Block Downloads from Cached Remote Repositories

JFrog Security User Guide

Info

This feature is currently in a gradual rollout. To participate or gain early access, contact JFrog Support.

Curation allows policy creators to block downloads from both external sources and cached packages stored in remote repositories.

This enables organizations to enforce comprehensive download restrictions, ensuring that developers cannot access disallowed packages even if they already exist in the Artifactory remote repository cache.

Organizations that want to raise their security standards and need to prevent developers from using packages whose security posture has changed should use block from cache.
This feature guarantees that:

  • Policy-violating packages cannot be downloaded, regardless of whether they are stored in the cache or retrieved from the internet.
  • Policy expression is consistent and comprehensive.

Feature Activation

Enforcing policy blocking on cached packages is done at two levels:

Product-Level Enablement

To enable the capability for the environment, navigate to Administration > Settings > Enable Curation for Cached Packages.

  • Turning this toggle on only makes the feature visible.
  • Once enabled, policy creators will see additional configuration options within the policy creation flow.
  • No enforcement has been applied yet.

Policy-Level Enforcement

After enabling the feature globally, a policy must be explicitly configured to apply blocking to cached packages. In the Policy, under Actions & Notifications, turn on Enforce Policy on Cached Packages.

Only policies where this toggle is enabled will enforce restrictions on cached package downloads.

Audit visibility

A new column, Event origin, was added to the audit. It shows one of the following:

  1. The package was downloaded from an external source into a remote repository in Artifactory.
  2. The package was downloaded from the remote repository’s local cache in Artifactory.
  3. A simulated event generated by the JF CA CLI command.

You can filter on this column in the right-pane filter, like the other parameters.

Scope Enhancement: Apply Policy to a Group of Users

A new Scope option is available when creating a policy:

Scope Option   | Description
Group of Users | Allows policy enforcement or exclusions based on Platform Access Groups

In environments where a single repository is used by multiple user groups, you can apply different policy behaviors per group.

Example

  • Group A: Excluded from the policy; allowed to download packages that meet the maturity criteria
  • Group B: Blocked if the package contains a critical CVE
  • Group C: Only permitted to download versions approved through compliance review

Workflow

When a user requests to download a package from a remote repository:

  1. Curation evaluates the request according to active policies.
  2. If policy blocking is enforced on cached packages:
    • If the package violates the policy:
      • The download is blocked, whether the package is fetched from the internet or served from cache.
    • If the package is allowed:
      • The download proceeds normally.
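The workflow above, together with the two-level enablement (product toggle plus policy toggle), the Event origin audit values and the Group A / B / C example, is written out below as an added Python model. It is illustrative code with assumed data shapes (DownloadRequest, Policy, Decision and the sample policy conditions are constructed for this example), not JFrog's own implementation or API.

```python
"""Model of the Curation decision rules this page describes.

Added illustration with assumed data shapes; not JFrog's implementation or API.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, List, Optional


class EventOrigin(Enum):
    """The three values the audit's Event origin column can show."""
    EXTERNAL = "downloaded from external source into remote repository"
    CACHE = "downloaded from remote repository cache"
    SIMULATED = "simulated event generated by the Curation CLI"


@dataclass(frozen=True)
class DownloadRequest:
    """A download request plus the package facts the sample policies inspect (constructed)."""
    package: str
    version: str
    user_group: str
    origin: EventOrigin
    has_critical_cve: bool = False
    compliance_approved: bool = False
    age_days: int = 0


@dataclass(frozen=True)
class Policy:
    name: str
    violates: Callable[[DownloadRequest], bool]   # True when the package breaks the policy
    enforce_on_cached: bool = False                # policy-level "Enforce Policy on Cached Packages"
    scope_groups: Optional[FrozenSet[str]] = None  # None = applies to every group
    excluded_groups: FrozenSet[str] = frozenset()  # groups explicitly excluded from the policy


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    event_origin: EventOrigin  # what the audit row records


def evaluate(req: DownloadRequest, policies: List[Policy], cached_feature_enabled: bool) -> Decision:
    """Every request is evaluated; a cached download is only subject to a policy when
    both the product-level toggle and that policy's own toggle are on."""
    for policy in policies:
        if req.user_group in policy.excluded_groups:
            continue
        if policy.scope_groups is not None and req.user_group not in policy.scope_groups:
            continue
        if req.origin is EventOrigin.CACHE and not (cached_feature_enabled and policy.enforce_on_cached):
            continue  # cache hit served as before: this policy does not reach cached packages
        if policy.violates(req):
            return Decision(False, f"blocked by policy '{policy.name}'", req.origin)
    return Decision(True, "no policy violation", req.origin)


# Constructed policies mirroring the Group A / B / C example on this page.
SAMPLE_POLICIES = [
    Policy("maturity-14-days", lambda r: r.age_days < 14, enforce_on_cached=True,
           excluded_groups=frozenset({"group-a"})),            # group A is excluded
    Policy("block-critical-cve", lambda r: r.has_critical_cve, enforce_on_cached=True,
           scope_groups=frozenset({"group-b"})),               # group B only
    Policy("compliance-approved-only", lambda r: not r.compliance_approved, enforce_on_cached=True,
           scope_groups=frozenset({"group-c"})),               # group C only
]


def audit_trail(requests, policies, cached_feature_enabled):
    """One audit row per request: (package, group, event origin, allowed, reason)."""
    rows = []
    for req in requests:
        d = evaluate(req, policies, cached_feature_enabled)
        rows.append((req.package, req.user_group, d.event_origin.name, d.allowed, d.reason))
    return rows


if __name__ == "__main__":
    cached_vuln = DownloadRequest("example-lib", "1.0.0", "group-b", EventOrigin.CACHE,
                                  has_critical_cve=True, age_days=30)
    for enabled in (False, True):
        d = evaluate(cached_vuln, SAMPLE_POLICIES, cached_feature_enabled=enabled)
        print(f"product toggle {'on ' if enabled else 'off'}: allowed={d.allowed} ({d.reason})")
```

The key check is the `EventOrigin.CACHE` branch in `evaluate`: with the product toggle off, a cached package that violates a policy is still served, which is exactly the gap this feature closes; the same package fetched from the external source is blocked either way.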

Info

Limitation for NPM Packages

When using Compliant Version together with group-based policy enforcement and cached package blocking, cache behavior may cause multiple groups to receive the same compliant version that was retrieved by the first user. Curation will still evaluate the download request and block it if it conflicts with the policies of the requesting group.