
JFrog Curation Policy

Represents a curation policy in JFrog Curation that automatically vets and blocks malicious, vulnerable, or risky open-source packages before they enter the development environment. Curation acts as a gateway between public package registries and internal repositories.


Properties

Name Type Description
policy_name string Unique name identifying the curation policy
description string Human-readable description of the policy purpose
enabled boolean Whether the policy is actively enforced
policy_type string Type of curation policy defining its behavior
repositories array Remote repository keys this policy applies to
package_types array Package ecosystem types this policy applies to
conditions object Conditions that trigger the policy action
actions object Actions taken when policy conditions are met
created string Policy creation timestamp
modified string Last modification timestamp

JSON Schema

jfrog-curation-policy-schema.json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://jfrog.com/schemas/curation-policy",
  "title": "JFrog Curation Policy",
  "description": "Represents a curation policy in JFrog Curation that automatically vets and blocks malicious, vulnerable, or risky open-source packages before they enter the development environment. Curation acts as a gateway between public package registries and internal repositories.",
  "type": "object",
  "properties": {
    "policy_name": {
      "type": "string",
      "description": "Unique name identifying the curation policy",
      "examples": [
        "block-critical-vulnerabilities",
        "require-license-approval"
      ]
    },
    "description": {
      "type": "string",
      "description": "Human-readable description of the policy purpose"
    },
    "enabled": {
      "type": "boolean",
      "description": "Whether the policy is actively enforced",
      "default": true
    },
    "policy_type": {
      "type": "string",
      "description": "Type of curation policy defining its behavior",
      "enum": [
        "block_malicious_packages",
        "block_packages_with_vulnerabilities",
        "block_packages_without_license",
        "block_packages_by_name",
        "block_packages_by_age",
        "allow_only_approved_packages",
        "custom"
      ]
    },
    "repositories": {
      "type": "array",
      "description": "Remote repository keys this policy applies to",
      "items": {
        "type": "string"
      }
    },
    "package_types": {
      "type": "array",
      "description": "Package ecosystem types this policy applies to",
      "items": {
        "type": "string",
        "enum": [
          "npm",
          "maven",
          "pypi",
          "docker",
          "go",
          "nuget",
          "gems",
          "cargo",
          "conda",
          "composer",
          "helm"
        ]
      }
    },
    "conditions": {
      "type": "object",
      "description": "Conditions that trigger the policy action",
      "properties": {
        "min_severity": {
          "type": "string",
          "description": "Minimum vulnerability severity that triggers blocking",
          "enum": [
            "Low",
            "Medium",
            "High",
            "Critical"
          ]
        },
        "max_age_days": {
          "type": "integer",
          "description": "Maximum package age in days, used by age-based blocking policies",
          "minimum": 1
        },
        "banned_package_names": {
          "type": "array",
          "description": "Specific package names to block",
          "items": {
            "type": "string"
          }
        },
        "banned_licenses": {
          "type": "array",
          "description": "License types to block",
          "items": {
            "type": "string"
          }
        },
        "approved_packages": {
          "type": "array",
          "description": "Explicitly approved packages (for allow-list policies)",
          "items": {
            "type": "object",
            "properties": {
              "name": {
                "type": "string"
              },
              "version": {
                "type": "string"
              }
            },
            "required": [
              "name"
            ]
          }
        }
      }
    },
    "actions": {
      "type": "object",
      "description": "Actions taken when policy conditions are met",
      "properties": {
        "block": {
          "type": "boolean",
          "description": "Whether to block the package download"
        },
        "notify": {
          "type": "boolean",
          "description": "Whether to send notifications"
        },
        "notify_emails": {
          "type": "array",
          "description": "Email addresses to notify",
          "items": {
            "type": "string",
            "format": "email"
          }
        },
        "custom_message": {
          "type": "string",
          "description": "Custom message returned to the user when a package is blocked"
        }
      }
    },
    "created": {
      "type": "string",
      "format": "date-time",
      "description": "Policy creation timestamp"
    },
    "modified": {
      "type": "string",
      "format": "date-time",
      "description": "Last modification timestamp"
    }
  },
  "required": [
    "policy_name",
    "policy_type"
  ]
}