diff --git a/roles/koji_builder/templates/kojid.conf b/roles/koji_builder/templates/kojid.conf
index a99f6679a0..c8680088b6 100644
--- a/roles/koji_builder/templates/kojid.conf
+++ b/roles/koji_builder/templates/kojid.conf
@@ -76,53 +76,9 @@ server={{koji_server_url}}
 pkgurl=http://kojipkgs.stg.fedoraproject.org/packages
 {% endif %}
 
-{% if env == 'staging' %}
-; A whitespace-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
-allowed_scms=
-    !src.stg.fedoraproject.org:/pagure/fork/*
-    !src.stg.fedoraproject.org:/pagure/forks/*
-    !pkgs.stg.fedoraproject.org:/pagure/fork/*
-    !pkgs.stg.fedoraproject.org:/pagure/forks/*
-    !src.stg.fedoraproject.org:/fork/*
-    !src.stg.fedoraproject.org:/forks/*
-    !src.stg.fedoraproject.org:/cgit/*
-    src.stg.fedoraproject.org:/container/*:false
-    src.stg.fedoraproject.org:/flatpaks/*:false
-    src.stg.fedoraproject.org:/git/rpms/*:false:fedpkg,sources
-    !src.stg.fedoraproject.org:/git/*
-    !pkgs.stg.fedoraproject.org:/fork/*
-    !pkgs.stg.fedoraproject.org:/forks/*
-    !pkgs.stg.fedoraproject.org:/cgit/*
-    !pkgs.stg.fedoraproject.org:/git/*
-    pkgs.stg.fedoraproject.org:/container/*:false
-    pkgs.stg.fedoraproject.org:/flatpaks/*:false
-    pkgs.stg.fedoraproject.org:/rpms/*:false:fedpkg,sources
-    pkgs.stg.fedoraproject.org:/*:false:fedpkg,sources
-    src.stg.fedoraproject.org:/*:false:fedpkg,sources
-    pkgs.fedoraproject.org:/rpms/*:false:fedpkg,sources
-    pkgs.fedoraproject.org:/*:false:fedpkg,sources
-    pagure.io:/fedora-kickstarts.git:false
-    src.fedoraproject.org:/*:false:fedpkg,sources
-{% else %}
-; A whitespace-separated list of hostname:repository pairs that kojid is authorized to checkout from (no quotes)
-allowed_scms=
-    !src.fedoraproject.org:/pagure/fork/*
-    !src.fedoraproject.org:/pagure/forks/*
-    !pkgs.fedoraproject.org:/pagure/fork/*
-    !pkgs.fedoraproject.org:/pagure/forks/*
-    !src.fedoraproject.org:/fork/*
-    !src.fedoraproject.org:/forks/*
-    !src.fedoraproject.org:/cgit/*
-    !src.fedoraproject.org:/git/*
-    !pkgs.fedoraproject.org:/fork/*
-    !pkgs.fedoraproject.org:/forks/*
-    !pkgs.fedoraproject.org:/cgit/*
-    !pkgs.fedoraproject.org:/git/*
-    pkgs.fedoraproject.org:/*:false:fedpkg,sources
-    pagure.io:/fedora-kickstarts.git:false
-    src.fedoraproject.org:/*:false:fedpkg,sources
-    pagure.io:/fork/*/fedora-kickstarts.git:false
-{% endif %}
+# everything related to allowed scms is now defined at hub
+allowed_scms_use_config = false
+allowed_scms_use_policy = true
 
 ; allow tasks to continue to completion if a sibling fails
 ; the parent task will fail but all child tasks will complete
diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2
index bcaf783377..65bcdab1a8 100644
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@@ -203,16 +203,45 @@ sidetag =
     all :: deny
 
 {% if env == "staging" %}
-# Policy for building scratch builds
 build_from_scm =
-    # allow scratch build for anything from anywhere
-    bool scratch :: allow
-    # allow to build from forks
-    match scm_type GIT GIT+SSH && match scm_host src.fedoraproject.org/forks/* :: allow
-{% endif %}
-
-scm =
-      # allow scratch builds from any commits
-      bool scratch :: allow
-      match_all branches * !! deny Commit must be present on some branch
-      all :: allow
+    match scm_host src.stg.fedoraproject.org :: {
+        bool scratch :: fedpkg sources
+        match scm_repository /rpms/* :: fedpkg sources
+        match scm_repository /modules/* :: fedpkg sources
+        match scm_repository /containers/* :: fedpkg sources
+        match scm_repository /flatpaks/* :: fedpkg sources
+    }
+    match scm_host pkgs.stg.fedoraproject.org :: {
+        bool scratch :: fedpkg sources
+        match scm_repository /rpms/* :: fedpkg sources
+        match scm_repository /modules/* :: fedpkg sources
+        match scm_repository /containers/* :: fedpkg sources
+        match scm_repository /flatpaks/* :: fedpkg sources
+    }
+    match scm_host pkgs.fedoraproject.org && match scm_repository /* :: allow fedpkg sources
+    match scm_host pagure.io && match scm_repository /fedora-kickstarts.git :: allow
+    match scm_host src.fedoraproject.org :: allow fedpkg sources
+    all :: deny
+{% else %}
+build_from_scm =
+    match scm_host src.fedoraproject.org :: {
+        bool scratch :: fedpkg sources
+        match scm_repository /rpms/* :: fedpkg sources
+        match scm_repository /modules/* :: fedpkg sources
+        match scm_repository /containers/* :: fedpkg sources
+        match scm_repository /flatpaks/* :: fedpkg sources
+    }
+    match scm_host pkgs.fedoraproject.org :: {
+        bool scratch :: fedpkg sources
+        match scm_repository /rpms/* :: fedpkg sources
+        match scm_repository /modules/* :: fedpkg sources
+        match scm_repository /containers/* :: fedpkg sources
+        match scm_repository /flatpaks/* :: fedpkg sources
+    }
+    match scm_host pagure.io :: {
+        bool scratch :: allow
+        match scm_repository /fedora-kickstarts.git :: allow
+        match scm_repository /fork/*/fedora-kickstarts.git :: allow
+    }
+    all :: deny
+{%endif}