Policy filters

A policy filter is an additional security measure you can apply to a channel to restrict the available packages that can be sourced from it. You can filter packages by license, common vulnerability and exposure (CVE) score, CVE status, package age, and by using conda spec. For more information about CVE scores and status’, see Common Vulnerabilities and Exposures (CVEs).

On this page:

Creating a policy filter

  1. From the Channels page, click the plus plus icon next to Policy filters.

    ../../../_images/ab_create_policy.png

  2. Provide a unique name for your policy.

  3. In the Exclude package if section, click Add filter.

  4. In the Filter group section that appears, set filter details for packages you wish to exclude from channels with this policy.

  5. Repeat the two previous steps to apply further package filtering preferences.

  6. In the Override exclusions and include a package if section, click Add filter. Here, you can apply filters to include specific packages that would otherwise be excluded by your filters in the previous section.

Example policy filter

Let’s say you want to filter out packages with a CVE score greater than 7 but include those packages with a score greater than 7 if and only if their CVE status is cleared by NIST. Your policy filter would look like the following:

../../../_images/ab_policy_filter_dialog.png

Applying a policy filter

In the Active policy column, click the Apply policy dropdown, then select a policy to apply to the channel.

Once the policy is applied, the status beneath the policy will transition through the following phases:

  • In Queue
  • In Progress
  • Completed
  • Scheduled

The Scheduled status indicates the channel is set to auto-update. This means the filter will be reapplied to the channel every four hours and will update the channel’s contents accordingly.

Editing a policy filter

Policies that are in use cannot be edited. If you wish to edit an existing policy, you must temporarily remove it from the channel it is applied to. You can change the parameters of the filter as if you were creating a new policy.

Note

A warning warning icon displayed next to your filter indicates that it has become deprecated. Deprecated filters still work, but Anaconda recommends you update your policies to no longer use these filters.

Viewing removed artifacts

In the Artifacts removed column, click View report beneath the artifact count to open the Policy report dialog. You can then view the total number of artifacts, those that have been removed, and those remaining, by platform. This report can be downloaded in .csv format.

../../../_images/ab_artifacts_removed.png

You can also view which artifacts have been removed from a channel that has a policy applied to it.

From your organization’s Channels page, select a channel with a policy filter applied, then select a package to view the affects of your security policy. Scroll through the list to view files that have been removed from the package by a security policy.

../../../_images/ab_channel_artifacts_removed.png

Note

Removed files are not grouped, and some packages have multiple pages of files. For packages with many files, it is best to use the filter bar to narrow results.