Eliminate Shadow Package Downloads
Keep Developer Flow
Give developers and AI agents the freedom to build quickly while ensuring every dependency, package, and model entering your software supply chain is trusted, governed, and continuously monitored.
What is JFrog Package Traffic Controller?
Package Traffic Controller is a network-level solution that integrates with enterprise SASE infrastructure. It automatically intercepts and transparently reroutes all developer and agent package requests through JFrog – where security and compliance policies can be applied and compliant versions can be served automatically.
Bad Actors Are Targeting You Through Open Source Software
Allowing developers, agents, and other employees direct access to public package registries increases risk.
Total Visibility. Total Control.
Supply chain protection at the network edge
JFrog’s Package Traffic Controller routes every package request through JFrog automatically, via network-level enforcement. Whether the request comes from an AI agent autonomously pulling dependencies or a dev running pip install, every package is inspected by JFrog Curation against your security, license, and operational policies. Zero client configuration required.
Every artifact, logged and audit ready without exception
Eliminate unmanaged software entering your organization by ensuring every package, dependency, and artifact flows through a governed, traceable control point. JFrog’s Package Traffic Controller capability automatically intercepts direct requests to ensure they go through JFrog Artifactory, giving you control and speed.
Reroute, don't block – Zero workflow interruption
Unlike security tools that return an error when a package violates policy, Package Traffic Controller transparently redirects requests to JFrog Artifactory, where JFrog Curation serves the latest compliant version available. No failed builds. No .npmrc changes. No failed agent and no developer behavior change required.
How it works: Governance of open source package consumption
JFrog’s Package Traffic Controller works with your SASE solution to detect direct requests to public registries and route them through JFrog automatically – no exceptions, no per-dev configuration.
What SASE Solutions are supported today?
JFrog’s Package Traffic Controller is available today for customers of Zscaler ZIA, with support for additional SASE solutions coming in the very near future.
What public package registries are supported today?
Package Traffic Controller supports requests for:
- npm – npm, yarn, pnpm
- PyPI – pip, uv, poetry, pipenv
- Hugging Face
- Docker / OCI
Additional package registries coming soon.
Will the Package Traffic Controller route all user traffic through JFrog, including non-developers?
The Package Traffic Controller can be used to ensure all package requests to public registries, whether from agents, developers, or other AI users (Marketing, Finance, Legal, etc.), go through JFrog. This approach is desired by many orgs looking to block any malicious packages from inadvertently being brought in and installed on employee machines. However, customers can configure which employee machines are subject to the traffic enforcement, excluding non-development employees if desired.
How is Package Traffic Controller purchased?
The Package Traffic Controller is available with JFrog Curation and requires that the customer use one of the supported SASE providers.
How does JFrog differ from other security tools?
Neither agents nor developers should have to choose between speed and compliance, and no one wants a checkpoint that only blocks. JFrog Package Traffic Controller operates differently: it routes all traffic into JFrog Artifactory to serve as your complete system of record. Instead of blocking requests, generating support tickets, and incentivizing developers to find workarounds or simply blocking the agent’s progress, JFrog reroutes traffic to serve a policy-compliant package transparently. Because it operates at the network layer, it captures AI agent traffic exactly like human traffic without requiring any agent-side configuration.
Why does JFrog use SASE for package security?
JFrog integrates with SASE infrastructure to enforce package governance at the network layer. This ensures every request – from developers, AI users and AI agents – passes through Artifactory regardless of client-side configuration, which can be bypassed or overridden.
Can AI coding agents introduce supply chain vulnerabilities?
Yes, coding agents can introduce supply chain vulnerabilities just as a developer can. This can happen by referencing malicious packages or pulling in packages with known CVEs. Without proper security context and policies governing agent behavior, this will be a continual problem.
How do you prevent malicious open source packages from entering your org?
The best way to prevent malicious open source packages from entering your org is to block them from being downloaded by your developers, agents, and AI users. JFrog Curation enables organizations to proactively vet requested packages and libraries to ensure that no malicious packages are being downloaded. If a malicious package is requested, it is blocked before the item is downloaded. Package Traffic Controller ensures that all package requests are routed through JFrog for compliance enforcement and not pulled directly from public registries.