Livable allowlisting for developers
Workshop's Package Rules let you automatically allow or block software from popular package managers as it's released. Keep your developers happy by automatically approving software from Homebrew, npm, GitHub, and more.
The problem
The allowlist maintenance problem
Hash-based allowlisting falls apart the moment a package updates. Multiply by every ecosystem and every developer and the work never stops.
Developer needs
Teams rely on a steady stream of tools from public ecosystems, and those ecosystems update constantly.
- Homebrew: wget, jq, git, and hundreds more, sometimes shipping multiple times per day
- npm: typescript, eslint, and the rest of the JavaScript and TypeScript stack
- Cargo: ripgrep, bat, and other Rust packages from crates.io
- VS Code extensions used across Cursor and other VS Code forks
Security challenge
Every release ships a new binary, which means a new hash. Allowlisting on hashes alone turns routine updates into security work.
- Hashes change with every release
- Manual review of every version
- Bottleneck for routine updates
The old way
Without Package Rules
Hours to days of delay, multiplied across your fleet.
Developer updates
An engineer runs brew upgrade or npm install and pulls in the latest version of a tool.
Santa blocks
Santa sees a new, unknown hash and blocks execution. The developer is dead in the water.
Ticket filed
The developer files an approval ticket and waits, often with no idea how long it will take.
Manual approval
Security manually reviews and approves the new hash, then pushes the rule to the fleet.
Repeat forever
Every package, every version, every developer. The same loop, on every routine update.
The new way
Package Rules: set and forget
Point Workshop at the ecosystems your team uses, and allowlists stay current on their own.
Add a Package Rule
Tell Workshop which packages your team uses across each ecosystem. Pin versions, allow latest, or filter by version pattern.
Workshop fetches signing identity
Workshop pulls Team ID, Signing ID, and CDHash from each release. We unpack zip files, disk images, and tarballs to extract identifiers from the binaries inside.
Auto-syncs and audits
When a package updates, Workshop fetches the new identifiers and pushes the rule to your fleet. Every sync is logged in the Events view.
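The three steps above hinge on one detail: a rule keyed on signing identity (Team ID or Signing ID) keeps matching after a version bump, while a rule keyed on a hash (CDHash or file SHA-256) has to be re-issued for every release. The following added example, which is not Workshop's code, shows that decision in Python: it parses the text that `codesign -d --verbose=4 <binary>` prints, picks the most update-stable Santa rule type available, and checks whether a new release would need re-approval. The two `codesign` transcripts are constructed samples (the paths, identifiers, hashes and team ID are made up); the rule type names and the `TEAMID:SigningID` identifier form follow Santa's rule documentation, and the sync-rule dictionary shape is an assumption about a generic Santa sync server. The ad-hoc sample also covers the edge case the page's Homebrew support implies: a bottle with no Team ID offers only a CDHash, so it still needs a fresh identifier on every release.

```python
"""Derive Santa allowlist rules from codesign output (added example, not Workshop code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: what `codesign -d --verbose=4` prints for a Developer ID-signed tool.
SIGNED_V1 = """\
Executable=/usr/local/bin/exampletool
Identifier=com.example.exampletool
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Hash type=sha256 size=32
CDHash=0123456789abcdef0123456789abcdef01234567
Signature size=8972
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
# Constructed: the next release of the same tool. Only the code directory hash moved.
SIGNED_V2 = SIGNED_V1.replace(
    "0123456789abcdef0123456789abcdef01234567",
    "fedcba9876543210fedcba9876543210fedcba98")

# Constructed sample: an ad-hoc signed binary, as Homebrew bottles often are.
# There is no Team ID, so the CDHash is the only identifier left.
ADHOC_V1 = """\
Executable=/opt/homebrew/bin/exampletool
Identifier=exampletool-55554944
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=567 flags=0x2(adhoc) hashes=10+2 location=embedded
Hash type=sha256 size=32
CDHash=89abcdef0123456789abcdef0123456789abcdef
Signature=adhoc
TeamIdentifier=not set
"""
ADHOC_V2 = ADHOC_V1.replace(
    "89abcdef0123456789abcdef0123456789abcdef",
    "00112233445566778899aabbccddeeff00112233")


@dataclass(frozen=True)
class SigningIdentity:
    team_id: Optional[str]     # Apple Team ID, None when ad-hoc or unsigned
    signing_id: Optional[str]  # the "Identifier=" value from the code signature
    cdhash: Optional[str]      # hash of the code directory, changes every release


def parse_codesign(output: str) -> SigningIdentity:
    """Extract Team ID, Signing ID and CDHash from codesign's key=value lines."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields.setdefault(key.strip(), value.strip())  # first occurrence wins
    team = fields.get("TeamIdentifier")
    if team in (None, "", "not set"):  # codesign prints "not set" for ad-hoc signatures
        team = None
    return SigningIdentity(team, fields.get("Identifier") or None,
                           fields.get("CDHash") or None)


def santa_rule(identity: SigningIdentity) -> Tuple[str, str]:
    """Return (rule_type, identifier) using the most version-stable Santa rule type.

    Preference order: SIGNINGID (TeamID:SigningID) > TEAMID > CDHASH.
    A BINARY (file SHA-256) rule is the last resort and is left to the caller.
    """
    if identity.team_id and identity.signing_id:
        return ("SIGNINGID", f"{identity.team_id}:{identity.signing_id}")
    if identity.team_id:
        return ("TEAMID", identity.team_id)
    if identity.cdhash:
        return ("CDHASH", identity.cdhash.lower())
    raise ValueError("no signature identifiers found; fall back to a BINARY rule")


def to_sync_rule(output: str, policy: str = "ALLOWLIST") -> dict:
    """Shape the rule as a sync-server record (field names are an assumption)."""
    rule_type, identifier = santa_rule(parse_codesign(output))
    return {"rule_type": rule_type, "policy": policy, "identifier": identifier}


def needs_reapproval(old_output: str, new_output: str) -> bool:
    """True when the rule derived for the new release differs from the old one."""
    return santa_rule(parse_codesign(old_output)) != santa_rule(parse_codesign(new_output))


if __name__ == "__main__":
    print(to_sync_rule(SIGNED_V1))
    print("signed update needs re-approval:", needs_reapproval(SIGNED_V1, SIGNED_V2))
    print(to_sync_rule(ADHOC_V1))
    print("ad-hoc update needs re-approval:", needs_reapproval(ADHOC_V1, ADHOC_V2))
```

Run on the samples, the Developer ID-signed tool yields a single `SIGNINGID` rule that is unchanged between releases, while the ad-hoc binary yields a `CDHASH` rule that changes with every release and so must be re-synced each time; that is the work the auto-sync step absorbs for packages whose publishers do not sign with a Team ID.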
Ecosystems
Supported ecosystems
Many package managers distribute source code, but plenty also ship prebuilt binaries that trip up allowlisting the moment a new version lands. Package Rules handles both, across every ecosystem Workshop supports.
Homebrew
Formulae and casks. The full package manager, including bottles, app bundles, and command line tools.
npm
JavaScript and TypeScript packages from the npm registry, including packages that ship prebuilt native binaries.
Cargo
Rust packages from crates.io. Workshop fetches releases and extracts identifiers as new versions are published.
GitHub Releases
Any public GitHub release in owner/repo format. Workshop watches the release feed and pulls in new artifacts on schedule.
VS Code Extensions
Extensions from the Open VSX Registry, used by Cursor and other VS Code forks. Keep IDE plugins approved without manual triage.
Terraform Providers
HashiCorp and community providers from the Terraform registry, with automatic identifier extraction across versions.
Bazel
Build system dependencies and rulesets, so your build tooling stays approved as it evolves.
Arbitrary URLs
Point to any URL serving signed binaries. Workshop scans zip files, disk images, and tarballs to extract identifiers automatically.
Visibility
Full visibility into every package rule
Every sync, identifier update, and applied rule is logged with package, version, identifier type, and timestamp. Review them in Workshop's Events view alongside the rest of your fleet activity.
- Package, version, identifier type, and timestamp on every event
- Sync runs, identifier updates, and applied rules all logged
- Filter and search alongside every other Workshop event
Package Rules are part of Workshop
Pair Package Rules with the rest of Workshop to cover the full software lifecycle.
Approval workflows
Self-service approvals, designated approvers, and social voting so requests resolve in minutes, not days.
Risk engine
Automated risk assessment for every binary. Approvers make faster, safer decisions when every request is pre-screened.
AI Chat
Ask Workshop anything about your fleet in plain English. Investigate incidents and answer compliance questions in seconds.