Enterprise Policy Management
An overview of Enterprise Policy Management
Early Access Feature
Enterprise Policy Management is in early access; if you would like to try this feature, please Contact Us.
Enterprise Policy Management Overview
Enterprise policy management provides a way for Workspaces (previously known as Organizations) to define policies that can match and act on packages within Cloudsmith. Enterprise policy management is implemented on top of Open Policy Agent (OPA), a general-purpose and widely adopted policy evaluation engine. OPA provides a high-level declarative language called Rego to define policies in code.
OPA and Enterprise Policy Management
Enterprise policy management allows you to create an OPA policy that triggers when certain events occur within Cloudsmith, ensuring your policies are consistently enforced. When a policy is triggered, Cloudsmith provides the policy evaluation engine with package metadata (input data); if the Rego-based policy matches the package, a set of actions associated with the policy (called policy actions) act on the package.
At a high level, the Enterprise policy management policy evaluation workflow is as follows:
- An event occurs within Cloudsmith (for example the completion of a package security scan), triggering the policy.
- Package metadata and your Rego-based policy are provided to the policy evaluation engine.
- The policy evaluation engine determines if the policy "matches" the package, based on the logic/criteria provided in your policy.
- If the policy matches the package, the action(s) associated with the policy are then applied to the package.
An example policy, explained in more detail below, is one that quarantines a package following a security scan if vulnerabilities of a certain severity are found to exist within the package.
Policies Overview
Policy Triggers
Each policy is triggered by an event. Currently, Cloudsmith provides a single trigger point at package synchronization, following a security scan of a package.
Policy Matching
Matching policies are written in Rego. Matching is run against package metadata, which includes package, Workspace, repository and security information.
Policy Actions
Actions can be assigned to policies to act on packages following policy evaluation. If a package has been matched in the matching step above, the policy action(s) associated with the policy will then be applied to the package. Multiple actions can be associated with a given policy, and the following actions are currently supported:
- set_state. This allows you to control the state of the package, for example whether to delete or quarantine the package. See the PackageStateEnum for more information.
- add_package_tags. Add a set of tags to the package.
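As an added illustration (not a policy from Cloudsmith's own documentation), the following Rego rule implements the quarantine scenario described above: it matches when the security scan reports at least one vulnerability of a blocking severity. The field names under `input` (`security_scan.vulnerabilities`, `package.tags`) and the `risk-accepted` exemption tag are assumptions, since this page does not specify the input schema.

```rego
package cloudsmith.policy

import rego.v1

# Assumed input shape (constructed, not from the Cloudsmith docs):
# {
#   "package": {"name": "libexample", "tags": ["latest"]},
#   "security_scan": {
#     "vulnerabilities": [
#       {"id": "CVE-XXXX-YYYY", "severity": "High"},
#       {"id": "CVE-XXXX-ZZZZ", "severity": "Low"}
#     ]
#   }
# }

# A policy that does not match by default fails safe: nothing is quarantined
# unless a rule below positively matches.
default match := false

# Severities that should cause the package to be quarantined.
blocking_severities := {"critical", "high"}

# IDs of vulnerabilities at or above the blocking threshold.
# Severity strings are lower-cased so "High" and "high" compare equal.
blocking_vulns contains vuln.id if {
	some vuln in input.security_scan.vulnerabilities
	lower(vuln.severity) in blocking_severities
}

# Assumed exemption: a package explicitly tagged "risk-accepted" is not
# quarantined, so a reviewed finding does not re-trigger the action.
accepted_risk if {
	"risk-accepted" in input.package.tags
}

# The policy matches (and its actions, e.g. set_state to quarantine, apply)
# when at least one blocking vulnerability exists and no exemption is set.
match if {
	count(blocking_vulns) > 0
	not accepted_risk
}
```

With the sample input above, `blocking_vulns` evaluates to `{"CVE-XXXX-YYYY"}` and `match` to `true`; `opa eval -d policy.rego -i input.json 'data.cloudsmith.policy.match'` shows the result locally before the policy is attached to a trigger.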
For more detail on creating Enterprise policy management policies and actions, see the Getting Started with Enterprise Policy Management guide.