Overview
Package and manifest policies help teams govern dependency usage. They use allow and deny rules scoped to the workspace, organizations, repositories, or applications. Package policies evaluate package and package version data. Manifest policies evaluate manifest file metadata.Package allow and deny policies
Package policies support a default action and optional package rules.| Setting | Values | Meaning |
|---|---|---|
| Default action | allow, deny, review | Action used when no package rule or decision applies |
| Dependency scope | direct, transitive, both | Which dependency relationships the policy applies to |
| Rule action | allow, deny | Action for a matching package rule |
- Package URL (
purl) - Package name
- Namespace
- Package type
- Version range
Package decisions
Package decisions are explicit package-level decisions for a policy. Supported decision values are:| Decision | Meaning |
|---|---|
accepted | Accept the package for the selected policy scope |
rejected | Reject the package for the selected policy scope |
Manifest allow and deny policies
Manifest policies support allow and deny rules for dependency files.| Setting | Values | Meaning |
|---|---|---|
| Default action | allow, deny | Action used when no manifest rule applies |
| Rule action | allow, deny | Action for a matching manifest rule |
- Manifest type
- Language
- Manifest file path
- Lock file path
review default action. Manifest policies support allow and deny.
Scopes
Package and manifest rules can be scoped to:- Workspace
- Organization
- Repository
- Application