Software supply chain security with Cloudsmith

Safeguard your teams, customers, and reputation.

Verify every software artifact using Cloudsmith's scanning suite, package insights, and advanced policy engine. Carefully control who gets access to your software.

PagerDuty
Shopify
Font Awesome
American Airlines
ExpressVPN

Advanced Policy Engine

Secure your teams and pipelines. Use our policy engine to interpret threat signals and automate actions.

  • Use industry standard OPA Rego to define software usage policies
  • Apply policies to packages and containers flowing through Cloudsmith
  • Perform actions based on your policies
  • Make refinements based on policy logs
Example from the custom policy builder: conditions "Vulnerability: CVE Severity is Critical" and "Vulnerability: CVSS Score > 6", action "Packages: Quarantine". Available condition fields include CVSS score, CVE severity, type, API key, quality score, package age, package contributions and last contributed to; actions include quarantine and delete. The "Build in code" view shows a policy written in Rego:

```rego
package policy

import rego.v1

# maximum allowed CVSS score
max_cvss := 6

# array containing IDs of CVEs that have been explicitly allowed
cve_allowlist := ["CVE-2023-32681"]

default match := false

match if {
	some target in input.v0.security_scan
	some vulnerability in target.Vulnerabilities

	# check if this CVE has been explicitly allowed
	not vulnerability.VulnerabilityID in cve_allowlist

	some cvss in vulnerability.CVSS

	# check if this CVSS score is higher than the maximum allowed value
	cvss.V3Score > max_cvss
}
```

20+ conditions & actions are available in the custom policy builder, or build in code.
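As an added example (not Cloudsmith's own code), a Rego unit test file that exercises the CVSS/allowlist policy shown in this section before it is published. It assumes the policy is saved as policy.rego under package `policy`, and that each finding carries its CVSS scores as an object keyed by source with a V3Score field (an assumption about the scan format); the CVE ids and scores below are constructed for the test.

```rego
package policy_test

import rego.v1

import data.policy

# Constructed scan input in the shape the policy reads:
# input.v0.security_scan[_].Vulnerabilities[_].{VulnerabilityID, CVSS.<source>.V3Score}.
# The object layout of CVSS is an assumption; the ids and scores are made up.
scan(vulns) := {"v0": {"security_scan": [{"Vulnerabilities": vulns}]}}

vuln(id, score) := {"VulnerabilityID": id, "CVSS": {"nvd": {"V3Score": score}}}

# A score above max_cvss (6) must trigger the policy.
test_high_score_matches if {
	policy.match with input as scan([vuln("CVE-0000-0001", 9.8)])
}

# A score exactly at the threshold must not trigger it (the check is strictly greater-than).
test_boundary_score_does_not_match if {
	not policy.match with input as scan([vuln("CVE-0000-0002", 6)])
}

# The allowlisted CVE from the policy is ignored even with a critical score.
test_allowlisted_cve_is_ignored if {
	not policy.match with input as scan([vuln("CVE-2023-32681", 9.1)])
}

# The allowlist is per CVE: a second, non-allowlisted finding still matches.
test_allowlist_does_not_cover_other_cves if {
	policy.match with input as scan([
		vuln("CVE-2023-32681", 9.1),
		vuln("CVE-0000-0003", 7.5),
	])
}

# A scan with no findings falls through to the default (false).
test_clean_scan_does_not_match if {
	not policy.match with input as scan([])
}
```

Run with `opa test -v policy.rego policy_test.rego`; a failing boundary or allowlist test is the cheapest place to catch a policy that quarantines too much or too little.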
Diligent
Cloudsmith has transformed how we manage software, making our entire delivery process more secure and efficient.

Toshio Kenyon

Engineering Manager

Before

Diligent’s processes for managing, storing, and delivering software artifacts securely were becoming cumbersome. They needed to increase visibility and ensure security and compliance across all their repositories.

With Cloudsmith
  • Global distribution out of the box
  • Secure artifact management
  • Usage insights & full audit trail
Results
  • Faster release cycles
  • Improved security posture
  • Scaling and replication headaches eliminated

Get control over OSS packages flowing into your teams. Proxy and cache all remote registries through Cloudsmith

  • Replace direct pulls from OSS registries with Cloudsmith
  • Apply policies and checks on OSS packages before they reach teams
  • Speed up your build times with Cloudsmith’s global availability
Example policy: conditions "Vulnerability: CVE Severity is Critical" and "Vulnerability: CVSS Score > 6", action "Packages: Quarantine".

Avoid expensive remediation. Scan for vulnerabilities before using third-party code in your applications

  • Malware scanning as standard on all plans
  • Continuous scanning for CVEs
  • Vulnerability databases updated multiple times per hour

Enable your developers and teams with fine-grained access controls

Cloudsmith provides a flexible, powerful permissions system, putting you in complete control over who can access software. You can also integrate with your identity provider to control authentication, team membership and manage the lifecycle of your users.
  • Role-based access control
  • SSO via SAML group sync
  • SCIM deprovisioning
  • Team management
  • Service bot accounts

Unlock total visibility of the software flowing to your teams and pipelines with our advanced observability suite

  • Monitor and troubleshoot by observing log data in our web app
  • Export log data from Cloudsmith for further analysis
  • Use our API to search and query for patterns of interest
Search log entries (example view):

  Method  Status  User / token     Package
  GET     200     Martin Synott    tensorflow/tensorflow
  GET     403     pub_token        junit-jupiter-api
  GET     200     private_token    tf-training-data.zip
  POST    302     Jack Grenouille  numpy
  GET     200     pub_token        lodash

Build true quality controls into your software supply chain. Check packages for maintenance issues before you use them in production

  • Block poorly-maintained packages
  • Shape policies around quality control issues
Example package insight card: super-useful-api@0.0.4; Last updated: 14 months ago; Maintainers: 1; OpenSSF Scorecard: 3.6; Critical CVEs: 2

Mitigate legal risks by blocking packages using unfriendly software licenses

  • Visualise software licences in use across your teams
  • Restrict the usage of packages that carry non-compliant licenses
  • Remain in compliance and avoid costly rework
Example license check: numeral@0.19.27, MIT License: APPROVED; react-scripts@3.16.46, GNU GPL 2.0: NOT APPROVED