
JFrog Curation for Closed Environments: How to Block Malicious Packages Before They Enter Your Code


Modern organizations build almost every product based on open-source code and third-party dependencies. This accelerates development, but also introduces a dimension of risk: malicious packages (malware), versions with critical security vulnerabilities, licensing issues, or immature and unmaintained dependencies.


In most cases, traditional security tools encounter the component only after it has already entered the repository, build, or pipeline.

This is exactly where JFrog Curation comes into the picture: instead of discovering after the fact that a dangerous component has already entered the organization, JFrog Curation acts at the point where the package is requested and downloaded, blocking problematic components before they become part of the code, build, or application.

What is the JFrog Curation Package and what does it provide?

JFrog Curation is a governance and policy enforcement layer for consuming open-source packages and third-party dependencies. You can think of it as a “gateway” for external packages: Instead of every dependency automatically entering the environment, the organization defines rules that dictate which packages are allowed to be downloaded, which should be blocked, and which require further inspection.

Among other things, the solution lets you:

  1. Block packages flagged as malicious.
  2. Block versions with security vulnerabilities based on severity level or organizational policy.
  3. Enforce licensing policies.
  4. Restrict the use of overly old, immature, or unmaintained packages.
  5. Apply an allowlist and blocklist according to organizational needs.
  6. Generate an organized audit trail for every block or approval decision.

The business implication is clear: less reliance on manual decisions, lower risk of dangerous components entering, and more control over the software supply chain.

How does JFrog Curation work in a Self-Hosted / Self-Managed environment?

In independently managed on-premises / Self-Hosted environments, JFrog Curation integrates with the JFrog platform, and specifically with Artifactory and Xray.

The model is relatively simple:

  1. Developers pull packages through Artifactory (during builds, etc.).
  2. JFrog Curation checks the request against the organization’s policy.
  3. If the package meets the policy conditions, the download is allowed.
  4. If the package violates the policy, access is blocked before the component enters the environment.

In other words, instead of settling for a post-download scan, the organization gets a prevention mechanism right at the entry stage.

This is a fundamental shift: less “cleaning up after,” more upfront prevention.

What actually happens during a package request?

When a developer, pipeline, or build requests a dependency through an organizational repository, the system checks whether the package:

  • Has been identified as a malicious package.
  • Contains security vulnerabilities according to the policy.
  • Violates a licensing policy.
  • Does not comply with other internal rules defined by the organization.

If any of these conditions are met, the download can be blocked.

In some scenarios, it’s also possible to enable automatic selection of a more compliant version, rather than failing the entire process.

How does JFrog Curation work in an Air-Gapped environment?

In Air-Gapped environments, the challenge is different: there is no direct internet connection, so you cannot rely on open access to public repositories.

It is therefore common to use a controlled process in which dependencies are pulled into an external zone or DMZ, inspected and approved, and only then promoted inward into the isolated environment.

In this model, JFrog Curation integrates as part of the control mechanism:

  • External components are first pulled into a controlled environment.
  • The components undergo scanning, policy checks, and curation.
  • Only approved packages are promoted inward to the internal repositories.
  • Within the isolated environment, work continues only with components that have already been approved.

This way, organizations operating in isolated networks can also enjoy strict governance over open-source packages without exposing the environment itself to the internet.
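To make the two flows above concrete, here is an added example that is not JFrog's code and does not use any JFrog API: a small policy gate in Python that models the checks listed under "What actually happens during a package request?" (malicious flag, CVSS threshold, license, maturity, allowlist/blocklist), the optional "serve a more compliant version instead of failing" behaviour, an audit record per decision, and the air-gapped stage-and-promote step. The catalog, package names (including the typosquat lookalike), scores, and policy thresholds are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PackageVersion:
    """Metadata the gate needs for one package version (constructed sample shape)."""
    name: str
    version: str
    max_cvss: float               # highest CVSS score among known CVEs, 0.0 if none
    licenses: List[str]           # SPDX identifiers
    age_days: int                 # days since this version was published
    last_release_days: int        # days since the project's most recent release
    malicious: bool = False       # flagged by a malicious-package feed


@dataclass
class Policy:
    """Organizational curation policy; all thresholds here are illustrative defaults."""
    max_cvss: float = 7.0                                 # block at High or above
    allowed_licenses: List[str] = field(default_factory=lambda: ["MIT", "Apache-2.0", "BSD-3-Clause"])
    min_age_days: int = 14                                # too new to trust ("immature")
    max_stale_days: int = 730                             # no release in two years ("unmaintained")
    allowlist: List[str] = field(default_factory=list)    # exempt from license and maturity rules only
    blocklist: List[str] = field(default_factory=list)    # always blocked
    auto_select_compliant: bool = False                   # serve a compliant version instead of failing


def evaluate(policy: Policy, pkg: PackageVersion) -> List[str]:
    """Return every policy violation for one version; an empty list means allowed.
    Design choice: the malicious, blocklist and CVSS checks apply even to allowlisted names."""
    reasons: List[str] = []
    if pkg.name in policy.blocklist:
        reasons.append("on organizational blocklist")
    if pkg.malicious:
        reasons.append("flagged as malicious")
    if pkg.max_cvss >= policy.max_cvss:
        reasons.append(f"CVSS {pkg.max_cvss} >= threshold {policy.max_cvss}")
    if pkg.name in policy.allowlist:
        return reasons
    bad = [lic for lic in pkg.licenses if lic not in policy.allowed_licenses]
    if bad:
        reasons.append("license not allowed: " + ", ".join(bad))
    if pkg.age_days < policy.min_age_days:
        reasons.append(f"published {pkg.age_days} days ago, minimum is {policy.min_age_days}")
    if pkg.last_release_days > policy.max_stale_days:
        reasons.append(f"no release for {pkg.last_release_days} days, maximum is {policy.max_stale_days}")
    return reasons


def _version_key(v: str):
    return tuple(int(x) for x in v.split("."))


def resolve(policy: Policy, catalog: Dict[str, Dict[str, PackageVersion]],
            name: str, requested: str, requester: str = "ci-build") -> dict:
    """Decide one download request and return its audit record (who, what, decision, why)."""
    record = {"requester": requester, "package": name, "requested": requested, "served": None}
    versions = catalog.get(name, {})
    pkg = versions.get(requested)
    if pkg is None:
        record.update(decision="BLOCK", reasons=["version not in curated catalog"])
        return record
    reasons = evaluate(policy, pkg)
    if not reasons:
        record.update(decision="ALLOW", served=requested, reasons=[])
        return record
    if policy.auto_select_compliant:
        compliant = [v for v, p in versions.items() if not evaluate(policy, p)]
        if compliant:
            best = max(compliant, key=_version_key)
            record.update(decision="ALLOW", served=best, reasons=reasons,
                          note=f"requested version blocked; substituted {best}")
            return record
    record.update(decision="BLOCK", reasons=reasons)
    return record


def promote(policy: Policy, staging: Dict[str, Dict[str, PackageVersion]],
            internal: Dict[str, Dict[str, PackageVersion]]) -> List[dict]:
    """Air-gapped flow: run every staged version through the gate and copy only the
    approved ones into the internal catalog. Returns the audit trail of the run."""
    trail = []
    for name, versions in staging.items():
        for ver, pkg in versions.items():
            reasons = evaluate(policy, pkg)
            if not reasons:
                internal.setdefault(name, {})[ver] = pkg
            trail.append({"package": name, "version": ver,
                          "decision": "PROMOTE" if not reasons else "REJECT", "reasons": reasons})
    return trail


# Constructed sample catalog: package names, scores and ages are invented.
CATALOG = {
    "requests-helper": {
        "1.2.0": PackageVersion("requests-helper", "1.2.0", 0.0, ["MIT"], 400, 30),
        "1.3.0": PackageVersion("requests-helper", "1.3.0", 9.8, ["MIT"], 60, 30),   # critical CVE
        "1.3.1": PackageVersion("requests-helper", "1.3.1", 0.0, ["MIT"], 3, 30),    # published 3 days ago
    },
    "requets-helper": {   # typosquat lookalike, flagged by the malicious-package feed
        "1.3.0": PackageVersion("requets-helper", "1.3.0", 0.0, ["MIT"], 2, 2, malicious=True),
    },
    "legacy-xml": {       # copyleft license and no release in years
        "0.9.0": PackageVersion("legacy-xml", "0.9.0", 0.0, ["GPL-3.0"], 3000, 2900),
    },
}

if __name__ == "__main__":
    print(resolve(Policy(auto_select_compliant=True), CATALOG, "requests-helper", "1.3.0"))
    print(promote(Policy(), CATALOG, {}))
```

With the default policy a request for `requests-helper 1.3.0` is blocked on its CVSS score; with `auto_select_compliant=True` the gate serves `1.2.0` instead, because `1.3.1` is still under the minimum age. The `promote` run on the same staging catalog copies only `requests-helper 1.2.0` inward and records a rejection with reasons for everything else, which is the audit trail the article describes.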

How does JFrog Curation prevent malicious packages from entering the code and application?

One of the biggest advantages of JFrog Curation is that it doesn’t wait for the problem to appear in production.

Instead, it helps identify and block dangerous packages before they are consumed by developers or CI/CD processes.

This includes protection against scenarios such as:

  • Malicious packages intentionally uploaded to public repositories.
  • Typosquatting – packages with a name similar to a legitimate package.
  • Dependency confusion.
  • Versions with dangerous code or suspicious behavior.
  • Vulnerable versions with known weaknesses.

The practical implication is that the organization reduces the chance of a malicious component entering the build, being embedded in the application, and subsequently reaching testing or production environments.

How does JFrog Curation improve security and protect the environment?

The contribution of JFrog Curation doesn’t end with blocking malicious packages. It improves the overall level of protection across several layers:

1. Early prevention instead of late response

Instead of discovering a dangerous component after it has already entered the organization, the block occurs during the consumption stage.

2. Reducing the attack surface

The fewer problematic components enter, the lower the risk of exploitation, data leaks, or supply chain compromises.

3. Uniform policy enforcement

All development teams, across all projects, work according to the same rules. This is especially important in large or decentralized organizations.

4. Improving compliance

Beyond security, you can also enforce licensing, use of approved versions, and internal policies regarding allowed and forbidden components.

5. Transparency and control

With an organized audit trail, you can understand who requested what, what was blocked, what was approved, and why each decision was made.

What about licensing and pricing?

JFrog’s Curation solution is a paid feature, and it is usually part of a broader governance and software supply chain security solution.

The cost of Curation depends on the number of users, licensing type, scope of use/deployment, and more. For accurate pricing and quotes, you can contact us (details below).

How does JFrog Curation save money and how do you measure ROI?

Coming soon
(In the meantime, you can contact us via email for more details)

In Summary:

JFrog Curation gives organizations a practical way to stop managing open-source risks only in hindsight, and start enforcing policies right at the stage where the component enters the environment. For organizations with Self-Hosted or Air-Gapped setups, this is a significant move to improve security, reduce supply chain risks, strengthen compliance, and lower operational costs over time.

Instead of detecting problems only after they are already inside, you can stop them in advance.

ALM Toolbox is the official representative of JFrog, providing support and licensing for JFrog solutions, including Artifactory, Xray, Curation, and more, as well as infrastructural DevOps and DevSecOps / AppSec assistance for building a secure supply chain for secure code and application builds, and integration into development processes (SDLC / ALM) and development tools.
For more details, you can contact us: jfrog@almtoolbox.com or by phone at 072-240-5222

Frequently Asked Questions (FAQ) about JFrog Curation:

Does JFrog Curation replace Xray?

No. JFrog Curation is primarily designed for early prevention at the package’s entry point, while Xray provides scanning, analysis, and continuous monitoring capabilities for components already in the system.

Is JFrog Curation also suitable for a Self-Hosted environment?

Yes. This is one of its core use cases, especially in organizations that require full control over deployment configuration, security, and governance.

Can it also be used in Air-Gapped environments?

Yes. This is usually done through a controlled process of pulling components, testing, scanning, and promoting approved packages into the isolated environment.

Does the solution negatively impact the developer experience?

When the policy is configured correctly, the result is usually the opposite: fewer late surprises, fewer dependency replacements under time pressure, and more certainty regarding what is allowed to be consumed.

Can I also enforce licensing policies and not just security?

Yes. One of the advantages of JFrog Curation is the ability to combine security, licensing, governance, and uniform organizational policy considerations.

Who is this solution particularly suited for?

Organizations that develop at a fast pace, consume a lot of open source, work under regulations, operate Self-Hosted or Air-Gapped environments, and want to stop risks as early as possible.

This article was written by Tamir Gefen, ALM Toolbox.
