Create Policies
Curation is based on a set of defined policies. To create a new curation policy, the Curation Admin must choose the remote repositories to which the policy applies, the policy condition (only 1 condition can be defined for each policy), and the action to be performed when the policy is violated. In addition, any exceptions to the policy can be defined in a waiver.
This is a basic procedure outlining the steps to create a policy. The How-Tos section provides more scenario-specific procedures for creating policies.
Do the following:
- Go to Administration > Curation > Policies Management.
- Click Create Policy and follow the wizard:
  - Step 1: Enter a name for the policy (max 50 characters, no special symbols).
  - Step 2: Define the scope:
    - Organization-wide: Applies to all curated repositories. You can optionally exclude specific repositories or groups.
    - Specific remote repositories: Select one or more curated remote repositories or package types to enforce the policy on.
    - Selected groups: Enforce the policy only on selected JFrog Platform Access groups. Requires Enforce policy on cached packages to be enabled.
  - Step 3: Choose a condition from the predefined or custom options. For a full detailed list of the conditions, see here. Examples:
    - Block based on CVSS score thresholds.
    - Block non-official Docker images.
    - Block packages not labeled as "allowed."
  - Step 4 (optional): Add waivers to exclude specific packages or versions.
  - Step 5: Define the action (Block or Dry Run) and configure email notifications.
  - Step 6 (optional): Enable Share with Federation to propagate this policy to all connected follower instances via Curation Federation. This option is available only for policies with scope All Curated or Package Types. Share with Federation requires Curation Federation to be enabled on your platform.
Learn more here.
Policy Scope Options
When creating a policy, you choose how broadly or narrowly it should be applied. The available scope options are:
| Scope | Description |
|---|---|
| Organization-wide | Enforces the policy across all current and future curated repositories. You can optionally exclude specific repositories or groups. |
| Specific remote repositories | Enforces the policy only on the remote repositories you select. |
| Repositories package type | Enforces the policy on all repositories matching the selected package types (e.g., npm, Maven, PyPI). |
| Selected groups | Enforces the policy based on the requesting user's JFrog Platform Access group membership. Only users belonging to the selected groups are subject to the policy. |
Apply Policy to a Group of Users
Curation supports scoping policies by JFrog Platform Access Groups, enabling organizations to apply different policy behaviors to different teams or user segments even when they share the same repositories.
Group-based policy scope requires Enforce policy on cached packages to be enabled.
Navigate to Administration > Curation > Settings and enable Curation for Cached Packages before using this scope.
How It Works
When a user requests to download a package, Curation resolves the user's Access group memberships and evaluates whether the policy applies:
- Selected groups (include): The policy is enforced only for users who belong to at least one of the selected groups. Users outside those groups are not affected.
- Excluded groups: When using the Organization-wide scope, you can exclude specific groups. Users belonging to an excluded group are exempt from the policy, even if it would otherwise apply.
If a user belongs to both an included and an excluded group, the exclusion takes precedence and the policy is not enforced for that user.
When to Use Group-Based Scope
Group-based scoping is useful when a single repository serves multiple teams with different security requirements. For example:
| Group | Policy behavior |
|---|---|
| Dev Team A | Excluded from the policy — allowed to download packages meeting internal maturity criteria |
| Dev Team B | Blocked if the package contains a critical CVE |
| Compliance Team | Restricted to approved package versions only |
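The group-scope rules from How It Works and the team table above, modelled as an added Python example (this is not JFrog's code): per policy, membership in an excluded group takes precedence, Organization-wide policies cover everyone not excluded, Selected-groups policies cover only members of an included group, and using a group scope without cached-package enforcement is rejected. The policy names, group names, CVSS threshold and package metadata are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Set

ORG_WIDE = "organization-wide"
SELECTED_GROUPS = "selected-groups"

@dataclass(frozen=True)
class Policy:
    name: str
    scope: str                              # ORG_WIDE or SELECTED_GROUPS
    condition: Callable[[dict], bool]       # True when the package violates the policy
    action: str = "block"                   # "block" or "dry-run"
    included_groups: FrozenSet[str] = frozenset()
    excluded_groups: FrozenSet[str] = frozenset()

def policy_applies(policy: Policy, user_groups: Set[str], cached_enforcement: bool) -> bool:
    """Does this policy cover a request from a user with these Access group memberships?"""
    if policy.scope == SELECTED_GROUPS and not cached_enforcement:
        # Group scope is documented as requiring 'Enforce policy on cached packages'.
        raise ValueError(f"{policy.name}: group scope needs cached-package enforcement")
    if user_groups & policy.excluded_groups:
        return False                        # exclusion takes precedence over inclusion
    if policy.scope == ORG_WIDE:
        return True                         # everyone not excluded is covered
    return bool(user_groups & policy.included_groups)

def evaluate_download(policies: Iterable[Policy], user_groups: Set[str],
                      package: Dict, cached_enforcement: bool = True) -> str:
    """Return 'block', 'dry-run' (violation only reported) or 'allow' for one request."""
    outcome = "allow"
    for policy in policies:
        if policy_applies(policy, user_groups, cached_enforcement) and policy.condition(package):
            if policy.action == "block":
                return "block"              # one blocking violation decides the request
            outcome = "dry-run"
    return outcome

# Constructed sample policies mirroring the team table above (assumed names and threshold).
POLICIES = [
    Policy("critical-cve", ORG_WIDE, lambda pkg: pkg["max_cvss"] >= 9.0,
           excluded_groups=frozenset({"dev-team-a"})),
    Policy("approved-versions-only", SELECTED_GROUPS, lambda pkg: not pkg["approved"],
           included_groups=frozenset({"compliance-team"})),
]
# Constructed package metadata in the shape the condition callables expect.
RISKY_PKG = {"name": "example-lib", "version": "1.3.0", "max_cvss": 9.8, "approved": False}
CLEAN_PKG = {"name": "example-lib", "version": "2.0.0", "max_cvss": 2.1, "approved": False}
```

A user in both dev-team-a and compliance-team is exempt from the CVE policy but still subject to the approved-versions policy, because exclusions are evaluated per policy.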
Configuration
- Go to Administration > Curation > Policies Management.
- Click Create Policy.
- In the Scope step, select Selected groups.
- Choose one or more Access groups from the group selection modal.
- Continue with the remaining policy wizard steps (condition, waivers, actions).
To exclude groups from an Organization-wide policy:
- In the Scope step, select Organization-wide.
- Click Exclude Groups and select the groups to exempt.
Limitation for NPM Packages
When using Compliant Version together with group-based policy enforcement and cached package blocking, cache behavior may cause multiple groups to receive the same compliant version that was retrieved by the first user. Curation will still evaluate the download request and block it if it conflicts with the policies of the requesting group.