Policy filters
Policy filters are only available to Business and Enterprise tier customers.
A policy filter is an additional security measure you can apply to a channel to restrict the available packages that can be sourced from it. Once configured, policy filters automatically ensure that only packages that meet your organization’s security requirements are available from a given channel, eliminating the need for administrators to manually review or re-approve packages when new CVEs are reported.
Creating a policy filter
- From the Channels page, click Create under POLICIES.
- Provide a unique name for your policy. We recommend naming it something descriptive.
- In the Exclude package if section, click Add filter.
- In the FILTER GROUP section that appears, set filter parameters for packages you want to exclude.
- Click Add Filter to Group to include additional parameters for this filter group, or click Add filter to add a separate filter for this policy.
Filter parameters can be combined using either the and operator or the or operator. Click the operator to toggle between the two options. This operator can greatly impact which packages are excluded.
- Using the and operator means that all filter parameters must be met by a package for it to be excluded.
- Using the or operator means that at least one filter parameter must be met by a package for it to be excluded.
For example, setting a filter to exclude packages with a CVE score greater than 7 and a Platform of linux-64 excludes only linux-64 packages that have a CVE score greater than 7. However, a filter that excludes packages with a CVE score greater than 7 or a Platform of linux-64 excludes:
- All packages that have a CVE score greater than 7
- All linux-64 packages
- Repeat this process to apply further package filtering preferences.
- If necessary, in the Override exclusions and include a package if section, click Add filter.
In some cases, the exclusion parameters of a policy filter might inadvertently remove packages (or dependencies) that are critical for production projects. The override filter allows administrators to add these specific packages back to the channel.
You can apply overrides using conda spec and CVE Status.
Be cautious when using overrides based on CVE Status! Packages contain multiple files, and each file can be associated with different CVEs. For example, let’s say you’ve set up a policy that excludes packages with a CVE Score of 8 or higher, or that have an Active CVE Status.
Now, suppose that there is a package that contains a file that’s associated with an active CVE that has a score of 9.0, while another file in the same package is associated with a different CVE that has been cleared.
If you override the policy to allow packages with a cleared CVE status to be pulled back into the channel, all files for that package are added back to the channel, even though one of the files is associated with an active CVE and the score exceeds the CVE score threshold you set for the policy. Because most packages contain files that are associated with CVEs that have been cleared, this can result in files that are not compliant with your security policy being added back to the channel.
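The and/or semantics and the CVE Status override pitfall described above, as an added example that is not Anaconda's code: a small Python model in which CVEs are tracked per file, exclusion groups use an and/or operator, and an override adds the whole package back. The package names, platforms, scores and statuses are constructed for illustration.

```python
import operator
OPS = {">": operator.gt, ">=": operator.ge}

def matches(param, pkg):
    """One filter parameter. CVE parameters match when ANY file in the package
    carries a matching CVE, because CVEs are associated with files, not packages."""
    kind, *args = param
    cves = [c for f in pkg["files"] for c in f["cves"]]
    if kind == "platform":
        return pkg["platform"] == args[0]
    if kind == "cve_score":
        return any(OPS[args[0]](c["score"], args[1]) for c in cves)
    if kind == "cve_status":
        return any(c["status"] == args[0] for c in cves)
    raise ValueError(kind)

def group_matches(group, pkg):
    """Filter group ('and' | 'or', [params]): 'and' needs every parameter, 'or' needs one."""
    op, params = group
    return (all if op == "and" else any)(matches(p, pkg) for p in params)

def apply_policy(packages, exclude_groups, override_groups=()):
    """Exclude a package if any exclusion group matches, then add it back whole
    (every file) if any override group matches. Returns (kept, excluded) names."""
    kept, excluded = [], []
    for pkg in packages:
        hit = any(group_matches(g, pkg) for g in exclude_groups)
        back = any(group_matches(g, pkg) for g in override_groups)
        (excluded if hit and not back else kept).append(pkg["name"])
    return kept, excluded

# Constructed sample channel (not real packages): mixed-1.0 has one file with an
# active 9.0 CVE and another file whose only CVE has been cleared.
CHANNEL = [
    {"name": "mixed-1.0", "platform": "linux-64",
     "files": [{"cves": [{"score": 9.0, "status": "active"}]},
               {"cves": [{"score": 5.0, "status": "cleared"}]}]},
    {"name": "clean-2.0", "platform": "linux-64", "files": [{"cves": []}]},
    {"name": "osx-3.0", "platform": "osx-64",
     "files": [{"cves": [{"score": 8.5, "status": "active"}]}]},
]
HIGH_CVE, LINUX = ("cve_score", ">", 7), ("platform", "linux-64")

def and_example():   # 'and': only linux-64 packages with a CVE score above 7
    return apply_policy(CHANNEL, [("and", [HIGH_CVE, LINUX])])
def or_example():    # 'or': every package above 7 plus every linux-64 package
    return apply_policy(CHANNEL, [("or", [HIGH_CVE, LINUX])])
def risky_override():  # exclude score >= 8 or active, override on cleared status
    exclude = [("or", [("cve_score", ">=", 8), ("cve_status", "active")])]
    return apply_policy(CHANNEL, exclude, [("or", [("cve_status", "cleared")])])
```

In risky_override, mixed-1.0 is excluded by its active 9.0 CVE but comes back whole because a different file's CVE was cleared, which is exactly the case the caution above warns about.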
Applying a policy filter
Applying a policy filter to a channel restricts the packages that are able to be sourced from it.
- From the Channels page, click Apply beside a channel’s name.
- Select a policy to apply to the channel.
- Click Apply to confirm.
Once the policy is applied, the status beneath the policy transitions through the following phases:
- In Queue
- In Progress
- Completed
- Scheduled
The Scheduled status indicates the channel is set to auto-update. This means the filter will be reapplied to the channel every four hours and will update the channel’s contents accordingly.
Remove the policy filter by clicking Remove Policy beside the policy name in the channel list.
Package files that have been removed from a channel due to a policy filter display the specific reasons they were excluded.
Removed files are not grouped, and some packages have multiple pages of files. For packages with many files, it is best to use the search box to narrow results.
Editing a policy filter
Policies that are currently in use cannot be edited.
- Select the policy name from the POLICIES list.
- Change the parameters of the filter as if you were creating a policy.
- Click Save.
A warning displayed beside your filter indicates that it has become deprecated. Deprecated filters still work, but Anaconda recommends you update your policies to no longer use these filters.
Viewing the policy report
Once you have applied a policy filter to a channel, view the Policy Report to see a breakdown of the number of package files across various platforms that have been removed, and how many remain.
From the Channels page, click the POLICY RESULTS for any channel to open the Policy Report.
From here, you can download the policy report or the policy report delta in .csv format.