Last month, Datadog announced an interesting and useful new feature they call the Supply-Chain Firewall (SCFW). It offers a real-time scanning approach that identifies vulnerabilities as developers pull packages from public registries like npmjs. The announcement also highlights the broader challenge organizations face when securing their software supply chain: managing risk consistently and efficiently at scale.
Anything that helps developers choose better, more secure open source packages is a good thing. That said, the Cloudsmith perspective on this would be that once you get beyond individual developers or small teams, it makes sense to create curated repositories - a proactive, centralized way to manage packages and enforce security policies. Let’s compare the two approaches.
What Datadog’s Supply-Chain Firewall Offers
Datadog’s SCFW intercepts and scans packages from public repositories in real time as developers pull them into their projects. This allows developers to get immediate feedback about vulnerabilities.
Key Benefits of SCFW:
- Real-Time Scanning: Developers are alerted about vulnerabilities as soon as they pull a package, reducing the risk of introducing issues further down the development pipeline.
- Pluggable Scanning Architecture: SCFW allows integration with different scanning engines, offering some flexibility for developers to tailor the tool to their needs.
SCFW focuses on individual package decisions during development. This works great at the individual developer level. For larger organizations, you’re probably going to need a more scalable solution to supply chain security. Here’s where just using SCFW would fall short in a larger organization:
- No Persistent Package Management: SCFW focuses on scanning in real time rather than managing a persistent, curated list of approved packages. Without a centralized repository, decisions about which packages and vulnerabilities are acceptable must be made repeatedly, often by individual developers.
- Inconsistent Security Decisions: Developers are tasked with deciding whether a vulnerability is acceptable. This can result in inconsistent decisions across teams - two developers may allow or block the same package based on personal judgment. For larger teams, this can become unmanageable without centralized oversight.
- Lack of Policy Enforcement: SCFW lacks a policy engine to define and enforce consistent rules for what constitutes an acceptable package. Without a policy framework, decisions are made on a case-by-case basis, which can increase the risk of vulnerabilities slipping through.
- Scalability Concerns: As teams and projects grow, real-time scanning could impact performance, particularly if a high volume of packages is being pulled. For organizations with complex pipelines, this may create bottlenecks.
- Limited Package Format Support: Currently, SCFW supports only a limited set of package formats (e.g., npm). Modern software teams typically work across multiple formats - such as Docker, Maven, PyPI, and others - which requires broader support.
The alternative to this is curated repositories. Rather than pulling directly from public sources, developers retrieve packages from trusted, centralized repositories that are managed and approved by their organization’s security team. Why is that better?
- Centralized and Persistent Security Control: With curated repositories, security teams or DevSecOps professionals define and maintain a trusted list of approved packages. Developers no longer need to assess vulnerabilities individually - every package pulled is already vetted, reducing risk and eliminating inconsistent decision-making.
- Policy-Driven Automation: Cloudsmith supports policy enforcement that automates decision-making about which packages are allowed. Security teams can set clear rules, such as blocking known vulnerabilities or restricting certain versions, and those policies are consistently applied across the organization.
- Scalability at Enterprise Levels: Cloudsmith is designed to scale seamlessly. Curated repositories ensure fast, efficient access without performance bottlenecks.
- Support for Multiple Package Formats: Cloudsmith (and other platforms like ours) supports a wide range of formats - including npm, Docker, Maven, PyPI, NuGet, and more - ensuring all teams can centralize their artifacts and manage security consistently, regardless of the technologies they use.
- Reduced Developer Burden: By shifting security decisions to a centralized repository and automated policies, Cloudsmith removes the need for developers to manually assess vulnerabilities. This allows teams to focus on building software, confident that they’re pulling packages from a secure, trusted source.
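To make the contrast between the two lists concrete, here is an added example (not Datadog's SCFW code and not Cloudsmith's policy engine) that models both decision points over the same constructed advisory data: a pull-time gate where each developer applies their own judgment to the scan findings, and a centralized policy that applies one severity threshold and one minimum-version rule for everyone. The package names, version ranges and severities are constructed for illustration; the install-spec parsing covers the npm `name@version` and pip `name==version` forms only.

```python
"""Pull-time scanning versus a centralized curated-repository policy.

Added example; the advisory feed, package names and policy values below are
constructed for illustration and do not describe any real package.
"""
from dataclasses import dataclass, field

# Constructed advisory feed. A version is affected when
# introduced <= version < fixed (ranges as in OSV-style data).
ADVISORIES = [
    {"ecosystem": "npm", "name": "demo-parser", "introduced": "1.0.0", "fixed": "1.3.0", "severity": "high"},
    {"ecosystem": "npm", "name": "@acme/demo-widget", "introduced": "0.0.0", "fixed": "2.0.0", "severity": "medium"},
    {"ecosystem": "pypi", "name": "demo-http", "introduced": "2.0.0", "fixed": "2.31.0", "severity": "critical"},
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def parse_version(version: str) -> tuple:
    """'1.2.3' -> (1, 2, 3); plain numeric versions only, enough for this example."""
    return tuple(int(part) for part in version.split("."))


def parse_install_spec(spec: str, ecosystem: str = "npm") -> tuple:
    """Turn 'name@1.2.3' / '@scope/name@1.2.3' (npm) or 'name==1.2.3' (pypi)
    into (ecosystem, name, version). A pinned version is required."""
    if ecosystem == "npm" and spec.startswith("@"):      # scoped package
        scope, rest = spec.split("/", 1)
        name, _, version = rest.partition("@")
        name = f"{scope}/{name}"
    else:
        name, _, version = spec.partition("@" if ecosystem == "npm" else "==")
    if not version:
        raise ValueError(f"version pin required: {spec}")
    return ecosystem, name, version


def find_advisories(ecosystem: str, name: str, version: str) -> list:
    """Advisories whose affected range contains this exact version."""
    v = parse_version(version)
    return [a for a in ADVISORIES
            if a["ecosystem"] == ecosystem and a["name"] == name
            and parse_version(a["introduced"]) <= v < parse_version(a["fixed"])]


def pull_time_scan(spec: str, ecosystem: str, developer_accepts) -> Decision:
    """SCFW-style gate: scan at pull time, then leave the call to the developer.
    developer_accepts(findings) -> bool stands in for each person's judgment."""
    eco, name, version = parse_install_spec(spec, ecosystem)
    findings = find_advisories(eco, name, version)
    if not findings:
        return Decision(True, ["no known advisories"])
    reasons = [f"{a['severity']} advisory, fixed in {a['fixed']}" for a in findings]
    return Decision(developer_accepts(findings), reasons)


class CuratedPolicy:
    """Centralized rules applied identically to every pull: a maximum tolerated
    severity, per-package minimum versions, and the set of supported formats."""

    def __init__(self, max_severity="low", min_versions=None,
                 ecosystems=("npm", "pypi", "maven", "docker", "nuget")):
        self.max_severity = max_severity
        self.min_versions = min_versions or {}
        self.ecosystems = set(ecosystems)

    def evaluate(self, ecosystem: str, name: str, version: str) -> Decision:
        reasons = []
        if ecosystem not in self.ecosystems:
            reasons.append(f"format {ecosystem} not served by the curated repository")
        for a in find_advisories(ecosystem, name, version):
            if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[self.max_severity]:
                reasons.append(f"{a['severity']} advisory exceeds policy threshold {self.max_severity}")
        floor = self.min_versions.get((ecosystem, name))
        if floor and parse_version(version) < parse_version(floor):
            reasons.append(f"version {version} below policy minimum {floor}")
        return Decision(not reasons, reasons or ["approved by policy"])


def compare(spec: str = "demo-parser@1.2.0", ecosystem: str = "npm") -> dict:
    """Same package, three decision makers: two developers with different
    personal thresholds, and one organization-wide policy."""
    lenient = lambda findings: all(a["severity"] != "critical" for a in findings)
    strict = lambda findings: False
    policy = CuratedPolicy(max_severity="medium", min_versions={("npm", "demo-parser"): "1.3.0"})
    eco, name, version = parse_install_spec(spec, ecosystem)
    return {
        "developer_a": pull_time_scan(spec, ecosystem, lenient).allowed,
        "developer_b": pull_time_scan(spec, ecosystem, strict).allowed,
        "curated_policy": policy.evaluate(eco, name, version).allowed,
    }


if __name__ == "__main__":
    for who, allowed in compare().items():
        print(f"{who:15} -> {'allow' if allowed else 'block'}")
```

Running `compare()` returns `{"developer_a": True, "developer_b": False, "curated_policy": False}`: the pull-time scan produced the same findings for both developers, but the outcome depended on who ran the install, whereas the policy object gives one answer and records why, which is the record a security team can audit and adjust centrally.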
Real-time vulnerability scanning, like Datadog’s SCFW, is an innovative approach for identifying risks early in the development process. We love seeing this kind of innovation to solve what are becoming increasingly urgent issues in securing the software supply chain. That said, for larger organizations, it’s not quite a complete solution.