Enterprise policy manager

Automate Compliance and Security with Enterprise-Wide Policy Enforcement

Enterprise Policy Manager gives you centralized control over your entire software supply chain - every package, dependency, format, and team - before software reaches developers, pipelines, or production.

Enterprise Policy Manager

Secure your teams and pipelines. Use our Enterprise Policy Manager to interpret threat signals and automate actions.

  • Use industry standard OPA Rego to define software usage policies
  • Apply policies to packages and container flowing through Cloudsmith
  • Perform actions based on your policies
  • Make refinements based on policy logs
CVSS ScoreCVE SeverityTypeAPI keyQuality scorePackage agePackage contributionsQuarantineDeleteLast contributed toCritical Risk PolicyPublishTest policyVulnerabitiy CVE Severity - CriticalConditionsActionsVulnerabitiy CVSS Score > 6ANDORPackagesQuarantine1234567891011121314151617181920212223242526 policy
 rego.v1
max_cvss := cve_allowlist := match := match target input.v0.security_scan
 vulnerability target.Vulnerabilities
 vulnerability.VulnerabilityID cve_allowlist
 cvss vulnerability.CVSS
 cvss.V3Score > max_cvss
packageimportdefaultfalseifsomesomeininnotinsomein# check if this CVSS score is higher than the maximum allowed value# check if this CVE has been explicitly allowed# maximum allowed CVSS score# array containing IDs of CVEs that have been explicitly allowed6}{[]"CVE-2023-32681"20+ conditions & actionsCustom policy builderBuild in code

How cloudsmith helps

Most organizations depend on open source they don’t control. EPM ensures the safety, quality, and license compliance of those packages at the point of entry.

Instead of waiting until late in the SDLC, Cloudsmith's policies act immediately on ingestion, blocking or quarantining risky artifacts and preventing non-compliant licenses from slipping through.
    Enterprise-ready Controls
    Policy as Code - Define and manage rules using Open Policy Agent (OPA). Tailor enforcement to enterprise requirements and update policies as new threats or regulations emerge.

    Data enrichment - Every decision can be based on vulnerabilities, malware intelligence, licenses, EPSS scores, and metadata. Cloudsmith makes all this intelligence available to the policy engine.

    Defined scope - Apply rules globally across your organization, or scope them to specific teams, repositories, or workflows. Detailed logs and reporting support audits and compliance frameworks.
    Continuous Protection
    Ingress control - Policies apply at the point of entry. Malicious, vulnerable, or non-compliant packages are blocked, quarantined, or tagged before they reach developers, pipelines, or production.

    Continuous policy evaluation - Packages already in repositories are continuously re-evaluated against up-to-date threat feeds and license intelligence, ensuring your software supply chain remains secure over time.

    Multi-format consistency - Whether npm, PyPI, Docker, NuGet, Maven, or beyond, every artifact traverses the same controlled gateway, subject to the same rules and data sources.
    Considered user experience
    Developer-friendly by design - Policies are enforced automatically, so developers don’t need to stop and check. Real-time enforcement minimizes friction and maintains velocity.

    No-code policy builder - Create policies from scratch without writing a line of Rego code using our drag and drop policy builder.

    Comprehensive documentation - Build on our library of OPA policies, written in Rego, tailoring them to your unique needs.

Frequently Asked Questions

  1. The majority of organizations rely on open source that they cannot control. EPM implements safety, quality, and license compliance at the point of entry before any risky package even reaches the developers, pipelines, or production.

  2. EPM is built to enforce security without blocking productivity. When risks are detected, flexible actions—such as notifying, tagging, or quarantining—apply the right level of control for the environment. Because EPM makes deep artifact data available to policies, much of this can be automated, giving developers clear, immediate feedback. Applying policies does take a small amount of additional time, but the result is less time spent on security fire drills later, and faster access to high-quality, compliant software from the start.

  3. Yes. EPM uses policy-as-code (via OPA) to tailor enforcement to enterprise requirements. Because all artifact intelligence is available to policies, rules can be updated quickly as threats, regulations, or internal standards evolve.

  4. Every action is logged and exportable, giving security teams full visibility into what was allowed, blocked, or quarantined. These records provide clear insights for governance and make it easy to demonstrate that controls are in place during audits or internal reviews.

  5. No. Although open source risk is a large contributor, the elastic framework of EPM allows you to impose rules on any artifacts across formats (from containers to language packages). Policies can be used to manage licenses, vulnerabilities, or even custom metadata, and they can be applied across the entire software supply chain.

  6. Cloudsmith constantly infuses artifacts with new intelligence - such as vulnerabilities and EPSS scores, malware signals, and license updates. Since policies always consider the most recent data, packages in your repositories are re-checked automatically, keeping your protections updated as threats change.

  7. Both. DevOps leaders receive low-friction automated enforcement that continues to keep developers working at high velocity, and AppSec and security teams achieve the governance and visibility that they require throughout the supply chain. EPM fills the gap by connecting speed and security at enterprise scale.

  8. You control the scope. EPM allows you to implement policies at the org level, team level, repository level, or even workflow level. That flexibility makes it easy to impose global rules without compromising on team-specific requirements or experimental environments.

Additional Resources

Curious about how EPM was built? Wondering what great policy management looks like? Take a look at the resources below to learn more.
Rego Policy Cookbook

Rego Policy Cookbook

Most teams struggle with where to start when it comes to policy as code. This Cookbook gives teams working examples for common scenarios, blocking risky dependencies, enforcing signature verification, validating metadata, and more. Each recipe includes the full code, context for why it matters, and a link to GitHub.
Unlocking policy-as-code automation with Cloudsmith EPM

Unlocking policy-as-code automation with Cloudsmith EPM

With Cloudsmith, developers and platform engineers can treat security and compliance as first-class, automated citizens in their CI/CD systems. Whether you’re integrating with Terraform, GitHub Actions, or your own orchestration tooling, Cloudsmith EPM gives you the control you need to secure your software supply chain your way.
Pull back the hood on the data and tech that informs EPM

Pull back the hood on the data and tech that informs EPM

This post lifts the curtain on the input data, technology stack, and policy lifecycle that drive Cloudsmith’s real-time, zero-trust decision engine - now extended to delay and block even the first download of non-compliant packages from upstream sources.
Ready to get started?
Speak to a Cloudsmith expert about protecting your organization from threats using EPM.