Skip to main content

Overview

Package and manifest policies help teams govern dependency usage. They use allow and deny rules scoped to the workspace, organizations, repositories, or applications. Package policies evaluate package and package version data. Manifest policies evaluate manifest file metadata.

Package allow and deny policies

Package policies support a default action and optional package rules.
SettingValuesMeaning
Default actionallow, deny, reviewAction used when no package rule or decision applies
Dependency scopedirect, transitive, bothWhich dependency relationships the policy applies to
Rule actionallow, denyAction for a matching package rule
Package rules can match on:
  • Package URL (purl)
  • Package name
  • Namespace
  • Package type
  • Version range
Rules can also set an enforcement mode for their scope.

Package decisions

Package decisions are explicit package-level decisions for a policy. Supported decision values are:
DecisionMeaning
acceptedAccept the package for the selected policy scope
rejectedReject the package for the selected policy scope
Package decisions can include a version range and reason.

Manifest allow and deny policies

Manifest policies support allow and deny rules for dependency files.
SettingValuesMeaning
Default actionallow, denyAction used when no manifest rule applies
Rule actionallow, denyAction for a matching manifest rule
Manifest rules can match on:
  • Manifest type
  • Language
  • Manifest file path
  • Lock file path
Manual review is available for package policies through the review default action. Manifest policies support allow and deny.

Scopes

Package and manifest rules can be scoped to:
  • Workspace
  • Organization
  • Repository
  • Application
More specific policy scopes can override broader policy defaults.