Create Curation Policy

JFrog REST APIs


Description: Create a policy.

Since: 3.116.x

Security: Requires a valid user with the "MANAGE_POLICIES" permission.

Usage: POST /xray/api/v1/curation/policies

Consumes: application/json

Produces: application/json

Path Parameters: None

Query Parameters: None

Request Body

Field (Type): Description

enabled (Boolean): Automatically set to true when the policy is created. Automatically set to false if something makes the policy’s effective scope empty, for example, the only repo the policy can cover is deleted. Can be set to true when updating the policy, provided the effective scope is not empty at the time of the update.

name (string): Name of policy

scope (string): One of: all_repos, specific_repos or pkg_types.

  1. "all_repos" means the policy will apply to all curated repositories except those listed in repo_exclude

  2. "specific_repos" means the policy will apply to the list of repositories listed in repo_include

  3. "pkg_types" means the policy will apply to all curated repositories of the package types listed in pkg_types_include

repo_exclude: Used with scope: all_repos

repo_include: Used with scope: specific_repos

pkg_types_include: Used with scope: pkg_types

policy_action (string): One of: block or dry_run. Dry run policies only accumulate audit logs; they don’t block packages from being downloaded.

condition_id (string): The ID of the condition used by the policy.

waivers (Array[PackageWaiver]): List of package waivers

label_waivers (Array[LabelWaiver]): List of label waivers

notify_emails (Array[string]): List of email addresses that receive notifications when the policy causes a package to be blocked

waiver_request_config (string): One of: forbidden, manual or auto_approved.

  If forbidden, waiver requests cannot be created for the policy.

  If manual, waiver requests can be created for the policy and must be approved by users from the JFrog Access groups listed in decision_owners.

  If auto_approved, waiver requests can be created and are immediately and automatically approved by the system when created, recording who created the waiver request, when, and why.

decision_owners (Array[string]): List of JFrog Access groups used by waiver_request_config=manual

PackageWaiver

Field (Type): Description

id (string): ID of this package waiver. Needs to be sent in the PUT request when modifying the policy to keep the waiver.

pkg_type (string): Package type. One of: "npm", "PyPI", "Maven", "Go", "NuGet", "Conan", "Gems", "Gradle", "HuggingFaceML" or "Docker". Additional package types will be added.

pkg_name (string): Name of package from Catalog

all_versions (Boolean): Set to true to indicate all versions

pkg_versions (Array[string]): List of specific versions of the package from the Catalog

justification (string): A way to document why the waiver was created

created_by (string): Username of the user who created the waiver

created_at (string): Timestamp when the waiver was created

LabelWaiver

Field (Type): Description

id (string): ID of this label waiver. Needs to be sent in the PUT request when modifying the policy to keep the waiver.

label (string): A label from the custom Catalog.

justification (string): A way to document why the waiver was created

created_by (string): Username of the user who created the waiver

created_at (string): Timestamp when the waiver was created
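The following is an added example, not JFrog's own client code, that builds a request body according to the field rules above (one selector field per scope, decision_owners required for manual waiver approval) and submits it. The base URL and bearer access token are placeholders.

```python
import json
import urllib.request

# Added example (not JFrog's client code): builds a policy body using the field
# rules this page documents and POSTs it. Base URL and token are placeholders.
SCOPE_FIELD = {  # each scope reads exactly one selector field
    "all_repos": "repo_exclude",
    "specific_repos": "repo_include",
    "pkg_types": "pkg_types_include",
}
VALID_ACTIONS = ("block", "dry_run")
VALID_WAIVER_CONFIGS = ("forbidden", "manual", "auto_approved")

def build_policy(name, condition_id, scope, policy_action="dry_run",
                 waiver_request_config="forbidden", selector=None,
                 decision_owners=None, notify_emails=None):
    """Return the request body, rejecting combinations the page marks invalid."""
    if scope not in SCOPE_FIELD:
        raise ValueError(f"scope must be one of {sorted(SCOPE_FIELD)}")
    if policy_action not in VALID_ACTIONS:
        raise ValueError(f"policy_action must be one of {VALID_ACTIONS}")
    if waiver_request_config not in VALID_WAIVER_CONFIGS:
        raise ValueError(f"waiver_request_config must be one of {VALID_WAIVER_CONFIGS}")
    # manual approval routes waiver requests to the Access groups in decision_owners
    if waiver_request_config == "manual" and not decision_owners:
        raise ValueError("waiver_request_config=manual requires decision_owners")
    body = {"name": name, "condition_id": str(condition_id), "scope": scope,
            "policy_action": policy_action,
            "waiver_request_config": waiver_request_config}
    if selector:  # repo_exclude / repo_include / pkg_types_include, chosen by scope
        body[SCOPE_FIELD[scope]] = list(selector)
    if decision_owners:
        body["decision_owners"] = list(decision_owners)
    if notify_emails:
        body["notify_emails"] = list(notify_emails)
    return body

def create_policy(base_url, token, body, opener=urllib.request.urlopen):
    """POST the body; return the parsed response (id, condition, ...) on 201."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/xray/api/v1/curation/policies",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with opener(req) as resp:  # opener is injectable so the call can be tested offline
        if resp.status != 201:
            raise RuntimeError(f"policy creation failed with HTTP {resp.status}")
        return json.load(resp)
```

For example, `create_policy("https://example.jfrog.io", "<ACCESS_TOKEN>", build_policy("critical vulns only", 3, "all_repos", "block"))` sends the same body as the Sample Request below and returns the parsed policy, including its new id.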

Response Body

Field (Type): Description

id (string): ID of the policy, used in path parameters to update or delete the policy.

created_by (string): Username of the user who created the policy

updated_by (string): Username of the user who updated the policy

created_at (string): Timestamp when the policy was created

updated_at (string): Timestamp when the policy was updated

enabled (Boolean): Automatically set to true when the policy is created. Automatically set to false if something makes the policy’s effective scope empty, for example, the only repo the policy can cover is deleted. Can be set to true when updating the policy, provided the effective scope is not empty at the time of the update.

name (string): Name of policy

scope (string): One of: all_repos, specific_repos or pkg_types.

  1. "all_repos" means the policy will apply to all curated repositories except those listed in repo_exclude

  2. "specific_repos" means the policy will apply to the list of repositories listed in repo_include

  3. "pkg_types" means the policy will apply to all curated repositories of the package types listed in pkg_types_include

repo_exclude: Used with scope=all_repos

repo_include: Used with scope=specific_repos

pkg_types_include: Used with scope=pkg_types

policy_action (string): One of: block or dry_run. Dry run policies only accumulate audit logs; they don’t block packages from being downloaded.

condition_id (string): The ID of the condition used by the policy.

condition (Condition): The condition used by the policy, selected by condition_id, inlined for convenience.

waivers (Array[PackageWaiver]): List of package waivers

label_waivers (Array[LabelWaiver]): List of label waivers

notify_emails (Array[string]): List of email addresses that receive notifications when the policy causes a package to be blocked

waiver_request_config (string): One of: forbidden, manual or auto_approved.

  If forbidden, waiver requests cannot be created for the policy.

  If manual, waiver requests can be created for the policy and must be approved by users from the JFrog Access groups listed in decision_owners.

  If auto_approved, waiver requests can be created and are immediately and automatically approved by the system when created, recording who created the waiver request, when, and why.

decision_owners (Array[string]): List of JFrog Access groups used by waiver_request_config=manual

Sample Request

POST /xray/api/v1/curation/policies
Authorization: …
Content-Type: application/json

{
  "name": "critical vulns only",
  "condition_id": "3",
  "scope": "all_repos",
  "policy_action": "block",
  "waiver_request_config": "forbidden"
}

Sample Response

{
  "id": "4",
  "created_by": "admin",
  "updated_by": "admin",
  "created_at": "2025-03-12T16:05:24+02:00",
  "updated_at": "2025-03-12T16:05:24+02:00",
  "enabled": true,
  "name": "critical vulns only",
  "scope": "all_repos",
  "policy_action": "block",
  "condition_id": "3",
  "condition": {
    "id": "3",
    "is_custom": false,
    "created_at": "2023-08-01T03:00:00+03:00",
    "updated_at": "2023-08-01T03:00:00+03:00",
    "risk_type": "security",
    "supported_pkg_types": ["npm", "PyPI", "Maven", "Go", "NuGet", "Conan", "Gems", "Gradle"],
    "condition_template_id": "CVECVSSRange",
    "name": "CVE with CVSS score of 9 or above (with or without a fix version available)",
    "param_values": [
      {
        "param_id": "vulnerability_cvss_score_range",
        "value": [
          9,
          10
        ]
      },
      {
        "param_id": "apply_only_if_fix_is_available",
        "value": false
      }
    ]
  },
  "waiver_request_config": "forbidden"
}

Response Codes

Status: Description

201: Created

400: Bad request