Lifecycle Policies

Lifecycle policies in AppTrust are governance controls that define the conditions, rules, and enforcement actions applied to application versions at specific stages of the software development lifecycle (SDLC). Each policy is evaluated automatically when an application version reaches a defined lifecycle gate—such as Commit, QA Entry, or Release—to determine whether the version can proceed to the next stage.

Lifecycle policies are designed to ensure that software released through the SDLC meets your organization’s requirements for security, quality, and compliance. By integrating these policies directly into the development process, AppTrust provides consistent, evidence-based control across all projects and applications.

Each policy includes one or more rules that specify:

  • Conditions to check (for example, the existence of vulnerabilities, the use of a prohibited license, or the absence of required evidence)
  • Actions to take when those conditions are met (for example, Fail to block the promotion or Warning to allow it with a recorded violation)

Policies can be defined at either the project level, to apply to all applications under a project, or at the application level, to apply to a specific application only. This flexibility allows teams to define broad organizational policies as well as targeted controls for critical applications.

Relationship to Evidence

Evidence plays a central role in lifecycle policy enforcement. Many rules rely on the presence or absence of specific evidence—such as a signed SBOM, build provenance, or change approval—to determine compliance. When an application version reaches a policy gate, AppTrust verifies that the required evidence is attached to the evaluated resource. If the required evidence is missing, a policy violation is triggered. If all required evidence is present and verified, the application version passes the gate. Together, lifecycle policies and evidence create an auditable, automated framework for validating trust, security, and compliance throughout the SDLC.
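The gate evaluation described above, as an added illustrative model that is not AppTrust's own code or API: policies are scoped to a project or an application, each rule pairs a condition (vulnerability severity, prohibited license, missing or unverified evidence) with a Fail or Warning action, and a version passes the gate only if no Fail rule fires, while Warning violations are recorded without blocking. All class names, the scope string format, the severity table and the sample data are constructed assumptions for this example.

```python
"""Illustrative model of lifecycle-policy gate evaluation (hypothetical, not AppTrust's API)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set


class Action(Enum):
    FAIL = "Fail"        # block the promotion
    WARNING = "Warning"  # allow the promotion, but record the violation


@dataclass
class AppVersion:
    application: str
    project: str
    version: str
    vulnerabilities: List[str]   # severities reported by a scanner, e.g. ["High", "Low"]
    licenses: Set[str]           # licenses of bundled components
    evidence: Dict[str, bool]    # evidence type -> verified? (e.g. {"sbom": True})


@dataclass
class Rule:
    name: str
    violated: Callable[[AppVersion], bool]  # True when the rule's condition is met
    action: Action


@dataclass
class Policy:
    name: str
    gate: str      # "Commit", "QA Entry", "Release", ...
    scope: str     # assumed format: "project:<name>" or "application:<name>"
    rules: List[Rule]


@dataclass
class Violation:
    policy: str
    rule: str
    action: Action


@dataclass
class GateResult:
    gate: str
    passed: bool
    violations: List[Violation] = field(default_factory=list)


# Assumed severity ordering for the vulnerability condition.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def vulnerabilities_at_or_above(min_severity: str) -> Callable[[AppVersion], bool]:
    threshold = SEVERITY_RANK[min_severity]
    return lambda v: any(SEVERITY_RANK.get(s, 0) >= threshold for s in v.vulnerabilities)


def uses_prohibited_license(prohibited: Set[str]) -> Callable[[AppVersion], bool]:
    return lambda v: bool(v.licenses & prohibited)


def missing_verified_evidence(evidence_type: str) -> Callable[[AppVersion], bool]:
    # Evidence that is absent, or attached but not verified, both count as a violation.
    return lambda v: not v.evidence.get(evidence_type, False)


def applies_to(policy: Policy, version: AppVersion) -> bool:
    kind, _, name = policy.scope.partition(":")
    return (kind == "project" and name == version.project) or \
           (kind == "application" and name == version.application)


def evaluate_gate(version: AppVersion, gate: str, policies: List[Policy]) -> GateResult:
    """Evaluate every in-scope policy for this gate; Fail blocks, Warning only records."""
    result = GateResult(gate=gate, passed=True)
    for policy in policies:
        if policy.gate != gate or not applies_to(policy, version):
            continue
        for rule in policy.rules:
            if rule.violated(version):
                result.violations.append(Violation(policy.name, rule.name, rule.action))
                if rule.action is Action.FAIL:
                    result.passed = False
    return result


# Constructed sample policies: one project-wide, one for a single application.
POLICIES = [
    Policy("org-baseline", "Release", "project:payments", [
        Rule("no-critical-vulns", vulnerabilities_at_or_above("Critical"), Action.FAIL),
        Rule("signed-sbom-present", missing_verified_evidence("sbom"), Action.FAIL),
        Rule("no-copyleft", uses_prohibited_license({"GPL-3.0-only"}), Action.WARNING),
    ]),
    Policy("checkout-extra", "Release", "application:checkout", [
        Rule("change-approval-present", missing_verified_evidence("change-approval"), Action.FAIL),
    ]),
]


def sample_version(**overrides) -> AppVersion:
    """Constructed application version; pass overrides to simulate missing evidence etc."""
    base = dict(application="checkout", project="payments", version="2.4.0",
                vulnerabilities=["High", "Low"], licenses={"MIT", "GPL-3.0-only"},
                evidence={"sbom": True, "build-provenance": True, "change-approval": True})
    base.update(overrides)
    return AppVersion(**base)


if __name__ == "__main__":
    for v in (sample_version(), sample_version(evidence={"sbom": False})):
        r = evaluate_gate(v, "Release", POLICIES)
        print(r.passed, [(x.rule, x.action.value) for x in r.violations])
```

The first run passes the Release gate with one recorded Warning (the copyleft license); the second, where the SBOM is unverified and the change approval is absent, is blocked with two Fail violations alongside the same Warning, which matches the page's description of missing evidence triggering a violation.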

Read about how to view Evidence.

This section describes how to create and manage lifecycle policies in AppTrust, including: