# Policy Gates

URL: https://edu.chainguard.dev/chainguard/administration/policy-gates.md
Last Modified: May 21, 2026
Tags: Overview

Control your image updates

Policy gates enable you to filter and restrict Chainguard artifact updates. You do this by defining policies that control and restrict versions that will be pulled from Chainguard.
Note: Policy gates is currently in beta and available for testing. It is an opt-in feature. To enable it for your organization, contact your Chainguard customer success representative.
Definitions This is how policy gates uses the following terms.
Policy — A reusable rule that determines whether an image is allowed. Each policy has a name, a description, and the resource types it applies to. Policies apply to registry repositories. Binding — A link between a policy and an organization. While a binding exists, the policy is active for image pulls under that organization. Without a binding, the policy has no effect. Mode — A binding’s mode controls what happens when the policy denies an image: ENFORCE — Block the pull. DRY_RUN — Allow the pull but record the violation. The default mode for new bindings is DRY_RUN.
Usage Policy gates are managed using chainctl. System policies are shipped with the platform.
See which policies are available to your organization:
chainctl policy-gates listSee which policies are currently active:
chainctl policy-gates binding listActivate a policy in DRY_RUN mode. This example activates the “no end-of-life” artifacts policy. Chainguard recommends that you roll out policies using DRY_RUN mode first and track for a time to be certain it has the impact you intend before moving to ENFORCE.
chainctl policy-gates enable --policy=no-eol --mode=DRY_RUNPromote a policy to ENFORCE:
chainctl policy-gates enable --policy=no-eol --mode=ENFORCECheck the results of specific policies on an image, including DRY_RUN policies which wouldn’t cause the registry to block a pull:
chainctl policy-gates check cgr.dev/$ORGANIZATION/bash:latest POLICY | MODE | RESULT ----------|---------|--------- cooldown | DRY_RUN | DENIED no-eol | DRY_RUN | ALLOWEDDisable a policy:
chainctl policy-gate disable --policy=no-eolSee chainctl policy-gate --help or the chainctl reference pages for more information.