Dependency Firewall support for Docker (OCI) upstream proxy registries
Cute Silverfish
Dependency Firewall is currently limited to non-OCI package ecosystems — Maven, npm, PyPI, NuGet, Cargo, Go, RPM, and Composer. Docker upstream proxy registries are not supported because the firewall enforcement pipeline does not handle OCI-compliant artifact addressing (image references, manifest digests). For teams whose primary supply chain security concern is container images, this means the feature cannot be used for their most critical artifact type.
Compounding the issue, the official Dependency Firewall documentation references Docker and Helm as filterable types in the Violations dashboard, which creates a reasonable expectation that these types are covered — leading to confusion when the configuration toggle is nowhere to be found.
Current state
The Enable Dependency Firewall toggle does not appear for Docker upstream proxy registries at any scope. There is no workaround within HAR. The limitation is also not documented on the configuration page, so customers have no way to know upfront which registry types are supported.
Requested functionality
Extend Dependency Firewall support to Docker upstream proxy registries, with the same Block and Warn mode behavior available for existing supported types. OPA policies should be evaluable against Docker image references at manifest pull time through the upstream proxy.
As a related ask: a supported registry types table on the Dependency Firewall documentation page would prevent this confusion for future customers.
Business value
Container image security is one of the most cited motivations for adopting Dependency Firewall. Without Docker support, the feature does not address the use case that drives most of its adoption.