Update publishdate rego recipe #438
Open
clairemcdyre wants to merge 7 commits into
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
adding reference to the BUS name
Adding extra detail about cold + warm fetches.
adding co-pilot suggestion to remove redundant sentence.
…ies for npm and python
Contributor
Pull request overview
Updates Cloudsmith documentation to reflect newer policy capabilities and adjust guidance around minimum-age enforcement, while also removing/refreshing some security-policy related docs.
Changes:
- Adds a note to the “Package Publish Date” Rego recipe recommending Cooldown Policy for npm/Python.
- Removes the “Recurring vulnerability scans” Early Access mention and its associated cross-link.
- Substantially rewrites the “Block Until Scan” page content to describe synchronous vs asynchronous enforcement.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/content/supply-chain-security/vulnerability-scanning.mdx | Removes the “Recurring vulnerability scans” Early Access section. |
| src/content/supply-chain-security/epm/rego.mdx | Adds a note recommending Cooldown Policy for npm/Python for publish-date enforcement. |
| src/content/supply-chain-security/epm/index.mdx | Removes the policy-trigger bullet linking to the removed recurring-scan section. |
| src/content/policy-management/block-until-scan.mdx | Reframes/restructures the page around synchronous (“Block Until Scan”) vs default asynchronous behavior. |
| **Use case**: Match new packages for a specific period (e.g. two weeks) after release. Enforcing a time lag before consuming a new package or package version is an effective safeguard to protect against zero-day attacks. | ||
|
|
||
| <Note> | ||
| If you are using **npm** or **Python**, Cloudsmith recommends using the dedicated [Cooldown Policy](/supply-chain-security/epm/cooldown-policy) instead of this recipe. The cooldown policy evaluates packages directly at the index level, which is faster and provides a better developer experience than this recipe, which requires a package to be fully cached in Cloudsmith before the publish date can be evaluated. |
Comment on lines +446 to +450
| <Note> | ||
| If you are using **npm** or **Python**, Cloudsmith recommends using the dedicated [Cooldown Policy](/supply-chain-security/epm/cooldown-policy) instead of this recipe. The cooldown policy evaluates packages directly at the index level, which is faster and provides a better developer experience than this recipe, which requires a package to be fully cached in Cloudsmith before the publish date can be evaluated. | ||
|
|
||
| For all other supported formats, this recipe remains the recommended approach. | ||
| </Note> |
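Review bot: The added note stacks two relative clauses in one sentence ("...which is faster and provides a better developer experience than this recipe, which requires..."); split it so the comparison reads cleanly, e.g. "The cooldown policy evaluates packages at the index level, so it is faster and gives a better developer experience. This recipe can only evaluate the publish date once the package has been fully cached in Cloudsmith." The closing line "For all other supported formats, this recipe remains the recommended approach" states the recommendation but not the reason; the PR description explains that index-level cooldown support currently exists only for npm and Python, and saying so in the note would tell readers when to expect the recommendation to change.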
| import { Note } from '@/components' | ||
|
|
||
| # Block Until Scan | ||
| # Enforce package signing and policy enforcement on all downloads |
Comment on lines +3 to 11
| # Enforce package signing and policy enforcement on all downloads | ||
|
|
||
| **Block Until Scan** is a security feature designed to enhance the integrity and security of software packages served by Cloudsmith, guaranteeing that all relevant security and compliance policy checks (licenses, vulnerabilities, package deny policies) are fully completed *before* a package is made available for download. | ||
| Cloudsmith can enforce package signing and security policies on **every** download from upstream registries, including the very first request for a new package. | ||
|
|
||
| --- | ||
| By default, Cloudsmith applies full signing and policy enforcement **after** the first download of a package that is proxied from an upstream registry. For stricter environments, you can enable an optional synchronous enforcement mode that blocks initial downloads until scanning and policy checks are complete. | ||
|
|
||
| By enabling Block Until Scan, all package requests originating from upstreams configured in "Cache and Proxy" mode are subjected to a mandatory scanning and policy evaluation process. This ensures that only packages meeting your organization's security policies can be accessed by users. | ||
|
|
||
| Without Block Until Scan, packages could be served to clients *before* all necessary policy checks were completed (unless the package was already synced in the repository, and policy checks had been completed prior to that). This allowed for the initial download of packages that may subsequently fail policy checks. | ||
|
|
||
| ## How to Use It | ||
|
|
||
| <Note variant="important"> | ||
| 📘 The Block Until Scan feature is in **Early Access (EA)**. To enable Block Until Scan for your workspace, please [contact Cloudsmith Support](https://cloudsmith.com/company/contact-us). | ||
|
|
||
| **Workspace-Wide Setting** | ||
|
|
||
| Please note that Block Until Scan is a global setting that affects **all repositories** within a given workspace. Its activation will impact all applicable package flows. | ||
| <Note variant="note"> | ||
| 📘 This feature is in **Early Access (EA)**. To enable it for your workspace, please [contact Cloudsmith](https://cloudsmith.com/company/contact-us). | ||
| </Note> |
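Review bot: The rewrite drops two facts the removed text stated and the new paragraphs do not: that the scanning and policy evaluation applies to upstreams configured in "Cache and Proxy" mode, and that this is a workspace-wide setting affecting all repositories (the removed "Workspace-Wide Setting" paragraph). If both still hold, carry them into the new "By default, Cloudsmith applies..." paragraph or the EA note, since a reader enabling this for one repository would otherwise be surprised by the scope. The removed text also listed which checks are covered (licenses, vulnerabilities, package deny policies); the new text says only "policy checks", so consider restoring that list. Finally, the new title "Enforce package signing and policy enforcement on all downloads" repeats "enforce"; "Enforce package signing and security policies on all downloads" reads better and matches the wording of the first paragraph.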
With the release of cooldown policies (https://docs.cloudsmith.com/supply-chain-security/epm/cooldown-policy), for npm and Python this recipe is no longer the recommended approach for applying minimum age policies to packages. Since we don't have support for other formats in the index level implementation of cooldown policies, we need to keep this policy around so that it can be used for other formats. It still works but is a slower experience for developers.