Description: Update an existing policy
Notes:
Note about only sending editable properties:
When editing a policy, don’t send back the entire object returned by loading or listing the policy.
Properties like id, created_by, updated_by, created_at, updated_at, enabled cannot be set via the API, and sending them to the create policy or update policy endpoint will cause an error.
Note about editing waivers and label waivers:
Waivers and label waivers cannot be edited in place. They can be added (by sending an object without an id property but with the properties pkg_type, pkg_name, all_versions, pkg_versions and justification), they can be retained (by sending an object with the ID of an existing waiver of the policy), and they can be removed (by not sending an object with the ID of an existing waiver of the policy). To edit a waiver, remove it and add a new waiver with the values you need.
Since: 3.116.x
Security: Requires a valid user with the "MANAGE_POLICIES" permission.
Usage: PUT /xray/api/v1/curation/policies/{policy_id}
Consumes: application/json
Produces: application/json
Path Parameters: policy_id
Query Parameters: None
Request Body
Name | Type | Description |
---|---|---|
| Boolean | Automatically set to true when policy is created. Automatically set to false if something makes the policy’s effective scope empty, for example the only repo the policy can cover is deleted. Can be set to true when updating the policy if the effective scope is not empty when updating the policy. |
| string | Name of policy |
| string | One of:
|
| Used with scope= | |
| Used with scope= | |
| Used with scope= | |
| string | One of: Dry run policies only accumulate audit logs, they don’t block packages from being downloaded. |
| string | The ID of the condition used by the policy. |
| Array[PackageWaiver] | List of package waivers |
| Array[LabelWaiver] | List of label waivers |
| Array[string] | List of email addresses that receive notification when the policy causes a package to be blocked |
| string | One of: If forbidden, waiver requests cannot be created for the policy. If manual, then waiver requests can be created for the policy, and must be approved by users from the JFrog Access groups listed in decision_owners. If auto_approved, then waiver requests can be created and are automatically approved by the system as soon as they are created, recording who created the waiver request, when and why. |
| Array[string] | List of JFrog Access groups used by |
Response Body
Name | Type | Description |
---|---|---|
| string | ID of the policy, used in path parameters to update or delete the policy. |
| string | Username of the user who created the policy |
| string | Username of the user who updated the policy |
| string | Timestamp when the policy was created |
| string | Timestamp when the policy was updated |
| Boolean | Automatically set to true when the policy is created. Automatically set to false if something makes the policy’s effective scope empty, for example, the only repo the policy can cover is deleted. Can be set to true when updating the policy if the effective scope is not empty when updating the policy. |
| string | Name of policy |
| string | One of:
|
| Used with scope= | |
| Used with scope= | |
| Used with scope= | |
| string | One of: Dry run policies only accumulate audit logs, they don’t block packages from being downloaded. |
| string | The ID of the condition used by the policy. |
| Condition | The condition used by the policy, selected by |
| Array[PackageWaiver] | List of package waivers |
| Array[LabelWaiver] | List of label waivers |
| Array[string] | List of email addresses that receive notifications when the policy causes a package to be blocked |
| string | One of: If forbidden, waiver requests cannot be created for the policy. If manual, then waiver requests can be created for the policy, and must be approved by users from the JFrog Access groups listed in decision_owners. If auto_approved, then waiver requests can be created and are automatically approved by the system as soon as they are created, recording who created the waiver request, when and why. |
| Array[string] | List of JFrog Access groups used by |
Sample Request
```
PUT /xray/api/v1/curation/policies/4/
Authorization: …
Content-Type: application/json

{
  "name": "no malicious",
  "condition_id": "1",
  "scope": "all_repos",
  "policy_action": "block",
  "waiver_request_config": "forbidden"
}
```
Sample Response
```
{
  "id": "4",
  "created_by": "admin",
  "updated_by": "admin",
  "created_at": "2025-03-12T16:05:24+02:00",
  "updated_at": "2025-03-12T16:23:38+02:00",
  "enabled": true,
  "name": "no malicious",
  "scope": "all_repos",
  "policy_action": "block",
  "condition_id": "1",
  "condition": {
    "id": "1",
    "is_custom": false,
    "created_at": "2023-08-01T03:00:00+03:00",
    "updated_at": "2023-08-01T03:00:00+03:00",
    "risk_type": "security",
    "supported_pkg_types": ["npm", "PyPI", "Maven", "Go", "NuGet", "Conan", "Gems", "Gradle", "HuggingFaceML", "Docker"],
    "name": "Malicious package"
  },
  "waiver_request_config": "forbidden"
}
```
Response Codes:
Status | Description |
---|---|
200 | OK |
400 | Bad request |
404 | Not found |
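
The two notes at the top of this page (send only editable properties; add, retain or remove waivers rather than editing them) can be applied client-side before the PUT, as in this added example, which is not JFrog's code. The function names, the sample waiver values and their value types are constructed, and dropping the response-only condition object is an assumption based on it being absent from the request body table.

```python
import copy

# Properties the page lists as not settable through the API.
READ_ONLY = {"id", "created_by", "updated_by", "created_at", "updated_at", "enabled"}
# Assumption: "condition" is the expanded, response-only object, so it is dropped too.
RESPONSE_ONLY = {"condition"}
# Properties the page requires on a newly added package waiver.
NEW_WAIVER_PROPS = {"pkg_type", "pkg_name", "all_versions", "pkg_versions", "justification"}

# Constructed sample: waivers as they might come back when loading a policy.
SAMPLE_WAIVERS = [
    {"id": "7", "pkg_type": "npm", "pkg_name": "example-a", "all_versions": True,
     "pkg_versions": [], "justification": "reviewed internally"},
    {"id": "8", "pkg_type": "PyPI", "pkg_name": "example-b", "all_versions": False,
     "pkg_versions": ["1.0.0"], "justification": "pinned build"},
]


def editable_body(loaded, **changes):
    """Build a PUT body from a loaded policy, dropping non-editable properties."""
    blocked = READ_ONLY | RESPONSE_ONLY
    bad = blocked & set(changes)
    if bad:
        raise ValueError(f"not editable: {sorted(bad)}")
    body = {k: copy.deepcopy(v) for k, v in loaded.items() if k not in blocked}
    body.update(changes)
    return body


def waiver_list(existing, keep_ids=(), add=()):
    """Array to send: retained waivers keep their id, new ones have none."""
    keep = set(keep_ids)
    unknown = keep - {w["id"] for w in existing}
    if unknown:
        raise ValueError(f"unknown waiver ids: {sorted(unknown)}")
    out = [copy.deepcopy(w) for w in existing if w["id"] in keep]
    for w in add:
        missing = NEW_WAIVER_PROPS - set(w)
        if "id" in w or missing:
            raise ValueError(f"new waiver has id or lacks {sorted(missing)}")
        out.append(copy.deepcopy(w))
    return out


def edit_waiver(existing, waiver_id, **new_values):
    """No in-place edit: omit the old waiver and add a replacement without id."""
    old = next(w for w in existing if w["id"] == waiver_id)
    new = {**{k: old[k] for k in NEW_WAIVER_PROPS}, **new_values}
    keep = [w["id"] for w in existing if w["id"] != waiver_id]
    return waiver_list(existing, keep, [new])
```

Any waiver ID left out of keep_ids is removed by the update, so compare the resulting array with the loaded one before sending it.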