> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Package and manifest policies

> Use allow and deny policies to govern packages, package versions, and manifests.

## Overview

Package and manifest policies help teams govern dependency usage. They use allow and deny rules scoped to the workspace, organizations, repositories, or applications.

Package policies evaluate package and package version data. Manifest policies evaluate manifest file metadata.

## Package allow and deny policies

Package policies support a default action and optional package rules.

| Setting          | Values                         | Meaning                                              |
| ---------------- | ------------------------------ | ---------------------------------------------------- |
| Default action   | `allow`, `deny`, `review`      | Action used when no package rule or decision applies |
| Dependency scope | `direct`, `transitive`, `both` | Which dependency relationships the policy applies to |
| Rule action      | `allow`, `deny`                | Action for a matching package rule                   |

Package rules can match on:

* Package URL (`purl`)
* Package name
* Namespace
* Package type
* Version range

Rules can also set an enforcement mode for their scope.

## Package decisions

Package decisions are explicit package-level decisions for a policy. Supported decision values are:

| Decision   | Meaning                                          |
| ---------- | ------------------------------------------------ |
| `accepted` | Accept the package for the selected policy scope |
| `rejected` | Reject the package for the selected policy scope |

Package decisions can include a version range and reason.

## Manifest allow and deny policies

Manifest policies support allow and deny rules for dependency files.

| Setting        | Values          | Meaning                                   |
| -------------- | --------------- | ----------------------------------------- |
| Default action | `allow`, `deny` | Action used when no manifest rule applies |
| Rule action    | `allow`, `deny` | Action for a matching manifest rule       |

Manifest rules can match on:

* Manifest type
* Language
* Manifest file path
* Lock file path

Manual review is available for package policies through the `review` default action. Manifest policies support `allow` and `deny`.

## Scopes

Package and manifest rules can be scoped to:

* Workspace
* Organization
* Repository
* Application

More specific policy scopes can override broader policy defaults.

## Related docs

* [Policies](/policies/overview)
* [Policy violations](/policies/violations)
* [Package managers and manifests](/reference/package-managers-manifests)
