Features and Capabilities

JFrog Curation includes several core features to enforce security, compliance, and operational control:

Policy-Driven Package Governance

Define curation policies to enforce security, licensing, and operational rules on package downloads. Policies are evaluated at the repository level to ensure compliance.
Policies are built from "Conditions", which can be predefined or custom.

Policy actions: A policy is either blocking, which prevents the developer from using the violating package, or dry-run. Dry-run policies are used to assess a policy's impact on the organization before it is made blocking.

Conditions, Custom Conditions, and Condition Templates

  • Predefined Conditions: Out-of-the-box rules provided by JFrog to address common security, operational, and legal risks (e.g., block malicious packages, outdated versions, or licenses).
  • Custom Conditions: Templates allow admins to create tailored conditions. These allow organizations to address specific needs, such as blocking packages vulnerable to a specific CVE or requiring certain operational thresholds.
  • Advanced Condition settings: Some templates support more advanced configurations that create a relaxed condition. Relaxed conditions reduce the false-positive impact of broad policies by blocking only packages that match multiple parameters.
  • Usage of conditions in Policies:
    • Each policy contains a single condition that defines its enforcement criteria.
    • Custom conditions provide granularity and adaptability for unique organizational requirements.
    • Conditions are pivotal to determining which packages are approved or blocked during evaluations.

Waivers

Exclude specific packages or versions from policy restrictions using waivers applied via catalog labels or manual configuration.

Waivers can be applied in two ways:

  1. Package versions are added directly to the policy as waivers.
  2. Catalog labels are used to mark the desired package versions, and the label is then attached to one or more policies. If you intend to apply waivers across a broader spectrum, this approach is preferable, as it supports bulk actions and lets you reuse labels on other policies.

Compliant Version Selection

When a requested package version is blocked by a curation policy, Compliant Version Selection (CVS) automatically returns the highest version that passes all policies instead of failing the request. This ensures developers can continue working without disruption, while still enforcing security and compliance rules.

  • Automatic Fallback: When a blocked version is detected, Curation evaluates all available versions within the dependency range and returns the highest compliant one — covering both direct and transitive dependencies.
  • Seamless Developer Experience: Developers are not notified when a different version is delivered. Builds succeed transparently with a compliant version.
  • Supported Package Types:
    • Full Support: npm, PyPI, Maven, Go
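The following is an added illustration of how the waiver and Compliant Version Selection behaviour described above fit together; it is not JFrog's code. It assumes simplified dotted-integer versions, npm-style caret or `>=A <B` ranges, and a hypothetical blocklist-style policy whose violations can be exempted by waivers; the package versions and blocklist are constructed sample data.

```python
from typing import Callable, Iterable, Optional, Set, Tuple

Version = Tuple[int, int, int]

def parse(v: str) -> Version:
    """Turn '4.17.2' into a comparable (4, 17, 2) tuple; missing parts default to 0."""
    parts = [int(p) for p in v.split(".")] + [0, 0]
    return parts[0], parts[1], parts[2]

def in_range(v: Version, spec: str) -> bool:
    """Dependency ranges supported here: '^X.Y.Z' (npm caret) or '>=A <B' bounds."""
    if spec.startswith("^"):
        lo = parse(spec[1:])
        if lo[0] > 0:
            return v >= lo and v[0] == lo[0]
        if lo[1] > 0:                       # ^0.Y.Z pins the minor version
            return v >= lo and v[:2] == lo[:2]
        return v == lo                      # ^0.0.Z pins the exact version
    lo = hi = None
    for tok in spec.split():
        if tok.startswith(">="):
            lo = parse(tok[2:])
        elif tok.startswith("<"):
            hi = parse(tok[1:])
    return (lo is None or v >= lo) and (hi is None or v < hi)

def make_policy(blocked: Set[str], waived: Set[str]) -> Callable[[str], bool]:
    """Hypothetical policy: a version violates it if it is on the blocklist
    and no waiver (direct package waiver or catalog label) exempts it."""
    return lambda v: v in blocked and v not in waived

def select_compliant(available: Iterable[str], spec: str,
                     violates: Callable[[str], bool]) -> Optional[str]:
    """CVS fallback: the highest version inside the range that passes the policy, else None."""
    for v in sorted(available, key=parse, reverse=True):
        if in_range(parse(v), spec) and not violates(v):
            return v
    return None

# Constructed sample data, not real package metadata.
AVAILABLE = ["4.17.15", "4.17.19", "4.17.20", "4.17.21", "5.0.0"]
BLOCKED = {"4.17.20", "4.17.21"}

def demo_without_waiver() -> Optional[str]:
    return select_compliant(AVAILABLE, "^4.17.0", make_policy(BLOCKED, set()))

def demo_with_waiver() -> Optional[str]:
    return select_compliant(AVAILABLE, "^4.17.0", make_policy(BLOCKED, {"4.17.21"}))

def demo_nothing_compliant() -> Optional[str]:
    return select_compliant(AVAILABLE, ">=4.17.20 <5.0.0", make_policy(BLOCKED, set()))
```

When no version in the requested range passes the policy, the fallback returns nothing and the request would be blocked rather than silently downgraded outside the range.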

Learn more about configuring Compliant Version Selection.

Curation Federation

Organizations operating multiple Instances can use Curation Federation to synchronize curation rules across all sites from a single central location.

  • Controller and Followers: One Instance is designated as the controller (source of truth). All connected Instances act as followers and automatically receive policies, conditions, and labels.
  • Policy-Level Sharing: Not all policies are federated by default. Administrators opt in to individual policies by enabling Share with Federation in the policy settings. Only policies with scope All Curated or Package Types can be shared.
  • Federated Entities: Four types of entities are synchronized — package-type connection settings, custom conditions, Catalog labels, and shared policies.
  • Local Flexibility on Followers: Follower sites can customize federated policies for local needs — adjusting excluded repositories, notification emails, decision owners, and waivers — without changing the centrally managed rule.
  • Automatic Sync: Changes are propagated in real time. If a follower is temporarily disconnected, a full sync can be triggered to reconcile missed updates.

Learn more about configuring Curation Federation.

Audit and Reporting

Audit is a crucial function of Curation. Every package inspected by Curation has an audit event log. If the package was blocked, or was allowed through because a relaxed policy condition applied, the event log records it.

  • View blocked/approved package events.
  • Run dry-run evaluations to simulate policy enforcement without blocking downloads.
  • Access detailed audit logs for compliance and troubleshooting.

Curation User Audit: Every user action in Curation is logged for regulatory and documentation purposes.

Integration with JFrog CLI

Developers can use the CLI to:

  • Check curation violations for a project.
  • View detailed policy decisions for specific packages.

Curation-Catalog Integration

  • The Global Catalog serves as a metadata repository for package evaluation, enabling the Curation service to assess and block/approve packages in real-time.
  • Dynamic metadata updates ensure packages are evaluated against the latest security and licensing data.
  • Organizations can manage both public and private metadata through the catalog for tailored curation capabilities.
  • Use labels in the JFrog Catalog to group and manage packages based on organizational requirements. These labels can be applied to:
    • Allowlists: Accept only pre-verified packages for use.
    • Blocklists: Block specific packages or versions at scale.
    • Waivers: Exclude labeled packages from curation restrictions.

Operational stats

Minimal performance impact, with average evaluation times of ~100ms per package request.