The team at Cloudsmith is always looking for ways our customers and community can leverage adjacent technologies within the DevOps and application development ecosystem to secure the software supply chain. Cloudsmith developed the first integration with Datadog, the Cloud Monitoring as a Service solution, a few years ago! That integration was the first step in helping the community leverage both solutions simultaneously, strength for strength. We are excited to introduce the latest enhancement to the community integration: Security Scanning and Audit Logs.
In the initial release, Ciara Carey published a blog post describing the integration between Datadog and Cloudsmith and how it allows developers to monitor the health and performance of their software packages by highlighting the most common metrics, all from the Datadog UI. The initially supported metrics are detailed below:
- Storage Used - The percentage of storage used
- Bandwidth Used - The percentage of bandwidth used
- Token Count - The number of tokens in an organization
- Token Bandwidth Used - The total bandwidth used by tokens
- Token Download Total - The total downloads used by tokens
Next Steps and Expanding Scope
During the January 2023 Cloudsmith Webinar, the discussion covered a variety of topics, but two of the overarching themes were security and reducing complexity. These themes are popular amongst developers, and Cloudsmith is committed to building meaningful solutions for our great customers and community. The next step in this journey is providing additional Cloudsmith visibility in Datadog.
Vulnerability Scanning
Cloudsmith Vulnerability Scanning automatically scans supported package types for CVEs upon package upload. All results from this capability can now be seen via the Datadog dashboard. This is in addition to existing capabilities within the Cloudsmith Web UI, the Cloudsmith API, and Webhooks. The Cloudsmith Security Scan also drives other actions, including quarantining a package, which prevents users and systems from downloading the compromised package.
Audit Logs
The audit logs feature allows you to monitor all activity performed by the system, users or services in Cloudsmith, including creating or deleting a repository, modifications to repository settings, package deletions and quarantines, and more. Now alerts can be set up in Datadog based on the audit log data to receive notifications when suspicious activity is detected.
Conclusion
The addition of vulnerability scanning and audit logs to the Datadog-Cloudsmith integration provides developers with even more tools to monitor the health and security of their software packages. One of the biggest challenges developers and teams are struggling with is tooling or screen fatigue. By combining these features with Datadog's monitoring capabilities, developers can stay on top of any issues and ensure their packages are secure and reliable within the tool or screen that makes the most sense to them.
For the initial setup instructions for the Datadog-Cloudsmith integration, please refer to our previous blog post.