Enhance Security with Chainguard and Cloudsmith

Jun 24 2024/3 min read
Picture of Ciara Carey
by Ciara Carey

At Cloudsmith, we are excited to announce our support for the Chainguard Registry as an upstream source. By consolidating all your artifacts, packages, and now Chainguard Images into Cloudsmith, your organization can:

  • Reduce risk of attack with no/low vulnerability base images provided by Chainguard.
  • Effortlessly deploy and distribute your packages and third-party dependencies using Cloudsmith's global content delivery network for optimal performance.
  • Ensure compliance and security by establishing and enforcing rules on dependencies with Cloudsmith’s policy manager.
  • Safeguard your workflows from disruptions caused by the removal of dependencies or outages in public repositories.

Integrating the Chainguard Registry as an upstream resource in your Cloudsmith account not only enhances security but also boosts efficiency in your artifact management workflow.

About Chainguard

Chainguard, a Docker Verified Publisher, offers Chainguard Images which are a collection of minimal, hardened container images with impressive features:

  • Zero CVEs
  • Includes SBOMs and signatures
  • Minimal, containing only the application and its runtime dependencies

Using these images as your base images will drastically reduce vulnerabilities and image attack surface, saving your organization time spent triaging CVEs.

Chainguard offers both a Public Registry ( containing developer images and a Private/Dedicated Registry ( which includes all versioned tags of an image and special images not available in the public registry (including FIPS images and other custom builds).

Organizations using Cloudsmith with Chainguard will immediately realize developer efficiencies, unparalleled performance, and reduced risk by having Chainguard images managed directly in Cloudsmith.

Upstream Proxying and Caching

Cloudsmith's upstream proxying and caching capabilities offer a powerful solution for managing dependencies and enhancing security in your software development process.

Upstream Proxying

With upstream proxying, package managers (e.g., Docker, npm, pip) recognize packages and images stored on remote repositories (e.g., Chainguard Image Registry, Docker Hub, npm, or PyPI) as part of the Cloudsmith repository. This consolidation transforms Cloudsmith into your single contact for all third-party dependencies, simplifying your organization's build systems and eliminating the need for multiple integrations.


Cloudsmith excels at locating, downloading, and securely storing dependencies within its environment, ensuring optimal performance and control for your organization. Caching your upstream dependencies in Cloudsmith offers several benefits:

  • Accelerates delivery of your packages, including third-party dependencies, through Cloudsmith's global content delivery network.
  • Shields your workflows from public repository outages.
  • Prevents disruption if dependencies are removed from external repositories.
  • Minimizes exposure to risk by providing access only to dependencies with acceptable vulnerability levels and license types through fine-grained rules enforced by the Cloudsmith policy manager.

Cloudsmith's upstream proxying and caching can streamline your organization’s development processes, enhance performance, and maintain control over your dependency management workflows.

Check out our documentation on getting started with proxying and caching with Cloudsmith.

Adding Chainguard as an Upstream

Here's how you can integrate the Chainguard Registry into your Cloudsmith account:

Create a Repository: If you haven't already, create a repository in Cloudsmith where you'll publish your package. Note down the Docker registry URL, which should resemble:

  1. Configure Upstream Proxying:
    • In your Cloudsmith repository, go to the Upstream Proxying settings.
    • Click the green "Create Upstream" button and select the Docker format.
    • Provide a descriptive name for the upstream, e.g., Chainguard Public, and specify the URL for the Chainguard Registry.
    • Enter the Chainguard Registry URL:
      • For Chainguard’s public images:
      • For Chainguard’s Private/Dedicated Registry:
    • Set the desired priority.
    • Choose Proxy or Cache and Proxy: Decide whether you want to just proxy requests through to Chainguard or also cache resolved assets in Cloudsmith for future use.
    • Configure SSL Certificate Verification: Ensure SSL certificates are verified for added security, especially for public sources.
    • Authentication and Headers: If you are using the private URL, Chainguard requires authentication or additional headers; provide them in the respective fields.

Pull a Chainguard Image with Docker Native Tooling

Here’s an example of how you would pull the nginx Chainguard Docker image into Cloudsmith after you’ve configured your Cloudsmith upstream for Chainguard:

  1. Configure your Cloudsmith upstream for Chainguard using the instructions above.
  2. Ensure Docker is installed on your system. If not, go here to get started with Docker.
  3. Open a terminal.
  4. Login to Docker with your Cloudsmith username and token, with the command: docker login
  5. Pull the latest Chainguard nginx image by running: docker pull
    Note: Replace ORGANIZATION and REPOSITORY with your Cloudsmith organization and repository, respectively.
  6. Check your Cloudsmith repository to find the newly added Chainguard nginx image.

Integrating the Chainguard Registry as an upstream in your Cloudsmith account not only enhances security but also boosts efficiency in your artifact management workflow. Embrace this integration today to unlock a new level of reliability and control in your development process.

Get our next blog straight to your inbox