A policy turns your supply-chain rules into configuration that Vet evaluates automatically. Instead of reviewing dependencies by hand, you write the rules once and Vet applies them to every package, including transitive ones.

Why it matters

Manual vetting does not scale and misses transitive dependencies. A policy makes a rule like “block known malware”, “no GPL licenses”, or “no unmaintained packages” an automated, repeatable check that runs the same way locally and in CI/CD.

How it works

A policy is a set of CEL rules, written as a filter suite in a YAML file. Vet evaluates each package against the rules, and you decide what a match does:
  • During a local scan, Vet can exit non-zero when a package matches a blocking rule.
  • In CI/CD with vet-action, the policy file is passed via the policy input (conventionally .github/vet/policy.yml), and paranoid: true fails the build on a violation.

See Policy as Code for the full syntax and examples.
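The following is an added example of what such a policy file could look like for the rules named above; it is not taken from the Vet documentation. It assumes Vet's filter suite schema (name / check_type / summary / value per filter) and the licenses, scorecard and vulns CEL inputs that Vet exposes to rules; the "block known malware" rule is left out because this page does not name the CEL fields it would use.

```yaml
# .github/vet/policy.yml (example file; the filter names and summaries are made up here)
name: supply-chain-guardrails
description: |
  Encodes the rules from the text above as filters that Vet evaluates
  for every package in the manifest, including transitive dependencies.
filters:
  # "no GPL licenses": match any declared license whose SPDX identifier
  # starts with GPL (covers GPL-2.0, GPL-3.0 and their -only/-or-later forms)
  - name: no-gpl-licenses
    check_type: CheckTypeLicense
    summary: Package is distributed under a GPL-family license
    value: |
      licenses.exists(p, p.startsWith("GPL-"))

  # "no unmaintained packages": the OpenSSF Scorecard "Maintained" check
  # scores 0 when the project shows no recent commits or issue activity
  - name: no-unmaintained-packages
    check_type: CheckTypeMaintenance
    summary: Upstream project appears to be unmaintained (Scorecard Maintained == 0)
    value: |
      scorecard.scores.Maintained == 0

  # Also fail when a package carries a known critical vulnerability; the
  # same expression with vulns.high would extend this to high severity
  - name: no-critical-vulnerabilities
    check_type: CheckTypeVulnerability
    summary: Package has at least one critical severity vulnerability
    value: |
      vulns.critical.exists(p, true)
```

Wired into vet-action through the policy input with paranoid: true, a package matching any of these filters fails the build; in a local scan the same file produces a non-zero exit instead.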

Policy as Code

Write and structure policy files.

CEL

The expression syntax policies are built from.

Malicious Package

The intelligence policies act on.

JFrog Xray Blocking

Enforce package blocking in JFrog Xray.