Policy filters

A policy filter is an additional security measure you can apply to a channel to restrict the available packages that can be sourced from it. You can filter packages by license family, common vulnerability and exposure (CVE) score, CVE status, package age, platform, and by using conda spec. For more information about CVE scores and statuses, see Common Vulnerabilities and Exposures (CVEs).

Creating a policy filter

  1. From the Channels page, click Create under Policy filters.

  2. Provide a unique name for your policy. Anaconda recommends making it something descriptive.

  3. In the Exclude package if section, click Add filter.

  4. In the FILTER GROUP section that appears, set filter parameters for packages you wish to exclude from channels with this policy.

  5. Click Add Filter to Group to include additional parameters for this filter group, or click Add filter to add a separate filter for this policy.

  6. Repeat this process to apply further package filtering preferences.

  7. If necessary, in the Override exclusions and include a package if section, click Add filter. Here, you can apply filters to include specific packages that would otherwise be excluded by this filter.

    Note

    You can only include packages based on conda spec.

Example policy filter

Let’s say you want to filter out packages with a CVE score greater than 7, but only if their CVE Status has not been Cleared by NIST. Your policy filter would look like this:
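The logic of this policy, together with a conda spec override, modeled in Python. This is an added example, not Anaconda's code or API: the `Artifact` fields, the helper names, the sample packages and the `Active` status value are constructed for illustration. It assumes that conditions within one filter group are combined with AND, that separate filters are combined with OR, and that a matching override spec always keeps the package.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Artifact:
    name: str
    version: str
    cve_score: float  # highest CVE score reported for this artifact
    cve_status: str

def score_above(threshold):
    return lambda a: a.cve_score > threshold

def status_is_not(status):
    return lambda a: a.cve_status != status

def spec_matches(spec, a):
    # Simplified stand-in for conda spec matching: "name" or "name==version".
    name, _, version = spec.partition("==")
    return a.name == name and (not version or a.version == version)

def is_excluded(a, exclude_groups, include_specs=()):
    # Override section: a matching spec keeps the package in the channel.
    if any(spec_matches(s, a) for s in include_specs):
        return False
    # Assumption: conditions in one group are ANDed, separate filters are ORed.
    return any(all(cond(a) for cond in group) for group in exclude_groups)

def apply_policy(artifacts, exclude_groups, include_specs=()):
    kept, removed = [], []
    for a in artifacts:
        (removed if is_excluded(a, exclude_groups, include_specs) else kept).append(a.name)
    return kept, removed

# The example policy: CVE score > 7 AND CVE status is not Cleared.
EXAMPLE_POLICY = [[score_above(7), status_is_not("Cleared")]]

# Constructed sample data; names, scores and the "Active" status are illustrative.
SAMPLE = [
    Artifact("pkg-a", "1.0", 9.8, "Active"),   # high score, not cleared
    Artifact("pkg-b", "2.1", 9.1, "Cleared"),  # high score, but cleared
    Artifact("pkg-c", "0.4", 5.3, "Active"),   # score below threshold
    Artifact("pkg-d", "3.0", 8.2, "Active"),   # candidate for an override
    Artifact("pkg-e", "1.0", 7.0, "Active"),   # exactly 7 is not "greater than 7"
]

if __name__ == "__main__":
    print(apply_policy(SAMPLE, EXAMPLE_POLICY))
    print(apply_policy(SAMPLE, EXAMPLE_POLICY, include_specs=["pkg-d==3.0"]))
```

Running a model like this against a list of packages you depend on shows which ones a score threshold would remove before the policy is applied to a production channel.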

Applying a policy filter

From the Channels page, click Apply for any channel, then select a policy to apply to the channel.

Once the policy is applied, the status beneath the policy will transition through the following phases:

  • In Queue

  • In Progress

  • Completed

  • Scheduled

The Scheduled status indicates the channel is set to auto-update. This means the filter will be reapplied to the channel every four hours and will update the channel’s contents accordingly.

Editing a policy filter

Policies that are in use cannot be edited.

To edit an existing policy:

  1. Remove the policy from the channel that it was applied to.

  2. Click the Edit icon next to the policy.

  3. Change the parameters of the filter as if you were creating a new policy.

  4. Click Save.

  5. Reapply the policy to the channel.

Note

A warning icon displayed next to your filter indicates that it has become deprecated. Deprecated filters still work, but Anaconda recommends you update your policies to no longer use these filters.

Viewing the policy report

Once you have applied a policy to a channel, you can view the Policy Report to see how many files were excluded from the channel.

From the Channels page, click the POLICY RESULTS for any channel to open the Policy Report dialog. You can view the total number of artifacts, how many have been removed, and how many remain, by platform. From here, you can download the report in .csv format or download the policy report delta.

You can also view which artifacts have been removed from a channel that has a policy applied to it.

From your organization’s Channels page, select a channel with a policy filter applied, then select a package to view the effects of your security policy. Scroll through the list to view files that have been removed from the package by a security policy and the reason for removal.

Note

Removed files are not grouped, and some packages have multiple pages of files. For packages with many files, it is best to use the filter bar to narrow results.