Deny Policy

Package deny policies are a feature of Cloudsmith's policy management system that lets organizations control which packages can be downloaded from their repositories.

Package deny rules are configuration settings applied at the organization level within Cloudsmith. Each rule carries a search query, the 'package_query_string', that identifies the packages to be blocked from download. By defining these rules, organizations can enforce stricter security measures and maintain tighter control over their software artifacts.

Supported Package Formats

This feature applies to all formats.

View Deny Policies

To view the deny policies in your organization, go to your organization's "Settings" page and select "Package Deny Policies" from the left-hand menu.

Create Deny Policies

To create a new deny policy, go to your organization's "Settings" page and select "Package Deny Policies" from the left-hand menu. Then click the "Create" button on the right-hand side.

You are then presented with the “Create Package Deny Policy” form:

Create Package Deny Policy Form

Here you can define the following:

  • Policy Name: A display name for the deny policy.
  • Description: A description of the deny policy.
  • Package Query: A search query that targets this policy at a specific repository, package format or package name. See Searching / Filtering for more details on the available fields you can filter on. The query string is limited to 256 characters; every package it matches is blocked across the organization.
  • Enabled: A toggle to enable or disable the rule.

Once saved, the policy is enabled across your organization, and the deny rule blocks any download request for a package that matches its query.

Download requests are blocked for the specific package or package version that matches, including the very first download of a package proxied through from an upstream, so a denied package cannot be pulled into a repository from an upstream source either.

Policy Violation Identifiers

When a local package is blocked by a deny rule, it is flagged in red in the application, and the download link on the right-hand side is greyed out and cannot be clicked.

When you open the package itself, a red box notes which deny rule is blocking it.

There is also a search facet that lists all the packages denied by your rules: deny_policy_violated:true

Audit Logs

Audit log entries are also recorded whenever a user configures (creates, updates or deletes) a deny rule.

Unblock a package that violates a policy

To unblock a package that violates a policy, you have three options:

  • Delete the deny policy, if you are authorized to.
  • Upgrade to a version of the package that the deny policy's query does not match.
  • Edit the deny policy, if you are authorized to, narrowing its query string so that it no longer matches this package.
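A deny rule is only as safe as its package query: too broad and it blocks packages you still need, too narrow and the bad version slips through. The script below is an added example (not Cloudsmith's code and not its real query engine) that dry-runs a query against a constructed package inventory so you can see what the Package Query field would deny before saving, and what editing the query to a narrower form (the third unblock option above) would release. The query grammar is a deliberate approximation: whitespace-separated field:value terms ANDed together, '*' as a wildcard, bare words matching the name, and the field names repository, format, name and version are assumptions; check the Searching / Filtering documentation for the real field list and syntax.

```python
import fnmatch

# Length limit stated for the Package Query box of the Create Package Deny Policy form.
MAX_QUERY_LEN = 256

# Fields this toy matcher understands. The names are an assumption made for
# this example; consult Cloudsmith's Searching / Filtering documentation for
# the real field list and query syntax.
FIELDS = ("repository", "format", "name", "version")

# Constructed inventory standing in for the packages in an organization's repositories.
INVENTORY = [
    {"repository": "prod", "format": "npm", "name": "lodash", "version": "4.17.20"},
    {"repository": "prod", "format": "npm", "name": "lodash", "version": "4.17.21"},
    {"repository": "prod", "format": "python", "name": "requests", "version": "2.31.0"},
    {"repository": "staging", "format": "npm", "name": "left-pad", "version": "1.3.0"},
    {"repository": "staging", "format": "docker", "name": "nginx", "version": "1.25"},
]


def parse_query(query):
    """Split a query string into (field, pattern) terms that are ANDed together.

    A bare word is treated as a name pattern and '*' is a wildcard inside a
    value. Over-long queries, unknown fields and empty values raise ValueError
    so a mistyped rule fails at review time instead of silently matching
    nothing (or everything).
    """
    if len(query) > MAX_QUERY_LEN:
        raise ValueError(f"query is {len(query)} chars; the form allows {MAX_QUERY_LEN}")
    terms = []
    for token in query.split():
        field, sep, value = token.partition(":")
        if not sep:
            field, value = "name", token
        if field not in FIELDS:
            raise ValueError(f"unknown field {field!r}; expected one of {FIELDS}")
        if not value:
            raise ValueError(f"empty value for field {field!r}")
        terms.append((field, value.lower()))
    if not terms:
        raise ValueError("empty query")
    return terms


def matches(package, terms):
    """True when every term matches the package (case-insensitive, '*' wildcard)."""
    return all(fnmatch.fnmatchcase(str(package[field]).lower(), pattern)
               for field, pattern in terms)


def denied_by(query, inventory=INVENTORY):
    """Return the (repository, name, version) tuples a policy with this query
    would block: the same set the deny_policy_violated:true facet would show
    once the policy is saved."""
    terms = parse_query(query)
    return {(p["repository"], p["name"], p["version"])
            for p in inventory if matches(p, terms)}


def newly_allowed(old_query, new_query, inventory=INVENTORY):
    """Packages the old policy blocked that an edited, narrower query no longer
    matches: what the 'edit the deny policy' unblock option releases."""
    return denied_by(old_query, inventory) - denied_by(new_query, inventory)


if __name__ == "__main__":
    broad = "format:npm name:lodash"
    narrow = "format:npm name:lodash version:4.17.20"
    print("broad rule denies:", sorted(denied_by(broad)))
    print("narrow rule denies:", sorted(denied_by(narrow)))
    print("editing broad -> narrow unblocks:", sorted(newly_allowed(broad, narrow)))
```

Run it against an export of your own package list before saving a rule; the difference between denied_by(old) and denied_by(new) is exactly what you should expect to see change under the deny_policy_violated:true facet after an edit.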
