{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://jfrog.com/schemas/curation-policy", "title": "JFrog Curation Policy", "description": "Represents a curation policy in JFrog Curation that automatically vets and blocks malicious, vulnerable, or risky open-source packages before they enter the development environment. Curation acts as a gateway between public package registries and internal repositories.", "type": "object", "properties": { "policy_name": { "type": "string", "description": "Unique name identifying the curation policy", "examples": [ "block-critical-vulnerabilities", "require-license-approval" ] }, "description": { "type": "string", "description": "Human-readable description of the policy purpose" }, "enabled": { "type": "boolean", "description": "Whether the policy is actively enforced", "default": true }, "policy_type": { "type": "string", "description": "Type of curation policy defining its behavior", "enum": [ "block_malicious_packages", "block_packages_with_vulnerabilities", "block_packages_without_license", "block_packages_by_name", "block_packages_by_age", "allow_only_approved_packages", "custom" ] }, "repositories": { "type": "array", "description": "Remote repository keys this policy applies to", "items": { "type": "string" } }, "package_types": { "type": "array", "description": "Package ecosystem types this policy applies to", "items": { "type": "string", "enum": [ "npm", "maven", "pypi", "docker", "go", "nuget", "gems", "cargo", "conda", "composer", "helm" ] } }, "conditions": { "type": "object", "description": "Conditions that trigger the policy action", "properties": { "min_severity": { "type": "string", "description": "Minimum vulnerability severity to trigger blocking", "enum": [ "Low", "Medium", "High", "Critical" ] }, "max_age_days": { "type": "integer", "description": "Maximum package age in days (for age-based blocking)", "minimum": 1 },
"banned_package_names": { "type": "array", "description": "Specific package names to block", "items": { "type": "string" } }, "banned_licenses": { "type": "array", "description": "License types to block", "items": { "type": "string" } }, "approved_packages": { "type": "array", "description": "Explicitly approved packages (for allow-list policies)", "items": { "type": "object", "properties": { "name": { "type": "string" }, "version": { "type": "string" } }, "required": [ "name" ] } } } }, "actions": { "type": "object", "description": "Actions taken when policy conditions are met", "properties": { "block": { "type": "boolean", "description": "Whether to block the package download" }, "notify": { "type": "boolean", "description": "Whether to send notifications" }, "notify_emails": { "type": "array", "description": "Email addresses to notify", "items": { "type": "string", "format": "email" } }, "custom_message": { "type": "string", "description": "Custom message returned to the user when a package is blocked" } } }, "created": { "type": "string", "format": "date-time", "description": "Policy creation timestamp" }, "modified": { "type": "string", "format": "date-time", "description": "Last modification timestamp" } }, "required": [ "policy_name", "policy_type" ] }