
Two Cathedrals: Cloudsmith + GitHub

Jun 11 2024/3 min read
by Alan Carson
Learn why using Cloudsmith with GitHub extends visibility, control + management beyond source code to your entire supply chain.

Before GitHub, everyone struggled to manage SVN (the “cool kid” at the time, pre-git), CVS, VSS, or, for the genuinely arcane, RCS. As a developer, there was trepidation with every check-in, hoping that nothing went wrong. Back then, source code management was held within a proverbial black box on some server you had to maintain, probably stuck under a colleague's desk in the corner.

Then, in 2008, GitHub emerged with a fully managed SaaS offering that gave developers and their teams visibility, control, and management.

Even before Cloudsmith was formed, Lee and I adopted GitHub in 2012. It was our first chance to leave that black-box, on-prem legacy behind and concentrate on the things that mattered. We never looked back.

Today, GitHub stores most of the world’s source code, both private and open source. Over the years, it has expanded its core functionality to include GitHub Actions and a limited Package Registry, among other enhancements.

Expanding Control with Cloudsmith

Cloudsmith was built to solve the same challenges of visibility, control, and management but for the software supply chain and secure delivery, including binaries, artifacts, packages, and containers. In much the same way, it brings a fully managed SaaS offering to store most of the world’s packaged code, both private and open source.

Our primary goal was to free developers and operations teams from running an artifact registry on a legacy black box on a server they had to maintain, or even think about deeply. Instead, we provide a single source of truth for all artifacts in a fully managed, cloud-native platform that leverages the cloud's strengths, including reduced infrastructure costs and the best scalability and performance, all at the click of a button, just like GitHub.

Today, Cloudsmith proudly sits beside GitHub in our customers' tech stacks. That reflects our commitment to "works well with others" and ensures our customers have what they need to build secure and performant pipelines, distributing source and packaged code when and where it is required, whether consumed internally or delivered across the world.


Our integration with GitHub gives development and DevOps teams an easy and secure way to manage source code and the resulting packages through:

Single Sign-On
Use GitHub as your IdP to sign into Cloudsmith.

GitHub Actions Integration
Use our GitHub Action to publish packages to Cloudsmith across all popular formats.

OIDC Support
Use GitHub as an OIDC provider for integrated authentication and more robust security.

Security Scanning
We scan and tag your packages using vulnerability data sourced from the GitHub Advisory Database, covering Hex, Java, .NET, Node.js, PHP, Python, Ruby, and Swift.

Policy Management
We work alongside GitHub and GitHub Advanced Security to manage the risks of software ingress (what your builds pull in) and egress (what you ship out).
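The GitHub Actions and OIDC items above are easiest to see together. The workflow below is an added example, not code from Cloudsmith or GitHub: a job mints a short-lived GitHub OIDC token, exchanges it for a Cloudsmith token, and pushes a package with the Cloudsmith GitHub Action, so no long-lived Cloudsmith API key has to live in repository secrets. The exchange endpoint path, its `oidc_token`/`service_slug` request body, the `token` field in the reply and the `audience` value are assumptions about Cloudsmith's OpenID endpoint that you should check against the current Cloudsmith documentation; `example-org`, `example-repo` and `github-ci` are placeholders.

```yaml
# Added example (not Cloudsmith's or GitHub's own code): publish to Cloudsmith
# from GitHub Actions using a GitHub OIDC token instead of a stored API key.
name: publish-to-cloudsmith

on:
  push:
    tags: ["v*"]          # only release tags may publish

permissions:
  contents: read
  id-token: write         # lets the job request a GitHub OIDC token

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build wheel
        run: |
          python -m pip install --upgrade build
          python -m build --wheel

      # Request an OIDC token for this job and exchange it for a Cloudsmith
      # token. ASSUMPTIONS: the audience value, the exchange URL
      # (https://api.cloudsmith.io/openid/<org>/), the JSON body and the
      # "token" reply field; verify against Cloudsmith's OIDC docs.
      # "example-org" and "github-ci" are placeholders.
      - name: Exchange GitHub OIDC token for a Cloudsmith token
        id: oidc
        env:
          CLOUDSMITH_ORG: example-org
          CLOUDSMITH_SERVICE: github-ci
        run: |
          set -euo pipefail
          id_token=$(curl -sSf \
            -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" \
            | jq -r '.value')
          cs_token=$(curl -sSf -X POST \
            -H "Content-Type: application/json" \
            -d "{\"oidc_token\":\"${id_token}\",\"service_slug\":\"${CLOUDSMITH_SERVICE}\"}" \
            "https://api.cloudsmith.io/openid/${CLOUDSMITH_ORG}/" \
            | jq -r '.token')
          echo "::add-mask::${cs_token}"        # keep the token out of job logs
          echo "token=${cs_token}" >> "$GITHUB_OUTPUT"

      - name: Push to Cloudsmith
        uses: cloudsmith-io/action@v0.5.4       # pin to a commit SHA in production
        with:
          api-key: ${{ steps.oidc.outputs.token }}
          command: push
          format: python
          owner: example-org
          repo: example-repo
          file: dist/*.whl
```

What makes this more robust than a secret-based setup is that the GitHub token carries verifiable claims about where it came from (repository, ref, workflow, environment), expires in minutes, and is only granted to jobs that declare `id-token: write`. The Cloudsmith side should be configured to accept tokens only from the intended repository and branch or tag so a token from a fork or a feature branch cannot publish; the `on.push.tags` trigger above limits which runs even ask for one. Pinning third-party actions to a commit SHA rather than a tag is the usual supply-chain hardening for the `uses:` lines.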

Empowering Smarter, Safer Choices

With the rise of popular Gen AI tooling, there is more data than ever, and new ways to consume and query it. The obvious next step is to share the knowledge created by deeply developer-interactive tooling like GitHub and lean into the knowledge Cloudsmith is capturing about the security and provenance of both open-source and closed-source software.

That’s why we launched Cloudsmith Navigator last year, to surface curated provenance information about open-source packages, powered in part by GitHub’s history of the source code. Navigator offers a glimpse into the nature of the holistic knowledge we have access to, and it’s this knowledge that forms the foundations of additional risk-based policies and controls.

A wise wizard once told me (okay, it was last weekend), “[it’s important] to bring more of the developer tools in the place where they already work.” In other words, you want to build a bridge towards existing tooling and make it easy for others to integrate rather than being isolationist and building all-in-one platforms that are anti-competitive. Genuinely "working well with others" is the right goal, and it fits our strategic thinking and positioning for Cloudsmith.

We believe it will take a village of partnerships, with at least two cathedrals (GitHub and Cloudsmith 🙂), to put the best guardrails in place to minimize the risks of open-source and closed-source software.  That means continuing to partner with companies that share our cooperative mission to secure software delivery, like our friends at Docker, CircleCI, Stacklok, Chainguard, and GitHub.

Watch this space.

