EPM Featured

Enterprise Policy Management with Cloudsmith

Ian Taylor

8 min read
Enterprise Policy Management with Cloudsmith

Enterprise Policy Management (EPM) is a programmable policy-as-code layer that controls the security, compliance, and flow of artifacts across the software supply chain. Teams can codify rules once and apply them continuously across repositories. With Cloudsmith’s platform, organizations extend policy enforcement across teams, environments, and geographies without introducing friction, including the open source packages that the chain depends on.

Our EPM solution is powered by data at every stage. The policy engine has access to all available package metadata to inform decisions. Every policy action is recorded with full context, providing detailed logs for customers to support audits and investigations. EPM includes compliance dashboards, that surface insights in security, compliance, and policy activity. This gives you continuous oversight and helps you refine your approach. 

This article provides an overview of EPM and how it strengthens the software supply chain. For a worked example using policy as code, see Enterprise Policy Management Example: Quarantine Packages Using Policy as Code.

We built EPM because governance should not slow you down; it should accelerate trust. Threats to your software supply chain are evolving faster than human oversight can track, and automation is the only viable path to resilience. EPM puts policy enforcement early in the development process. It makes decisions transparent and implements your security and compliance posture into something repeatable, testable, and version-controlled, like the rest of your codebase. Developers get immediate insight to help select packages. They know which meet policy standards for security, licensing, and quality.

What Are Policies? 

Policies are codified rules that automate decisions and enforce rules on which packages are allowed in your software supply chain. They provide guardrails that ensure security, compliance, and operational consistency. Policies can block vulnerable packages, restrict problematic licenses, and control access.

Vulnerability Policy Example

For example, an enterprise may add a policy that stops packages with high-risk vulnerabilities from reaching production environments. The policy would be prescribed by logic as follows:

  1. Define logic that evaluates vulnerability criteria and applies a quarantine action to affected packages.
  2. The criteria specifies that the vulnerability must be listed in the Common Vulnerabilities and Exposures (CVE) database.
  3. The policy then checks if the vulnerability exceeds a defined CVSS and/or EPSS score threshold.
  4. If conditions are met, the package can either be quarantined and blocked from promotion to production or tagged with additional context for further forensics.

Policy Types

This previous example is a vulnerability policy and is one of the types Cloudsmith EPM supports:

  • Vulnerability policies block insecure packages.
  • License policies prevent non-compliant code from being used.
  • Time-based policies to delay promotion until review. 
  • Lifecycle policies automate tagging, quarantining, or deleting based on metadata.

The Cost of Missing Policy Management

Without strong policy management, teams face increased risk and unnecessary effort:

  • Security vulnerabilities go unnoticed - Missing automation allows known CVEs or malicious packages to reach production.
  • Compliance becomes reactive - Teams must scramble for audits instead of demonstrating continuous compliance.
  • Manual processes waste time - Engineers spend hours reviewing dependencies or waiting for late-stage approvals.
  • Governance becomes inconsistent - Without shared policies, standards vary across teams and environments.
  • Automation potential is lost - Without codified policies, organizations cannot fully benefit from the scale and speed of the cloud.
  • Cost of remediation - Catching vulnerabilities early in the software delivery lifecycle reduces both the financial cost of remediation and the risk of reputational damage.

EPM was built to avoid these issues in response to real-world supply chain threats and close collaboration with our customers. Codification and automation provide a unified approach for teams to enforce decisions that were previously enforced manually and inconsistently, proving less robust or scalable.

EPM’s Impact on Key Enterprise Roles

In an automated delivery environment, policies are essential for reducing manual overhead, preventing costly mistakes, and proving compliance, and have particular relevance within the organization:

  • CISOs - For CISOs, policies are the cornerstone of a secure software supply chain. They enable proactive threat mitigation, enforce compliance with frameworks like SLSA and SC2CF, and provide the audit trails required for regulatory confidence. Cloudsmith’s EPM lets CISOs shift from just enforcing checklists to actively collaborating with engineering teams by using the same tools. Implementing automated policies makes it easier for the engineering team to build securely.
  • CTOs - CTOs are focused on enabling product velocity without compromising architectural integrity. Effective policy management acts as a safeguard for CTOs, giving them confidence to move fast with greater safety, supporting both innovation and security goals. With EPM, they can align engineering output with business goals, ensure consistent implementation of best practices, and reduce the operational burden of manual reviews. 
  • Engineering Teams - Teams immediately benefit by switching from public repositories to Cloudsmith as a curated repository for their developers.  Policies then provide clarity, speed, and safety for engineering teams. Instead of guessing what is allowed, developers get immediate feedback when a package or dependency violates a rule. Our EPM integrates policy checks directly into the artifact pipeline, shifting decision-making left and reducing the noise and frustration caused by late-stage security reviews.

EPM: Cloudsmith’s Approach to Policy Management

Maximum Flexibility: Policy-As-Code, Open Policy Agent, and Rego

Cloudsmith builds for developers, and EPM continues that focus by applying code's flexibility and automation to policy management. EPM takes a policy-as-code approach using an engine built on codification to make policies flexible, versioned, testable, and part of the everyday development workflow. It uses repeatable logic and brings security and compliance into the same toolchain engineers already use.

EPM is built to use:

  • Policy-As-Code with Rego -  Teams write policies in Rego to define clear, actionable rules that operate on artifact metadata, repository structure, and scan data. We chose Rego because it is an established, open-source policy language widely used in infrastructure and platform security. Rego allows teams to write expressive, testable rules and reason over structured data, which aligns with how Cloudsmith models package metadata and security inputs.
  • Open Policy Agent (OPA) -  OPA is a general-purpose policy engine that evaluates rules written in Rego. Cloudsmith integrates OPA into its EPM engine to provide a programmable, scalable way to enforce policy across artifacts. Because OPA is already well established in platform tooling like Kubernetes and Terraform, teams can manage policies in a format they know and trust, without switching tools or inventing new processes.
  • User Interface Control - EPM also offers key features through the Cloudsmith UI. This supports essential policy management controls, letting users operate EPM without the need to dive into policy-as-code.

You can see an example of the Rego code used to implement the policy given in Vulnerability Policy Example above.

package cloudsmith
import rego.v1

default match := false
max_epss := 0.2
target_repository := "REPOSITORY-NAME"
ignored_cves := {"CVE-2023-45853"}

match if {
    input.v0["repository"]["name"] == target_repository
    some vulnerability in input.v0["vulnerabilities"]
    vulnerability["patched_versions"]
    vulnerability["severity"] == "HIGH"
    not ignored_cve(vulnerability)
    exceeded_max_epss(vulnerability)
}

exceeded_max_epss(vulnerability) if {
    some _, val in vulnerability
    val["score"] > max_epss
}

ignored_cve(vulnerability) if {
    vulnerability["VulnerabilityID"] in ignored_cves
}

Create Automated Vulnerability Policies

Cloudsmith’s policy engine lets you create and automate vulnerability policies to an exact specification. Policies evaluate packages as they arrive and apply structured logic to make decisions based on severity, exploitability, and metadata. We made package data available so you have the information to tailor and align your policies to the datasets that matter most.

The following capabilities form the foundation of Cloudsmith’s approach to automated vulnerability policies:

  • Vulnerability Management & Dependency Awareness - EPM scans artifacts continuously and examines both the dependencies developers choose directly and the ones that come bundled with them. This helps teams understand the full scope of their exposure, especially when vulnerabilities are introduced through nested packages or upstream registries.
  • CVSS & EPSS Prioritization (+scoring) - CVSS scores represent how severe a vulnerability is, while EPSS scores estimate how likely it is to be exploited in the real world. Cloudsmith supports both scoring systems to help teams write policies that prioritize the vulnerabilities that pose the highest risk.
    See Cloudsmith introduces EPSS Scoring in Enterprise Policy Management.
  • Policy Testing & Decision Logs - Teams can preview how a policy will behave before activating it. This reduces the risk of unintended disruption and helps refine logic before activation. Once a policy is active, EPM logs each decision, making actions traceable and audit-ready.

EPM continues to evolve, and we’re expanding the scope of what policies can evaluate. This includes extending scanning to third-party sources like OpenSSF Scorecards. We’re enriching package metadata with contextual signals, giving policies a broader view to make more accurate decisions.

Enforcing License Compliance at Scale

Legal teams and engineering organizations need to manage license risk at scale. Cloudsmith EPM allows teams to define precise rules about which licenses are permitted, restricted, or prohibited across repositories and environments. Policies can block packages with unknown, copyleft, or non-compliant licenses before they are introduced into critical environments. These rules operate on package metadata and are enforced automatically at sync, ensuring consistent application across teams and projects.

EPM license management includes the following key capabilities:

  • License Enforcement Policies - Packages with prohibited licenses are blocked by codifying license rules into policy logic. These policies evaluate license metadata before packages reach environments where risk cannot be tolerated, such as production environments or regulated systems.
  • Tailored and Standards-Based Policies -Policies can reflect both internal legal requirements and external compliance frameworks. Teams can author policies that support organization-specific license strategies while aligning with broader standards such as SPDX or OpenChain.

Manage Internal Remediation SLAs with Time-Based Policies

Time-based policies help teams manage the lifecycle of packages based on changing risk, review cycles, or policy timing. These policies allow organizations to enforce rules that adapt over time, such as delaying access to a package until it has passed a minimum review period or increasing enforcement if a vulnerability remains unaddressed beyond a defined threshold.

EPM’s time-based policy management includes CVE lifecycle enforcement. A policy can allow packages with a known high severity CVE to remain in a non-production repository for a defined period. If no fix is applied during that window, the policy escalates enforcement by blocking promotion, triggering quarantine, or flagging the package for remediation. This gives teams time to assess and respond while maintaining clear accountability and control.

We’re extending policy capabilities to increase support for time-based controls. This includes defining policies that delay promotion, trigger re-evaluation, or expire package access after a specific time window. This will support workflows like phased rollouts, cooling-off periods, or automatic clean-up of outdated packages.

Practical Examples of EPM Policies

Cloudsmith EPM allows teams to define precise policies in line with their organization’s compliance requirements. These examples reflect common use cases in vulnerability management, license enforcement, and exploitability scoring.

Time and Score Balanced CVE Remediation Policies

Customers can use EPM to build policies that align with their organisation’s internal CVE remediation timelines or industry best practices.  Policies could escalate enforcement based on how long a CVE has gone unpatched.

For example, quarantine any package that has a:

  • CVE with a CVSS score of 9 or more that was reported 7 or more days ago. 
  • CVE with a CVSS score of more than 7 that was reported 30 or more days ago. 
  • CVE with a CVSS score of more than 4 that was reported 60 or more days ago.

License Control Policies

Customers can use EPM to control which software licenses are permitted in their environments. Many organizations prevent the use of copyleft licenses because these licenses can require proprietary source code to be made public. Copyleft licenses, such as the GNU General Public License (GPL), impose obligations that conflict with closed development. Teams often prefer permissive licenses such as MIT, Apache, or BSD to minimize legal risk.

For example:

  • Quarantine any package that carries a GNU General Public License (GPL).
  • Quarantine any GPL-licensed package found in production repositories, with the highest legal exposure.

Exploitability-Driven Policies with EPSS

Customers can strengthen their vulnerability management by using the Exploit Prediction Scoring System (EPSS) as an additional prioritization tool. EPSS provides a daily probability estimate for the likelihood of a CVE being exploited in the wild. This helps teams move beyond severity alone and focus remediation efforts on the vulnerabilities most likely to be targeted.

For example:

  • Quarantine any package containing a CVE with an EPSS score of 0.2 or more. 

EPM: Policy Management for the Vigilant Enterprise

Software governance is an operational necessity. Cloudsmith EPM provides a programmable layer that helps teams codify their organization's vision for secure and compliant software and then enforces those standards automatically. 

By aligning security, legal, and engineering teams around shared, automated rules, EPM removes friction and gives control, making governance part of the pipeline.

To discover how EPM can solve your policy management needs, contact us for a demo.


Liked this article? Don\'t be selfish (:-), share with others:  



The source of truth for software everywhere.

Cloudsmith optimizes your software supply chain from source to delivery — with complete trust, control, and security.

Start Free Trial