# chainctl libraries policy create

URL: https://deploy-preview-3459--ornate-narwhal-088216.netlify.app/chainguard/chainctl/chainctl-docs/chainctl_libraries_policy_create.md
Last Modified: June 22, 2026
Tags: chainctl, Reference, Product

Create a custom Libraries policy.

## Synopsis

Create a CUSTOM Libraries policy for an organization.

A policy configures the gates applied when your organization pulls upstream packages. Use `--cooldown-days` to quarantine newly published versions for N days (0 disables the cooldown, 1-30 sets an explicit window, omit to inherit the system default), `--block` to always deny a package, and `--allow` to let a package bypass the cooldown and/or malware gates.

Packages are identified by their package URL (purl). The purl namespace selects the ecosystem, so the same `--block` and `--allow` flags work for Python, JavaScript, and Java:

- Python (PyPI): `pkg:pypi/<name>`
- JavaScript (npm): `pkg:npm/<name>`, or `pkg:npm/%40<scope>/<name>` for scoped packages
- Java (Maven): `pkg:maven/<group>/<artifact>`

Append a version with `@` to scope an entry to a single version (for example `pkg:npm/lodash@4.17.20`); omit the version to match every version of the package. `--block` and `--allow` are repeatable, so a single policy may list many packages across ecosystems.

A newly created policy is inactive: activate it for an ecosystem with `chainctl libraries policy enable`.
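
The purl forms described above can be generated from a reviewed blocklist instead of being typed by hand. The script below is an added example, not part of chainctl or its documentation: it converts entries to `--block` flags, percent-encodes npm scopes, and rejects unknown ecosystems and out-of-range cooldown values. The input format (`ecosystem name [version]`, with Maven names as `group:artifact`), the function names, and the `@example/widget` entry are assumptions of this example.

```shell
#!/bin/sh
# Added example (not chainctl code). Assumed input format: "ecosystem name [version]".

# to_purl ECOSYSTEM NAME [VERSION]: print the purl, or return 1 on bad input.
to_purl() {
  eco=$1; name=$2; ver=${3:-}
  case "$eco" in
    pypi) purl="pkg:pypi/$name" ;;
    npm)
      case "$name" in
        @*/*) purl="pkg:npm/%40${name#@}" ;;  # scoped: "@" becomes %40
        @*)   return 1 ;;                     # scope without a package name
        *)    purl="pkg:npm/$name" ;;
      esac ;;
    maven)
      case "$name" in
        *:*) purl="pkg:maven/${name%%:*}/${name#*:}" ;;  # group:artifact
        *)   return 1 ;;
      esac ;;
    *) return 1 ;;  # only the three ecosystems listed on this page
  esac
  if [ -n "$ver" ]; then purl="$purl@$ver"; fi
  printf '%s\n' "$purl"
}

# build_block_flags: read entries on stdin, print one --block flag per line.
build_block_flags() {
  while read -r eco name ver; do
    case "$eco" in ''|'#'*) continue ;; esac  # skip blanks and comments
    purl=$(to_purl "$eco" "$name" "$ver") || { echo "bad entry: $eco $name" >&2; return 1; }
    printf '%s\n' "--block=purl=$purl"
  done
}

# valid_cooldown N: true for 0 (disabled) through 30.
valid_cooldown() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le 30 ]
}

# Constructed sample blocklist; printed as a dry run, nothing is executed.
sample='pypi evil
npm @example/widget
npm lodash 4.17.20
maven com.example:bad-lib'
if valid_cooldown 14; then
  printf '%s\n' 'chainctl libraries policy create --name=blocklist --parent=example.com --cooldown-days=14 \'
  printf '%s\n' "$sample" | build_block_flags | sed 's/^/  /; $!s/$/ \\/'
fi
```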

```
chainctl libraries policy create --name NAME [--parent ORGANIZATION_NAME | ORGANIZATION_ID] [--cooldown-days N] [--block ...] [--allow ...] [flags]
```

## Examples

```
# Block a specific package and apply a 14-day cooldown (Python / PyPI)
chainctl libraries policy create --name=trusted --parent=example.com \
  --cooldown-days=14 --block=purl=pkg:pypi/evil

# Block specific packages across ecosystems (repeat --block per package)
chainctl libraries policy create --name=blocklist --parent=example.com \
  --block=purl=pkg:pypi/evil \
  --block=purl=pkg:npm/left-pad \
  --block=purl=pkg:maven/com.example/bad-lib

# Block a single version, leaving other versions of the package allowed
chainctl libraries policy create --name=pin --parent=example.com \
  --block=purl=pkg:npm/lodash@4.17.20

# Allow a package to bypass the malware gate (justification required)
chainctl libraries policy create --name=trusted --parent=example.com \
  --allow=purl=pkg:pypi/requests,bypass-malware=true,justification="vetted internally"

# Allow a Java package to skip the cooldown window
chainctl libraries policy create --name=trusted --parent=example.com \
  --allow=purl=pkg:maven/org.apache.commons/commons-lang3,bypass-cooldown=true
```

## Options

```
      --allow stringArray     A package permitted to bypass gates, as comma-separated key=value pairs: purl=<package-url>[,bypass-cooldown=true][,bypass-malware=true][,justification="..."]. justification is required with bypass-malware. Repeatable.
      --block stringArray     A package to always deny, as purl=<package-url>. The purl namespace selects the ecosystem (pkg:pypi/<name>, pkg:npm/<name>, pkg:maven/<group>/<artifact>); append @<version> to block a single version. Repeatable.
      --cooldown-days int32   The cooldown window in days (0 disables, 1-30 explicit, omit to inherit the default). (default -1)
      --description string    The description of the policy.
      --name string           The name of the policy.
      --parent string         The name or id of the organization to scope the policy to.
```

## Options inherited from parent commands

```
      --api string         The url of the Chainguard platform API. (default "https://console-api.enforce.dev")
      --audience string    The Chainguard token audience to request. (default "https://console-api.enforce.dev")
      --config string      A specific chainctl config file. Uses CHAINCTL_CONFIG environment variable if a file is not passed explicitly.
      --console string     The url of the Chainguard platform Console. (default "https://console.chainguard.dev")
      --force-color        Force color output even when stdout is not a TTY.
  -h, --help               Help for chainctl
      --issuer string      The url of the Chainguard STS endpoint. (default "https://issuer.enforce.dev")
      --log-level string   Set the log level (debug, info) (default "ERROR")
  -o, --output string      Output format. One of: [csv, env, go-template, id, json, markdown, none, table, terse, tree, wide]
  -v, --v int              Set the log verbosity level.
```

## SEE ALSO

- chainctl libraries policy - Manage Libraries policies.
