Part 1: Curation Rollout Overview

This part of the workshop introduces the recommended rollout approach for JFrog Curation.

Curation is designed to control which open-source packages can be used in your organization. Because it can actively block package requests, it should be introduced gradually and deliberately.

This workshop follows a phased rollout model that allows you to gain confidence and visibility before applying broad enforcement.

How Curation works at a high level

Curation evaluates package requests during dependency resolution. When a request matches a defined policy condition, Curation can take action before the package is downloaded or cached.

Depending on the policy configuration, Curation can:

  • Block a package request
  • Allow the request while recording a violation
  • Generate audit events for visibility

For a deeper explanation of how Curation fits into the software supply chain, see:

Why a phased rollout is recommended

Introducing blocking policies without preparation can disrupt development workflows.

A phased rollout allows you to:

  • Start with low-risk, high-confidence controls
  • Observe real usage patterns before enforcing broadly
  • Identify false positives and edge cases
  • Build trust with development teams

This approach aligns with how JFrog Customer Success teams roll out Curation in production environments.

The rollout phases used in this workshop

This workshop follows these phases:

  • Start by blocking malicious packages
  • Evaluate additional policies using dry run mode
  • Apply organization-wide blocking for selected policies
  • Introduce scoped and project-level policies
  • Operate and monitor Curation as part of daily security operations
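
To make the policy actions listed under "How Curation works" and the dry run / enforcement phases above concrete, here is a small added model of that decision logic. It is illustrative code written for this workshop page, not JFrog's own implementation or API; the policy names, the `KNOWN_MALICIOUS` set and the license allowlist are constructed sample data.

```python
"""Toy model of Curation-style policy modes (added example, not JFrog code)."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class PackageRequest:
    name: str
    version: str
    license: str


@dataclass
class Policy:
    name: str
    matches: Callable[[PackageRequest], bool]   # the policy condition
    mode: str  # "block", "dry_run" (allow but record a violation) or "audit" (event only)


@dataclass
class Decision:
    allowed: bool
    violations: List[str] = field(default_factory=list)
    audit_events: List[str] = field(default_factory=list)


def evaluate(request: PackageRequest, policies: List[Policy]) -> Decision:
    """Evaluate one package request against every policy; any blocking match denies it."""
    decision = Decision(allowed=True)
    for policy in policies:
        if not policy.matches(request):
            continue
        decision.audit_events.append(f"{policy.name} matched {request.name}@{request.version}")
        if policy.mode == "block":
            decision.allowed = False
            decision.violations.append(policy.name)
        elif policy.mode == "dry_run":
            decision.violations.append(policy.name)   # visible to reviewers, not enforced
        # "audit" mode records the event only
    return decision


def promote_to_block(policies: List[Policy], policy_name: str) -> List[Policy]:
    """Later phase: turn one dry-run policy into a blocking policy, leaving the rest unchanged."""
    return [Policy(p.name, p.matches, "block") if p.name == policy_name else p for p in policies]


# Constructed sample data for the first rollout phase: block known-malicious, dry-run the rest.
KNOWN_MALICIOUS = {("evil-helper", "1.0.0")}
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
PHASE_1_POLICIES = [
    Policy("block-malicious", lambda r: (r.name, r.version) in KNOWN_MALICIOUS, "block"),
    Policy("license-allowlist", lambda r: r.license not in APPROVED_LICENSES, "dry_run"),
]
```

Running `evaluate` over a few requests shows why dry run matters: a license violation is recorded but still resolves in phase 1, and only denies after `promote_to_block` moves that policy into the enforcement phase.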

When to move on

Once you are familiar with the rollout model, continue to the next part to prepare your environment.

Proceed to Part 2: Prepare for Curation Rollout