Policy management

Policy as Code for Your Entire Software Supply Chain

Cloudsmith Policy Management gives you centralized control over every package, dependency, and container - across every format and team - before software reaches developers, pipelines, or production. Built for the speed and scale of modern and AI-assisted engineering.

Policy Management

Secure your teams, pipelines, and AI workflows. Use policy as code to interpret threat signals and automate enforcement actions.

  • Use industry standard OPA Rego to define software usage policies
  • Apply policies to packages and containers flowing through Cloudsmith
  • Perform actions based on your policies
  • Make refinements based on policy logs

How Cloudsmith helps

Most organizations depend on open source they don't control. Policy as code ensures the safety, quality, and license compliance of every package at the point of entry - including dependencies demanded by AI agents.

Instead of waiting until late in the SDLC, Cloudsmith policies act immediately on ingestion, blocking or quarantining risky artifacts and preventing non-compliant licenses from slipping through - whether those dependencies were specified by a developer or an AI agent.
Enterprise-ready Controls

Policy as Code - Define and manage rules using Open Policy Agent (OPA). Tailor enforcement to enterprise requirements and update policies as new threats or regulations emerge.

Cooldown policies - Supply chain attacks like Shai-Hulud use malicious, newly-published packages. With cooldown policies you can apply rules governing the use of newly-published packages in your Workspace.

Data enrichment - Every decision can be based on vulnerabilities, malware intelligence, licenses, EPSS scores, and metadata. Cloudsmith makes all this intelligence available to the policy engine.

Defined scope - Apply rules globally across your organization, or scope them to specific teams, repositories, or workflows. Detailed logs and reporting support audits and compliance frameworks.

Continuous enrichment of risk data

Ingress control - Policies apply at the point of entry. Malicious, vulnerable, or non-compliant packages are blocked, quarantined, or tagged before they reach developers, pipelines, or production.

Continuous policy evaluation - Packages already in repositories are continuously re-evaluated against up-to-date threat feeds and license intelligence, ensuring your software supply chain remains secure over time.

Multi-format consistency - Whether npm, PyPI, Docker, NuGet, Maven, or beyond, every artifact traverses the same controlled gateway, subject to the same rules and data sources.

Considered user experience

Developer-friendly by design - Policies are enforced automatically, so developers don’t need to stop and check. Real-time enforcement minimizes friction and maintains velocity.

Comprehensive documentation - Build on our library of OPA policies, written in Rego, tailoring them to your unique needs.

Frequently Asked Questions

  1. The majority of organizations rely on open source that they cannot control. Policy management implements safety, quality, and license compliance at the point of entry before any risky package even reaches the developers, pipelines, or production.

  2. Policy management is built to enforce security without blocking productivity. When risks are detected, flexible actions—such as notifying, tagging, or quarantining—apply the right level of control for the environment. Because policy management makes deep artifact data available to policies, much of this can be automated, giving developers clear, immediate feedback. Applying policies does take a small amount of additional time, but the result is less time spent on security fire drills later, and faster access to high-quality, compliant software from the start.

  3. Yes. Policy management uses policy-as-code (via OPA) to tailor enforcement to enterprise requirements. Because all artifact intelligence is available to policies, rules can be updated quickly as threats, regulations, or internal standards evolve.

  4. Every action is logged and exportable, giving security teams full visibility into what was allowed, blocked, or quarantined. These records provide clear insights for governance and make it easy to demonstrate that controls are in place during audits or internal reviews.

  5. No. Although open source risk is a large contributor, the elastic framework of policy management allows you to impose rules on any artifacts across formats (from containers to language packages). Policies can be used to manage licenses, vulnerabilities, or even custom metadata, and they can be applied across the entire software supply chain.

  6. Cloudsmith constantly infuses artifacts with new intelligence - such as vulnerabilities and EPSS scores, malware signals, and license updates. Since policies always consider the most recent data, packages in your repositories are re-checked automatically, keeping your protections updated as threats change.

  7. Both. DevOps leaders receive low-friction automated enforcement that continues to keep developers working at high velocity, and AppSec and security teams achieve the governance and visibility that they require throughout the supply chain. Policy management fills the gap by connecting speed and security at enterprise scale.

  8. You control the scope. Policy management allows you to implement policies at the org level, team level, repository level, or even workflow level. That flexibility makes it easy to impose global rules without compromising on team-specific requirements or experimental environments.

  9. Cooldown policies let you restrict the use of newly-published packages for a defined period after they appear in an upstream registry. Many supply chain attacks rely on injecting malicious packages that get pulled in immediately after publication - before the community or threat intelligence feeds have had time to flag them. By applying a cooldown window, you ensure that only packages with an established publication history can enter your supply chain, reducing your exposure to zero-day package attacks.

  10. Yes. Cooldown policies are configurable by scope, so you can apply stricter windows to high-risk ecosystems or repositories while leaving others unaffected.
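To make the cooldown idea concrete, here is an added example of what such a rule looks like as OPA Rego policy as code. It is not taken from Cloudsmith's policy library, and the input document shape (`input.now`, `input.package.format`, `input.package.name`, `input.package.published_at`) and the per-format windows are assumptions constructed for illustration; a real deployment would use the fields the platform actually supplies to the policy engine.

```rego
package cloudsmith.cooldown

import rego.v1

# Assumed input shape (constructed for this example, not a documented schema):
#   input.now                    RFC 3339 time of evaluation
#   input.package.format         ecosystem, e.g. "npm", "pypi", "docker"
#   input.package.name           package name
#   input.package.published_at   RFC 3339 time the version appeared upstream
#
# Example input (constructed):
# {"now": "2025-03-10T12:00:00Z",
#  "package": {"format": "npm", "name": "example-pkg",
#              "published_at": "2025-03-08T09:30:00Z"}}

# Cooldown window in days per ecosystem; stricter for higher-risk registries,
# with a shorter default for everything else (values are illustrative).
cooldown_days := {"npm": 7, "pypi": 7, "docker": 3}

default_cooldown_days := 2

# Pick the ecosystem-specific window, falling back to the default.
window_days := cooldown_days[input.package.format]

window_days := default_cooldown_days if not cooldown_days[input.package.format]

published_ns := time.parse_rfc3339_ns(input.package.published_at)

now_ns := time.parse_rfc3339_ns(input.now)

# Age of the package version in days (fractional).
age_days := (now_ns - published_ns) / (24 * 60 * 60 * 1000000000)

# A version is "in cooldown" while it is younger than the window.
in_cooldown if age_days < window_days

default allow := false

allow if not in_cooldown

# Enforcement action for the gateway to apply (action names are illustrative).
action := "quarantine" if in_cooldown

action := "allow" if not in_cooldown

# Human-readable reasons, useful for policy logs and developer feedback.
deny contains msg if {
	in_cooldown
	msg := sprintf("%s package %s was published %.1f days ago; cooldown for %s is %d days",
		[input.package.format, input.package.name, age_days, input.package.format, window_days])
}
```

With the sample input saved as `input.json` and the policy as `cooldown.rego`, `opa eval -i input.json -d cooldown.rego 'data.cloudsmith.cooldown'` evaluates the whole package and shows `allow`, `action` and `deny` together.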
