Package Traffic Controller (PTC)
Learn how JFrog Package Traffic Controller (PTC) intercepts public package traffic via Zscaler and routes it through Artifactory for Curation policy and audit.
Even with Artifactory in place, developers and AI coding agents can still download packages directly from public registries. That bypass creates incomplete audit coverage and limits where JFrog Curation policies apply.
New to PTC? Start with PTC Quick Start for a concise end-to-end walkthrough, then use the pages below for detailed configuration and troubleshooting.
JFrog Package Traffic Controller (PTC) addresses this at the network layer. PTC integrates with Zscaler Internet Access (ZIA) to intercept matching package traffic and redirect it through Artifactory, so policy checks and logging happen in one governed path while developers keep using their normal package manager commands.
The result is an auditable software supply chain for intercepted package traffic, with Curation enforcement on configured repositories and package activity recorded in Artifactory.
The technical entry point is the package-reroute service (Router path /package-reroute, REST API under /artifactory/api/package-reroute/). Any process on a configured workstation — with ZCC, the trust store, and ZIA policies in place — is governed the same way, whether it originates from a human developer or an AI coding agent.
Important — PTC requires a remote repository: The Package Reroute repo_key must point to a remote repository. Virtual repositories are not supported as the PTC repo_key. This keeps PTC configuration aligned with the upstream-facing repository used for consumption tracking and Curation behavior.
Public Versus Private Packages
PTC is intended for public packages from public registries.
The redirect path to Artifactory is anonymous on first hop and does not carry each developer's registry credentials. If a package requires end-user authentication to the public registry host (for example private npm scopes), redirect alone is not sufficient.
For packages that require client-presented credentials, point the package manager to your Artifactory virtual URL and configure client-side tokens (for example .npmrc or pip config).
Supported Package Types (GA)
The following ecosystems are supported for PTC. For detailed client guidance, see Configuration by Package Type.
- npm — supported clients: npm, pnpm, and yarn
- Python (PyPI) — supported clients: pip, pipenv, Poetry, and uv
- Docker and OCI — Container images and trust configuration. JFrog-validated engines, CLIs, and tools are listed under Docker and OCI, Hugging Face, and Other Types. Podman is not supported for PTC in this documentation.
- Hugging Face — See Docker and OCI, Hugging Face, and Other Types
Supported Workstation Operating Systems
- Windows
- macOS
- Linux
Install scripts, certificate placement, and environment variables are maintained in the scripts/ README.
Supported SASE and Edge Security
PTC currently integrates with Zscaler Internet Access (ZIA) with Zscaler Client Connector on the workstation.
How It Works
```mermaid
sequenceDiagram
    participant Dev as DeveloperMachine_ZCC
    participant ZIA as Zscaler_ZIA
    participant AF as JFrog_Artifactory
    participant Repo as NPM_Repository
    participant Cur as CurationEngine
    participant Pub as PublicRegistry
    Dev->>ZIA: npm install GET registry.npmjs.org/package
    ZIA->>ZIA: SSL Inspection and URL Match
    ZIA-->>Dev: HTTP 307 Redirect to Artifactory
    Dev->>AF: Follow redirect to /package-reroute
    AF-->>Dev: Redirect to NPM Repository
    Dev->>Repo: Request package
    Repo->>Cur: Check curation policies
    alt Package Approved
        Cur-->>Repo: Approved
        Repo->>Pub: Fetch package
        Pub-->>Repo: Return package
        Repo-->>Dev: Package delivered
    else Package Blocked
        Cur-->>Dev: Policy violation error
    end
```
The sequence diagram illustrates the path when JFrog Curation is enabled on the remote that resolves the package. If Curation is not enabled for that repository, the Repo → CurationEngine steps and the approve/block branch do not occur.
Step-by-Step Flow
- ZIA redirects matching package traffic through /package-reroute.
- Artifactory resolves requests through the configured remote repository.
- Complete setup and validation steps in Configure Artifactory for PTC and Configure Zscaler ZIA.
A typical redirect format is:
<YOUR_ARTIFACTORY_URL>/package-reroute?url=https%3A%2F%2Fregistry.npmjs.org%2Fexpress
(The url value is percent-encoded in real redirects and in curl tests. See Step 5: Verify the Redirect Endpoint.)
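The following added example (not JFrog's or Zscaler's own code) models the redirect decision and format described above: a request is rerouted only if it is a GET or HEAD to a registry host in the ZIA URL category, and the original URL travels percent-encoded in the url query parameter. The Artifactory URL and the registry host list are constructed placeholders.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample of hosts a ZIA URL category for npm/PyPI would match.
REROUTED_REGISTRY_HOSTS = {"registry.npmjs.org", "pypi.org"}
# Per the ZIA guidance on this page: redirect GET and HEAD only, never POST.
REROUTED_METHODS = {"GET", "HEAD"}
# Placeholder standing in for <YOUR_ARTIFACTORY_URL>.
ARTIFACTORY_URL = "https://artifactory.example.com"


def build_reroute_url(method, request_url, artifactory_url=ARTIFACTORY_URL):
    """Return the /package-reroute URL ZIA would redirect this request to,
    or None when the request should pass through to the registry untouched."""
    if method.upper() not in REROUTED_METHODS:
        return None
    parts = urlsplit(request_url)
    if parts.scheme != "https" or parts.hostname not in REROUTED_REGISTRY_HOSTS:
        return None
    # safe="" also encodes ":" and "/", giving https%3A%2F%2F... as on the page.
    encoded = quote(request_url, safe="")
    return f"{artifactory_url.rstrip('/')}/package-reroute?url={encoded}"


def parse_reroute_url(reroute_url):
    """Recover the original registry URL from a /package-reroute URL.
    Returns None if the URL is malformed or the decoded target is not a
    configured public registry host (a reroute should only ever carry one)."""
    parts = urlsplit(reroute_url)
    if parts.path != "/package-reroute":
        return None
    values = parse_qs(parts.query).get("url")  # parse_qs percent-decodes
    if not values or len(values) != 1:
        return None
    target = urlsplit(values[0])
    if target.scheme != "https" or target.hostname not in REROUTED_REGISTRY_HOSTS:
        return None
    return values[0]


if __name__ == "__main__":
    # Constructed requests: an npm install (rerouted) and an npm audit POST (passed through).
    for method, url in [("GET", "https://registry.npmjs.org/express"),
                        ("POST", "https://registry.npmjs.org/-/npm/v1/security/audits")]:
        print(method, url, "->", build_reroute_url(method, url))
```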
Scoped Versus Unscoped Deployment
You can apply PTC to everyone who hits the configured registries, or scope it to selected users or groups with ZIA rules. Group construction, identity membership, and policy precedence are managed in Zscaler.
Rollout recommendation: JFrog recommends a gradual rollout using scoped rules first (pilot or departmental Groups), then expanding. See Gradual Rollout Recommendation. The ZIA Groups filter is the standard way to keep blast radius small until you are ready for organization-wide coverage.
Unscoped (Organization-Wide): All users' traffic matching the URL category is intercepted and redirected. SSL inspection and URL filtering rules apply globally (subject to your other ZIA policies).
Scoped (Group-Specific, ZIA): Both the SSL Inspection rule and the URL Filtering rule include a Zscaler Groups filter (e.g., "R&D"). This means:
| User Group | Action | Result |
|---|---|---|
| R&D User runs npm install | Intercepted | Zscaler decrypts and redirects requests to JFrog Artifactory |
| Other User runs npm install | Ignored | Traffic flows directly to registry.npmjs.org via default ZIA policy |
Document Map
| Topic | Page |
|---|---|
| PTC Quick Start (end-to-end walkthrough) | PTC Quick Start |
| Deployment Sequence and Gradual Rollout | Deployment and Rollout |
| Prerequisites and Installation Script | Prerequisites and Installation Script |
| JFrog Artifactory Configuration | Configure Artifactory for PTC |
| Zscaler ZIA Configuration Guide | Configure Zscaler ZIA |
| Configuration API | Package Reroute Config API |
| Configuration by Package Type | Configuration by Package Type |
| Known Limitations and Troubleshooting | Limitations and Troubleshooting |
Frequently Asked Questions
This section provides answers to frequently asked questions about Package Traffic Controller (PTC).
FAQs
Q: What is JFrog Package Traffic Controller (PTC)?
A: PTC integrates Zscaler Internet Access with JFrog Artifactory to intercept outbound public registry traffic and route it through Artifactory before packages reach developers. JFrog Curation policies and audit logging can apply to that traffic without changing package manager commands.
Q: What do I need before deploying PTC?
A: You need JFrog Artifactory with Package Reroute configured, Zscaler Client Connector on workstations, trust for the Zscaler CA per package client, and ZIA rules in the order described in Deployment and Rollout. See Prerequisites for the full checklist.
Q: Does PTC work with private or scoped npm packages?
A: The anonymous Zscaler redirect path is intended for public packages from public registries. For private or scoped packages that require client credentials, point the package manager at your Artifactory virtual URL with tokens instead of relying on redirect alone. See Public Versus Private Packages.
Q: Why must ZIA redirect rules exclude POST requests?
A: Commands such as npm audit use POST to registry hosts. Redirecting POST breaks those commands. Configure URL filtering to allow only GET and HEAD for registry traffic, as described in Configure Zscaler ZIA.
Q: Can I roll out PTC to a pilot group first?
A: Yes. Use Zscaler Groups on SSL inspection and URL filtering rules, and phase package ecosystems in the URL category. JFrog recommends this approach. See Gradual Rollout Recommendation.