On-Demand Curation
The On-Demand Curation feature extends JFrog Curation to secure packages retrieved from remote repositories that are not covered by the JFrog Public Catalog. When developers request packages from such repositories, Curation applies your organization's existing security policies — evaluating vulnerabilities, licenses, immaturity, and malicious code — for immediate enforcement.
This ensures consistent governance across a broader range of components, including internal, private, or ecosystem-specific repositories that are not yet cataloged.
Supported Package Types
Important: Docker repositories are now automatically set to On-Demand, so all components are immediately scanned for CVEs and license compliance.
Impact:
- Policies apply automatically: Existing security and license policies are enforced.
- Potential blocking: Non-compliant components may be blocked—review your Curation policies to avoid disruption.
How It Works
The on-demand process begins when a developer requests a package from a remote repository proxied through Artifactory:
- The developer's build tool requests a package from a remote repository.
- JFrog Curation intercepts the request.
- If the package is not in the Public Catalog, it is processed through On-Demand Curation.
- Curation evaluates vulnerabilities, licenses, malicious indicators, and immaturity before releasing the package.
- The results are stored in the On-Demand Catalog for future requests.
First Request Behavior
When a package is requested for the very first time, the system performs a comprehensive, real-time security scan. This initial scan may take longer than usual. During this period, a developer may see a "Pending Catalog Update" status or a temporary block.
After the analysis is complete, the developer simply requests the package again. The system will then have the full security information and will allow or block the download based on your policies. All future requests for this package by anyone in the organization will be instantaneous, as the security data is now stored in the On-Demand Catalog.
Audit Results
When a user tries to download a package, three results are possible:
| Result | Description |
|---|---|
| Policy Violation | Package download was blocked due to a policy violation |
| No Policy Violation | Package download was approved |
| Pending Catalog Update | Package does not yet exist in the catalog. The system processes the package and returns a policy decision on the next request |
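To make the request lifecycle above concrete, here is an added Python model (not JFrog's code) of how a first request returns "Pending Catalog Update" and stores the scan result, and how the retry is then decided against a policy covering the four policy types the page lists (vulnerabilities, licenses, malicious code, immaturity). Every request also leaves an audit record with the package, its origin, the decision and the conditions that fired. The scanner results, package identifiers, policy thresholds and the synchronous "scan" are all constructed for the example; the real service performs the scan asynchronously.

```python
"""Added example (not JFrog code): a minimal model of the On-Demand Curation
request flow. Catalog, scanner results and policy are constructed stand-ins."""
from dataclasses import dataclass, field

PENDING = "Pending Catalog Update"
VIOLATION = "Policy Violation"
APPROVED = "No Policy Violation"

# Constructed scan results standing in for the real-time first-request scan.
# Keys are package identifiers as a build tool would request them.
SCANNER_RESULTS = {
    "npm://left-pad@1.3.0": {"malicious": False, "max_cvss": 0.0, "license": "MIT", "age_days": 900},
    "npm://evil-tool@0.0.1": {"malicious": True, "max_cvss": 0.0, "license": "MIT", "age_days": 2},
    "maven://org.example:lib@2.1.0": {"malicious": False, "max_cvss": 9.8, "license": "Apache-2.0", "age_days": 400},
}


@dataclass
class Policy:
    """Constructed policy: one condition per policy type listed on the page."""
    block_malicious: bool = True
    max_cvss: float = 7.0                  # block at or above this CVSS base score
    allowed_licenses: set = field(default_factory=lambda: {"MIT", "Apache-2.0", "BSD-3-Clause"})
    min_age_days: int = 14                 # immaturity condition


@dataclass
class OnDemandCatalog:
    results: dict = field(default_factory=dict)    # package id -> stored scan result
    audit_log: list = field(default_factory=list)  # one entry per request


def evaluate(policy, result):
    """Return the policy conditions the package violates (empty list = approved)."""
    violations = []
    if policy.block_malicious and result["malicious"]:
        violations.append("malicious package")
    if result["max_cvss"] >= policy.max_cvss:
        violations.append(f"vulnerability CVSS {result['max_cvss']} >= {policy.max_cvss}")
    if result["license"] not in policy.allowed_licenses:
        violations.append(f"license {result['license']} not allowed")
    if result["age_days"] < policy.min_age_days:
        violations.append(f"immature: {result['age_days']} days old")
    return violations


def request_package(catalog, policy, package_id, origin="external source"):
    """Simulate one download request and return one of the three audit results."""
    if package_id not in catalog.results:
        # First request: run the (here synchronous) scan, store it, tell the client to retry.
        catalog.results[package_id] = SCANNER_RESULTS[package_id]
        decision, conditions = PENDING, []
    else:
        # Retry: the catalog already holds the data, so the decision is immediate.
        conditions = evaluate(policy, catalog.results[package_id])
        decision = VIOLATION if conditions else APPROVED
    catalog.audit_log.append(
        {"package": package_id, "origin": origin, "decision": decision, "conditions": conditions}
    )
    return decision


if __name__ == "__main__":
    catalog, policy = OnDemandCatalog(), Policy()
    for pkg in ("npm://left-pad@1.3.0", "npm://left-pad@1.3.0",
                "npm://evil-tool@0.0.1", "npm://evil-tool@0.0.1"):
        print(pkg, "->", request_package(catalog, policy, pkg))
    for entry in catalog.audit_log:
        print(entry)
```

Running the script shows the same package going from pending to a decision on its second request, while the audit log keeps both entries, which is the behaviour to expect from a build that is retried after a first-time block.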
Prerequisites
SaaS
- Curation/Xray version 3.143
- Catalog version 1.31.3
- Artifactory version 7.148 (SH 7.146)
SaaS Requirements
| Component | Minimum Version |
|---|---|
| Curation / Xray | 3.140.0 |
| Catalog | 1.31.3 |
| Artifactory | 7.137.0 |
| Valkey | Required |
Self-Hosted Requirements
Contact JFrog for self-hosted version requirements.
Configuration Requirements
- The remote repository in Artifactory must be configured for both Curation and Xray indexing. This is done automatically when you curate the repository in Curation settings, but it is recommended to verify indexing is enabled in advance.
- In Administration > Repositories, ensure the repository has Curation enabled.
- Curation for Cached Packages must be enabled first — the On-Demand feature relies on the Block-from-Cache mechanism. See Block Downloads from Cached Remote Repositories.
Enabling On-Demand Curation
Step 1: Enable Curation for Cached Packages
On-Demand Curation requires the Block-from-Cache feature to be active.
- Navigate to Administration > Curation > General.
- Under Advanced Coverage, enable Curation for Cached Packages.
Step 2: Enable On-Demand Curation
- In the same Advanced Coverage section, enable "Enable Curation On-Demand for On-Demand Packages in the JFrog Catalog".
This toggle enables visibility for on-demand repositories — all repositories that belong to a supported ecosystem (e.g., Maven) but are not yet supported in the Public Catalog. To enforce policies, you must also enable Curation for specific package types or repositories. Disabling this toggle disconnects all on-demand repositories.
Step 3: Enable Per Package Type or Per Repository
After enabling the global On-Demand toggle, you need to activate it for specific package types or individual repositories:
- By package type: Connecting a package type enables curation for all current and future on-demand repositories of that ecosystem.
- By individual repository: You can connect or disconnect specific repositories from the inner settings page. Future repositories for the package type remain auto-connectable.
When you activate On-Demand, Docker repositories that were already enabled for Curation will automatically receive the On-Demand tag (because Docker supports CVE and license policies). If you have existing Docker policies or organization-wide policies, they will immediately apply to these repositories.
Policy Enforcement
The following JFrog Curation policies apply to on-demand packages:
| Policy Type | Supported |
|---|---|
| Vulnerabilities | Yes — packages with known vulnerabilities are blocked or flagged |
| Licenses | Yes — license compliance policies are enforced |
| Malicious Packages | Yes — packages identified as malicious are blocked |
| Immaturity | Yes — immature packages are evaluated against policies |
Some conditions available for standard curation (such as OpenSSF score) are not supported in On-Demand Curation.
Labels and Waivers
- Labels — On-demand packages can be tagged with labels and used in governance policies, just like Public Catalog packages.
- Waivers — Exceptions may be granted for on-demand packages with proper justification, allowing temporary policy bypass.
On-Demand Catalog
The On-Demand Catalog is your organization's private catalog, storing results for repositories hosted in your Artifactory instance that are internal, sensitive, or private.
Capabilities
- Vulnerability, license, and maliciousness results are stored in a dedicated On-Demand Catalog, accessible via UI and API.
- Supports non-public repositories within supported ecosystems.
- Integrated with Docker — on-demand scanning is available for Docker containers and images, with vulnerability and license insights visible in the Docker UI.
UI Behavior
- Search allows discovery of on-demand packages, clearly marked with an "On-Demand" tag.
- Repository lists and policy results show which entities are handled via On-Demand Curation.
- The "See All" page displays results from both the Public Catalog and the On-Demand Catalog in separate tabs.
- If a package appears in both the Public and On-Demand Catalogs, users see a notification with a link to the alternate record.
Indexing
- On-demand scans can only be performed on repositories that have been indexed.
- New packages downloaded using Curation On-Demand are automatically indexed.
Using the JFrog CLI
For the best developer experience with On-Demand Curation, use the JFrog CLI with the jf ca (curation-audit) command.
For Docker, use the --include-cached-packages flag to audit cached packages. This is required when using Curation On-Demand, as packages are cached:
```shell
jf ca --image <image_name> --include-cached-packages=true
```
On-Demand GraphQL API
On-demand packages can also be queried via the GraphQL API at a different endpoint than the Public Catalog:
Endpoint: POST /onemodel/api/v1/graphql
Example Request
```shell
curl -X POST \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer {ADMIN_TOKEN}' \
-d '{"query":"{ customPackages { getPackageLocation(url: \"docker-remote-cache/library/redis/sha256__<digest>/manifest.json\") { artifacts(first:1) { edges { node { version { version customPackage { name type ecosystem } legalInfo { licenseInfo { expression } } customSecurityInfo { maliciousnessInfo { knownToBeMalicious } vulnerabilitiesConnection(first: 10) { totalCount edges { node { name severity cvss { preferredBaseScore } } } } } } } } } } } }","variables":{}}' \
'https://<JFROG_URL>/onemodel/api/v1/graphql/'
```
An admin token is required for all On-Demand Catalog GraphQL requests.
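As an added example that is not part of the JFrog documentation or product code, the following Python builds the same GraphQL request as the curl command above and flattens a response into a summary that a policy check can consume (the base URL, admin token and artifact path are placeholders you supply). The sample response is constructed to match the query's field shape; its package name, version, license and CVE identifiers are made up, and the tolerant handling of missing security fields is an assumption about the API rather than documented behaviour.

```python
"""Added example (not JFrog code): build the On-Demand Catalog GraphQL request
from the curl command above and summarise its response for a policy check."""
import json

GRAPHQL_PATH = "/onemodel/api/v1/graphql"   # endpoint given on the page

# Selection set copied from the curl example; __URL__ is replaced with a quoted path.
QUERY_TEMPLATE = (
    "{ customPackages { getPackageLocation(url: __URL__) { artifacts(first:1) { edges { node { "
    "version { version customPackage { name type ecosystem } "
    "legalInfo { licenseInfo { expression } } "
    "customSecurityInfo { maliciousnessInfo { knownToBeMalicious } "
    "vulnerabilitiesConnection(first: 10) { totalCount edges { node { name severity "
    "cvss { preferredBaseScore } } } } } } } } } } } }"
)


def build_query(artifact_path):
    """Return the query for one artifact path; json.dumps yields a valid quoted GraphQL string."""
    return QUERY_TEMPLATE.replace("__URL__", json.dumps(artifact_path))


def build_request(base_url, artifact_path, admin_token):
    """Return (url, headers, body) for the POST; the API requires an admin token."""
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {admin_token}"}
    body = json.dumps({"query": build_query(artifact_path), "variables": {}})
    return base_url.rstrip("/") + GRAPHQL_PATH, headers, body


def summarize_response(payload):
    """Flatten the nested result into a dict; None when the package is not in the catalog yet."""
    edges = payload["data"]["customPackages"]["getPackageLocation"]["artifacts"]["edges"]
    if not edges:
        return None
    version = edges[0]["node"]["version"]
    # Assumption: security sub-objects may be absent or null for a package with no findings.
    sec = version.get("customSecurityInfo") or {}
    vc = sec.get("vulnerabilitiesConnection") or {"totalCount": 0, "edges": []}
    vulns = [(e["node"]["name"], e["node"]["severity"], e["node"]["cvss"]["preferredBaseScore"])
             for e in vc["edges"]]
    return {
        "name": version["customPackage"]["name"],
        "type": version["customPackage"]["type"],
        "ecosystem": version["customPackage"]["ecosystem"],
        "version": version["version"],
        "license": version["legalInfo"]["licenseInfo"]["expression"],
        "malicious": (sec.get("maliciousnessInfo") or {}).get("knownToBeMalicious", False),
        "vulnerability_count": vc["totalCount"],
        "max_cvss": max((v[2] for v in vulns), default=0.0),
        "vulnerabilities": vulns,
    }


# Constructed sample response: nesting follows the query; names, version and scores are made up.
SAMPLE_RESPONSE = {"data": {"customPackages": {"getPackageLocation": {"artifacts": {"edges": [
    {"node": {"version": {
        "version": "7.2.0",
        "customPackage": {"name": "library/redis", "type": "docker", "ecosystem": "docker"},
        "legalInfo": {"licenseInfo": {"expression": "BSD-3-Clause"}},
        "customSecurityInfo": {
            "maliciousnessInfo": {"knownToBeMalicious": False},
            "vulnerabilitiesConnection": {"totalCount": 2, "edges": [
                {"node": {"name": "CVE-EXAMPLE-0001", "severity": "High",
                          "cvss": {"preferredBaseScore": 7.5}}},
                {"node": {"name": "CVE-EXAMPLE-0002", "severity": "Medium",
                          "cvss": {"preferredBaseScore": 5.3}}},
            ]},
        },
    }}},
]}}}}}


if __name__ == "__main__":
    url, headers, body = build_request(
        "https://<JFROG_URL>", "docker-remote-cache/library/redis/sha256__<digest>/manifest.json",
        "<ADMIN_TOKEN>")
    print(url)
    print(json.dumps(summarize_response(SAMPLE_RESPONSE), indent=2))
```

The summary's `max_cvss`, `license` and `malicious` fields map directly onto the vulnerability, license and malicious-package policy types the page lists, so the same dict can feed a local pre-check before a build is run against the curated repository.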
Audit and Compliance
All on-demand curation activity is logged for tracking and compliance. The audit log captures:
- Package requests and their origin (external source, cache, or CLI simulation)
- Policy decisions (blocked, approved, or pending)
- Enforcement outcomes with policy and condition details
Audit events for on-demand packages appear alongside standard curation audit events in the Curated Packages Audit page.
Important Caveats and Limitations
- First-time scan delay: The initial scan for an uncataloged package is comprehensive and may take a few moments. Subsequent requests are instantaneous.
- Timeout behavior: If the curation inspection reaches a timeout, the package may be blocked on the first attempt. The developer should retry after the processing completes.
- OpenSSF score: Not supported for on-demand packages.
- Docker repositories: When On-Demand is activated, existing Docker repositories that were already curated automatically receive the On-Demand tag. Existing Docker policies apply immediately.
- New ecosystems: Ecosystems not currently supported in the Public Catalog can be supported upon request and prioritization. Contact JFrog Support for details.
