
--certificate checksums-sha256.txt.pem
--certificate-oidc-issuer https://token.actions.githubusercontent.com
--certificate-identity-regexp "https://github.com/Security-Phoenix-demo/blue-shield-firewall"


Note on code signing

Binaries in this release are unsigned. Apple notarization and Windows EV code signing are pending procurement.

  • macOS: if Gatekeeper blocks the binary, run xattr -d com.apple.quarantine phoenix-firewall after download, or allow it via System Settings →
    Privacy & Security.
  • Windows: click More info → Run anyway if SmartScreen warns on first launch.

Integrity can be independently verified via the SHA-256 checksums and Sigstore signature above.