Stop Policies From Breaking Your Builds
How JFrog Curation Compliant Version Selection (CVS) Keeps Your Development Pipelines Moving
Security policies exist to protect your software supply chain. So why do they keep breaking your builds?
This is the unspoken frustration inside most DevOps and security teams today. Supply chain attacks drove 30% of external breaches in 2025. So your security team did the right thing: they added policies to flag packages that are too new, unproven, or missing from the organization’s approved package list. But the moment a hidden dependency buried deep in an open source package trips one of those policies, the build fails, a ticket gets filed, and a developer loses two days of valuable time fixing something they didn’t choose and didn’t know existed.
The policy didn’t fail. The tooling did. The fix isn’t to ease policies but to provide more intelligent tooling. That’s exactly what JFrog Curation does using Compliant Version Selection (CVS).
What Is Compliant Version Selection?
Compliant Version Selection is a JFrog Curation capability that automatically finds and serves the highest policy-compliant version of a package. When a requested version is blocked due to a policy violation, CVS keeps the build moving, transforming Curation from a gatekeeper into an enabler.
Here’s what the process looks like in practice:
| STEP | DESCRIPTION |
|---|---|
| 1. | A developer requests a package; the latest version in the requested range is v3.141 |
| 2. | Curation checks v3.141 against active policies. It fails (too new, risky) |
| 3. | CVS scans the remaining versions within the requested range |
| 4. | It identifies v3.0.26 as the latest version that passes every policy |
| 5. | JFrog Artifactory downloads v3.0.26 |
| 6. | The build continues. The developer gets the policy-compliant package and keeps working. |
| 7. | All steps are recorded in the audit log |
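The selection loop in steps 2 through 7, as an added illustration that is not JFrog's implementation: the policy set (a minimum release age for "too new" and an approved-version list), the release dates and the audit format are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy set: block releases younger than min_age_days ("too new")
# and any version missing from the organization's approved list.
POLICIES = {"min_age_days": 14, "approved_versions": {"3.0.26", "3.0.25", "2.9.0"}}

@dataclass(frozen=True)
class Release:
    version: str
    published: date

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def in_range(version, lower, upper):
    # lower <= version < upper, the usual range shape (e.g. >=3.0.0 <4.0.0)
    return parse_version(lower) <= parse_version(version) < parse_version(upper)

def violations(release, policies, today):
    """Return the name of every policy the release violates (empty list = compliant)."""
    found = []
    min_age = policies.get("min_age_days")
    if min_age is not None and today - release.published < timedelta(days=min_age):
        found.append("too new")
    approved = policies.get("approved_versions")
    if approved is not None and release.version not in approved:
        found.append("not on approved list")
    return found

def select_compliant(releases, lower, upper, policies, today, audit):
    """Walk in-range versions newest to oldest and serve the first compliant one."""
    candidates = sorted((r for r in releases if in_range(r.version, lower, upper)),
                        key=lambda r: parse_version(r.version), reverse=True)
    for r in candidates:
        v = violations(r, policies, today)
        if v:
            audit.append(f"{r.version}: blocked ({', '.join(v)})")  # steps 2-3
            continue
        audit.append(f"{r.version}: served")                         # steps 4-7
        return r.version
    audit.append("no compliant version in range: request blocked")
    return None

def demo():
    # Constructed release history for a fictional package, range >=3.0.0 <4.0.0
    today = date(2025, 6, 1)
    releases = [Release("3.141", today - timedelta(days=2)),     # newest, too new
                Release("3.140", today - timedelta(days=40)),    # old enough, not approved
                Release("3.0.26", today - timedelta(days=200)),  # compliant
                Release("2.9.0", today - timedelta(days=400))]   # outside range
    audit = []
    return select_compliant(releases, "3.0.0", "4.0.0", POLICIES, today, audit), audit
```

Running `demo()` serves 3.0.26 and leaves one audit entry per version examined, which is the record a reviewer needs to see why the newest release was skipped.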
Why Do Security Policies Break Builds Instead of Fixing Them?
Most supply chain security tools take a binary approach: if a package violates policy, the request is blocked and the build fails. That was acceptable when builds were slower, dependency trees were shallower, and developer time was more cost-effective.
None of these conditions are true anymore.
Version sprawl and patch delays are now among the top operational risks in enterprise environments. The risk doesn’t sit where most teams are looking. 98% of vulnerabilities accumulate in the less-visible part of the stack, where patching is hardest to operationalize. Blocking builds without offering a safe alternative pushes that burden directly onto developers who had no visibility into the problem in the first place.
JFrog Curation flips the model: block-and-serve replaces yesterday’s block-and-fail. The right version is found, served silently, and the pipeline keeps moving.
Security Without the Security Tax
The security tax is the hidden cost developers pay every time a policy breaks their build. It shows up as lost sprint time, manual waiver requests, pinned versions, and quiet workarounds that let risk accumulate while enforcement deteriorates. The deeper cost isn’t operational. It’s trust.
When developers associate security policies with broken pipelines, they stop respecting them.
No blocked builds means no reason to work around the policy. JFrog internal data shows organizations reclaim up to 319,788 developer hours annually when governance becomes automatic.
How Would Compliant Version Selection Work In Your Development Environment?
CVS is available as a simple toggle within JFrog Curation, applying instantly across all supported ecosystems with no new agents, no workflow changes, and nothing for developers to install or configure. It works at the repository layer, where developers already pull their code, making security invisible by design.
And the same gatekeeper logic extends beyond packages. JFrog Curation also governs AI/ML models from Hugging Face, blocking unvetted models before they enter your environment with the same policy-driven discipline.
The Bottom Line
Without compromising your security standards, Compliant Version Selection finds the safe version, serves it silently, and keeps your pipelines green.
Your security policies shouldn’t be the reason your build breaks. With CVS, they won’t be.
Ready to see Compliant Version Selection in action? Request a personalized demo today!