You can now easily host signed SBOMs alongside your OCI artifacts in Cloudsmith, and use them for incident investigations and run-time protection, further securing your software supply chain.
SBOMs are fundamental to software supply chain security, so much so that the Open Source Security Foundation included "SBOMs Everywhere" as one of the 10 streams of investment for the Open Source Software Security Mobilization Plan.
SBOMs enable organizations to more easily determine if, how, and where they may be vulnerable when a new major vulnerability is discovered. Additionally, by scanning SBOMs for CVEs as part of run time, organizations can be more confident they are shipping secure software into production.
You can host your SBOM alongside your image in Cloudsmith using sigstore/cosign tooling. From there, you can incorporate SBOMs into your software supply chain workflows. We've put together an example workflow that demonstrates how to sign images; generate, attach and verify SBOMs; and continuously scan your SBOMs for new CVEs. The example leverages open source software and Cloudsmith as the container registry.
Check out our example repository here.
Ready to get started?
At Cloudsmith, our mission is to be the universal package management solution for teams and enterprises. As a result, we continually expand and improve the package formats we support. We are delighted to be able to introduce support for public and private Conda package repositories. You can now securely host your Conda packages alongside other pac…
We're very pleased to announce that Ruby is the latest package format to support upstream caching and proxying. This feature is currently in Invitational Beta. If you are interested in being an early tester, email us at support@cloudsmith.com and we’ll get you access. With upstream proxying, Cloudsmith will allow Ruby clients configured to use yo…
Pricing has changed across all paid plans (Free/OSS not affected); however, significant features have been moved down (or added). We did it to build a better Cloudsmith. You may find a better fit at a lower or higher tier, so view your subscription page (you need to be logged in, and an org admin) to see the differences. We wanted to take the time…
This is a heads up for our Debian users! As of today, we have updated our repository setup script and documentation to no longer rely on the recently deprecated apt-key binary. What does this mean? The apt-key binary was previously used within the Cloudsmith setup script for Debian systems to install the repository GPG key to the system keyring.…
Good news! We've added support for Cosign to the Cloudsmith OCI registry. Cosign is part of the open-source project sigstore, which makes it easy for developers to sign releases and for users to verify them. With this integration, Cloudsmith customers can sign OCI artifacts using Cosign, and push the generated signature into Cloudsmith to be store…
We're excited to announce that Cloudsmith now supports Conda packages. Conda is a cross-platform, language-agnostic binary package manager. It is the package manager used by Anaconda installations. Cloudsmith provides support for both public and private repositories for Conda. Cloudsmith's support for Conda is currently in Invitational Beta. If yo…
By submitting this form, you agree to our privacy policy
