AI Docs Bundle
Join Our Community Slack Contact
chainctl Reference

chainctl libraries policy-gate create

  2 min read
chainctl Reference Product

chainctl libraries policy-gate create

Create a custom Libraries policy.

chainctl libraries policy-gate create --name NAME [--parent ORGANIZATION_NAME | ORGANIZATION_ID] [--cooldown-days N] [--block ...] [--allow ...] [flags]

Examples 

  # Create a policy with a cooldown window and a blocked package
  chainctl libraries policy-gate create --name=trusted --parent=example.com \
  --cooldown-days=14 --block=purl=pkg:pypi/evil
  
  # Allow a package to bypass the malware gate (justification required)
  chainctl libraries policy-gate create --name=trusted --parent=example.com \
  --allow=purl=pkg:pypi/requests,bypass-malware=true,justification="vetted internally"

Options 

      --allow stringArray     An allow-list entry, formatted as comma-separated key=value pairs (e.g. purl=pkg:pypi/requests,bypass-cooldown=true,bypass-malware=true,justification="..."). Repeatable.
      --block stringArray     A block-list entry, formatted as comma-separated key=value pairs (e.g. purl=pkg:pypi/requests). Repeatable.
      --cooldown-days int32   The cooldown window in days (0 disables, 1-30 explicit, omit to inherit the default). (default -1)
      --description string    The description of the policy.
      --name string           The name of the policy.
      --parent string         The name or id of the organization to scope the policy to.

Options inherited from parent commands 

      --api string         The url of the Chainguard platform API. (default "https://console-api.enforce.dev")
      --audience string    The Chainguard token audience to request. (default "https://console-api.enforce.dev")
      --config string      A specific chainctl config file. Uses CHAINCTL_CONFIG environment variable if a file is not passed explicitly.
      --console string     The url of the Chainguard platform Console. (default "https://console.chainguard.dev")
      --force-color        Force color output even when stdout is not a TTY.
  -h, --help               Help for chainctl
      --issuer string      The url of the Chainguard STS endpoint. (default "https://issuer.enforce.dev")
      --log-level string   Set the log level (debug, info) (default "ERROR")
  -o, --output string      Output format. One of: [csv, env, go-template, id, json, markdown, none, table, terse, tree, wide]
  -v, --v int              Set the log verbosity level.

SEE ALSO

Related Articles

chainctl

chainctl Chainguard Control

  2 min read

chainctl actions

chainctl actions Interact with the Chainguard Actions product.

  1 min read

Last updated: 2026-06-10 18:28

chainctl libraries policy-gate binding update Prev   chainctl libraries policy-gate delete   Next