Skip to main content
Anaconda Platform 7.0.0 is available through a limited early access program. Contact your Anaconda Technical Account Manager (TAM) if you’re interested in adopting the latest version.
A policy is a security control you can apply to a channel to configure which packages are mirrored from the channel’s source. Enforcing policies ensures that only approved software is available, helping maintain consistency across team and reducing security risks. Policies allow you to filter packages based on criteria such as package name, platform architecture, license, and Common Vulnerabilities and Exposures score and status to meet your organization’s compliance and security requirements.
Visibility and management of policy features depend on your assigned role. Only users with Write or Manage permissions for the Policy Engine can create and manage policies.

Creating a policy

Policy filters only work for conda repositories. Standard Python and R repositories must use mirror filters to restrict packages. For more information, see Creating a mirror.
Policies only filter from a when the channel’s runs. If you update a policy, packages in affected channels aren’t updated until the channel’s mirror next runs per its scheduled frequency configuration.
  1. Select Policies from the left-hand navigation.
  2. Click Create Policy.
  3. Complete the Create Policy form.
    The Create Policy form provides a step-by-step approach to building policies for your channels.
    • Each field provides an info tip to help you understand and complete the form. Hover over the icon to view tips.
    • As you build the policy, a real-time summary appears on the right, explaining in plain language what the policy enforces.
    • Select < Previous or Next > to navigate the different sections of the Create Policy form.
    1

    Set Details

    Set details step
    1. Policy Name Provide a unique name for your policy.
      Use a descriptive name that helps users understand its purpose.
    2. Description Enter a brief description of what effect the policy will have on a channel or mirror.
    2

    Set Package Rules

    Set packages step
    1. Platform Restrict packages based on their platform architecture.
      • The in operator only mirrors packages that match the specified platform architectures. In other words, using the in operator means “I want to mirror packages for the following platform architectures”.
      • The not in operator excludes packages that match the specified platform architectures. In other words, using the not in operator means “I want to mirror packages for all platform architectures except the following”.
      Anaconda Platform automatically includes any package dependencies in your channel when you apply a policy that restricts packages by platform architecture.
    2. License Restrict packages based on their license type. Multiple license types can be specified for the policy.
      • The in operator only mirrors packages that match the specified license. In other words, using the in operator means “I want to mirror packages for the following license types”.
      • The not in operator excludes packages that match the specified license. In other words, using the not in operator means “I want to mirror packages for all license types except the following”.
      For more information, see Package license information.
    3. Package Name(s) If you know the specific packages you want your channel or mirror to contain, enter their names here.
      Specifying packages by name does not automatically populate the channel with their dependencies.
    4. Include Dependencies Select this checkbox to include dependencies for the packages specified in the Package Name(s) field.
      This option must be selected to enable a dependency report download for mirrors this policy is applied to. For more information, see Download Dependency Report under Mirror actions.
    5. Other Package Criteria
      • Only Signed Packages Select this checkbox to only mirror packages that have Anaconda signatures from the source mirror.
      • Legacy Packages Select this checkbox to include .tar.bz2 package files along with .conda files for packages. This effectively doubles your required storage space.
        When this checkbox is left unselected, .tar.bz2 files are still included if they are the only ones available in the source.
    6. Date Range Instruct the policy to only include packages that were created within the range selected.
    3

    Set CVE Rules

    Set CVE rules step
    1. CVE Score Restrict packages based on their associated CVE Scores.
      Saying “I want to allow packages with a CVE score less than 7” is the same as saying “I want to block packages with a CVE score greater than or equal to 7”.
    2. The and | or operators
      • The and operator includes package files that meet all the specified criteria.
      • The or operator includes package files that meet at least one of the specified criteria.
      The and operator is more restrictive than the or operator.
    3. CVE Status Restrict packages based on their associated CVE Status.
      Package files that have a CVE status of mitigated or cleared are no longer considered to be vulnerable, even if they have a high CVE score.
    4. CVE Allowlist IDs CVEs listed here are not considered for package file filtering criteria.
      CVE names follow the format CVE-YYYY-##### (Example: CVE-2025-12345).
    For most organizations, Anaconda recommends the following CVE rules:
    Operator
    Value
    CVE Score
    less than
    7
    or
    CVE Status
    in
    mitigated cleared
    4

    Set Exclusions

    Set exclusions step
    1. Exclude Packages Enter the name of any packages you want to exclude. To list multiple packages, press the Tab key after entering each package name.
    2. Exclusion Exceptions Include specific packages that would otherwise be removed by the exclude packages filter by listing them here.
      Package exclusions and exclusion exceptions can be specified using non-exact values by including wildcard * and >/< ranges (where supported). For more information, see Package Match Specifications in the official conda documentation.
    3. CVE Status Choose to restrict packages by their CVE Status.
    For most organizations, Anaconda recommends excluding packages with a CVE Status of active, reported, or disputed.
    5

    Review

    Review the rules that your policy will enforce.
    Review policy step
  4. Click Create Policy.

Applying a policy

Policies can be applied to channels at the time of creation or by editing the channel and selecting a policy from the Assign Policy dropdown at a later time. For more information, see Create channel form.

Managing policies

Select Policies from the left-hand navigation to view all policies and see which channels and mirrors they are associated with.
View all policies page
Use the search box to locate a policy by name. You can match any part of the policy name to filter the list.
Use the Actions dropdown to manage your policies.
Policy actions menu

View Details

View a read-only version of the policy details.

Edit

Modify an existing policy using the same process as when creating a policy.

Delete

Permanently delete the policy. A warning displays if the policy is currently applied to any channels or mirrors.