By submitting this form, you agree to our 

Containers have been with us for a while and are ubiquitous in the Secure Software Development Life Cycle (SSDLC). According to some reports, 

 use containers for most or all of their production applications. It’s no surprise really, as containers provide consistency and standardization across the lifecycle while speeding up delivery pipelines. They revolutionized how we develop and deploy apps in the cloud and there is no sign of this changing anytime soon.

Like any part of the SSDLC, containers have security risks and can be breached. This can be due to misconfiguration of the containers, inherent vulnerabilities in the contained software, like missed OS patches, or vulnerabilities in the runtime code. These can manifest in various ways, but some common ones are vulnerabilities that provide root access to the OS, turn off security features, execute malicious code at run time, or run phantom processes silently in the background. And these breaches do happen. The most famous container breach is still the 2018 Tesla breach, where it was reported that hackers read AWS credentials from the breached containers and therefore gained further infrastructure access, allegedly launching cryptojacking operations using that infrastructure. So, with nearly 60% of organizations using containers in production, it's great to hear about Docker’s Hardened Images being announced last week.

 and records 11 billion pull actions on these images each month. Previously, they released Docker Official Images to provide confidence in the provenance of the images, SBOM support to give transparency on contents and Docker Scout for real-time insights. This focus on security has evolved again into Docker Hardened Images.

A hardened image is a container image prepared to reduce Common Vulnerabilities and Exposures (CVEs).

Ensuring they provide the core functions required

Reducing the target area for attacks by removing up to 95% of the contents

Providing a curation and governance process for images

The provenance and curation of these images should give organizations and developers confidence. Knowing that images will be checked and kept up to date by a reputable source like Docker can only be reassuring. However, the security of containers and images doesn’t stop here. At Cloudsmith, we are delighted to partner with Docker on this launch, as we know we can add more to securing container usage together.

The above image shows a typical example of how this works in practice. An organization’s CI/CD pipeline is configured to use Cloudsmith as a private registry for its artifacts, including container images. When a build is triggered during development, the CI/CD tooling requests the container image(s) it needs.

With an upstream proxy for container images configured, Cloudsmith will fetch the image(s) from Docker Hub. It is at this stage where a verifiable, trusted Docker Hardened Image can be fetched. There is no extra configuration required in Cloudsmith, so users can benefit from using these images right away. Pulling a Docker Hardened Image is the same as fetching any other image from Docker Hub. Maximum security and trust is built into the raw image. For customers that have specific compliance or security requirements, Cloudsmith will also enforce policies around licensing and vulnerabilities. 

See: link to enterprise policy management blog

. This ensures that organizations have the right blend of security at source and the flexibility to map to their own requirements.

How do organizations ensure developers use these images during code creation and the deployment lifecycle? Cloudsmith is already used by organizations worldwide for their Docker registries, and our advanced features provide tools built for global teams.

Our cloud native, global availability means an organization’s registries are available wherever its teams are. Policy creation and enforcement provide granular access to private and public images, ensuring a source of truth for the organization’s images and providing visibility to its security teams. We also support CI/CD workflows, meaning the organization can confidently see what is being promoted to production.

With seamless integration and zero tradeoffs between speed and compliance, combining the peace of mind provided by Docker Hardened Images with Cloudsmith’s Docker registry support and functions can produce even greater governance and confidence.

That's why we are delighted to collaborate with Docker for this launch, securing the software supply chain further than ever before.

Want to learn how to secure your software supply chain end-to-end?

Watch our webinar next week for an in-depth discussion on container security, hardened images, SBOMs, and how to build a zero-trust artifact lifecycle. 

 and get actionable insights from Docker and Cloudsmith experts.

Jack Gibson

Senior Software Engineer

Securing Containers at Scale: Docker Hardened Images + Cloudsmith

Yet another supply chain attack has surfaced, this time using the xrpl library to sneak through malicious packages. 

 is recognised as the recommended npm library for integrating the 

 with JavaScript/TypeScript applications, and has over 140k downloads a week.

Our security team quickly responded to this threat and found that no Cloudsmith customers are currently using any of the affected versions.

The attack strategy was to introduce five suspect versions of the library, masquerading as genuine releases. They inserted a crypto-stealing backdoor by adding malicious code that could leak private keys and silently sign fraudulent transactions.

npmjs have recently released version 4.2.5, which overrides the compromised versions.

 can get a full and detailed description of the attack from Charlie Eriksen at 

XRP supply chain attack: Official NPM package infected with crypto stealing backdoor.

The vulnerability is logged with the CVE Dictionary Entry of 

XRPL Dependencies - A Critical Security Risk

The XRPL is a Layer 1 blockchain built for payments and asset transfers. Layer 1 blockchain is the foundational infrastructure of a blockchain. This is where core functions are handled, such as validating transactions, securing the network, and ensuring consensus around transactions and ownership.

The XRPL is used by financial institutions, fintech companies, developers, and startups, mostly for payments, asset tokenization, and building lightweight financial applications.

A supply chain attack on a package integrating with the XRPL can have serious implications. It could expose private keys, hijack transactions, or leak sensitive data, without compromising the ledger itself. If xrpl.js is compromised, any apps using it could unknowingly sign malicious transactions or leak user information, which could result in stolen funds. XRPL dependencies are critical to security.

Any security features can and should be tested against real-world threats. Cloudsmith’s Enterprise Policy Management (EPM) includes policy-as-code, meaning custom policies can be written against precise requirements to block known exploits.

For the xrpl.js attack, we know the bogus versions, so it’s easy to write Rego code that checks your repository against the known versions. Cloudsmith can then quarantine the packages if there’s a match against npm packages named xrpl:

 information on setting up and configuring policy code, see 

Enterprise Policy Management Example: Quarantine Packages Using Policy as Code

smith and see how it can stop supply chain attacks.

Ian Taylor

Tech Content Director

XRPL Supply Chain Attack and How to Block it Using Cloudsmith’s Enterprise Policy Management

As more teams rely on public repositories in their software supply chain, the dependency chain has become both a critical foundation and a potential blind spot. Dependency chain abuse is not new, but a growing list of attack vectors - like typosquatting, dependency confusion, and now slopsquatting - means security leaders need to respond quickly as attackers adopt new techniques.

Let’s take a look at how dependency chain abuse works, why it’s growing more dangerous in the age of GenAI, and what you can do to protect your supply chain.

Dependency chain abuse refers to a broad set of attacks that exploit how software dependencies are sourced and managed - whether accessed during development, within CI/CD pipelines, or across runtime environments. Attackers can manipulate the package retrieval process, tricking systems into installing malicious software that poses as a legitimate dependency.

Most development teams rely on a mix of internal registries (like Cloudsmith) and public ecosystems like 

, etc. But this open and distributed model creates a porous perimeter. A single unverified or malicious package could potentially lead to:

Compromising the entire software supply chain

Classic Dependency Chain Abuse in the Wild

 documentation cites some of the better-known ways attackers exploit dependencies:

 Dependency Confusion Uploading malicious packages to public repositories with names matching private ones. Dependency Hijacking Gaining control of a maintainer’s account to inject malware into popular packages. Typosquatting Using misspelled or lookalike package names to trick developers. Brandjacking Imitating trusted organizational naming conventions to gain developer trust.

These methods rely on lapses in developer vigilance or CI/CD misconfigurations - but now there’s a new adversary for compliance teams: GenAI.

 is a novel attack vector that exploits a well-known weakness of generative AI systems: their tendency to "

" - that is, to produce plausible but incorrect or fabricated information - especially when generating code..

A Comprehensive Analysis of Package Hallucinations by Code-Generating LLMs

, examined 16 popular large language models using two distinct prompt datasets. The researchers generated 576,000 code samples across two program

ming languages and analyzed them for hallucinated packages. Their findings revealed that, on average, commercial models hallucinated packages in at least 5.2% of cases, while open-source models did so at a much higher rate of 21.7%. Alarmingly, they identified 205,474 unique hallucinated package names, highlighting just how widespread and serious this vulnerability has become

Why Dependency Chain Attacks Are So Damaging

Once a malicious dependency is in play, it’s often too late. Even if the payload is dormant or the package "works as advertised," it could potentially:

Harvest environment variables and secrets

Pivot across systems and escalate privileges

Remain unnoticed across builds and deployments

These attacks go well beyond the developer’s workstation. These are full-on supply chain threats with long-lasting consequences.

Mitigating the Risk of Dependency Chain Abuse

Securing the software supply chain requires a multi-layered approach, particularly when managing dependencies across various language-specific package managers and build environments. While configurations may differ, the core principle remains the same:

 clients should never fetch packages directly from untrusted or public source

s. Instead, all third-party packages should be routed through 

, enabling organizations to enforce security controls, log activity, and respond quickly in the event of an incident.

Wherever possible, direct access to external repositories should be disabled, and clients should be configured to pull only from internal, pre-vetted repositories.

To further reduce risk, organizations should implement 

. This includes enforcing checksum and signature verification for all packages, avoiding use of "

" tags in favor of fixed, vetted versions, and using lockfiles or version pinning mechanisms provided by each language ecosystem. All internal packages should be properly namespaced to the organization, with clients configured to only retrieve scoped packages from internal sources. Configuration files (e.g. 

) must reside within project repositories to override any insecure global settings on developer machines.

By enforcing trust boundaries, verifying package integrity, and adopting zero-trust tooling like Cloudsmith, organisations can significantly reduce their exposure to dependency chain abuse. As software supply chains grow more complex and AI-generated code becomes more common, securing how and where your dependencies are sourced has never been more critical. If you found this content helpful and want to dive deeper into securing your CI/CD pipelines, be sure to check out our free Cloudsmith eBook on the OWASP Top 10 for CI/CD systems – 

Nigel Douglas

Head of Developer Relations

OWASP CI/CD

OWASP CI/CD Part 3: Dependency Chain Abuse

Cloudsmith built Enterprise Policy Management (EPM) on Open Policy Agent (OPA) and uses Rego to define policies as code. These policies control how packages move through your systems. They're versioned, reviewable, and enforceable.

EPM is in early release, but it already draws on extensive metadata Cloudsmith collects from your artifacts: format, version, tags, license, vulnerability, malware scan results, and digital signatures. Policies tap into this data to take action based on what matters to your team.

Enterprise Policy Management with Cloudsmith

This article follows the example provided by Ciara Carey, a Solutions Engineer at Cloudsmith, shown in the video below.

EPM edited

From the Cloudsmith interface, navigate to the 

 policy to view the Rego-based rules for an example policy. These code-defined policies give you fine-grained control over artifact behavior.

This policy evaluates multiple risk indicators across all known vulnerabilities for a package to determine whether it should be flagged and quarantined. These indicators include CVSS and EPSS scores, the presence of a patch, and the age of the vulnerability.

At the top of the code, we set up our Rego script with the necessary dependencies:

 variable to store whether the vulnerability matches our criteria:

We’re testing against parameters including EPSS and CVSS scores, repo name, age, and CVE exclusion, and these are declared as variables:

 from the lower setting in the video, to reflect a more realistic threshold.

 block, which evaluates the conditions for each vulnerability and sets match to true if all pass:

This example uses a nuanced policy that checks for several risk factors before it triggers an action. Let’s examine these checks and the code they use.

Target Repository and Iterate Vulnerabilities

Make sure we are targeting our preferred repo:

Then loop through each reported vulnerability. The policy then applies the conditions to every vulnerability in the dataset. A vulnerability is bound to the 

Apply and Evaluate Conditions for Each Vulnerability

The following checks are then applied to each vulnerability for the package:

 – Skips known and accepted vulnerabilities to reduce unnecessary noise:

This uses a simple Rego helper rule to check if the vulnerability is in the ignore CVE list:

– This check ensures that a patched version of the package exists. If not, the policy will not trigger:

 – Evaluates the severity of any vulnerability using a configured CVSS threshold:

This uses a helper rule to check if the EPSS score exceeds our limit:

 – Evaluates the likelihood of vulnerability exploitation using the configured EPSS threshold:

– This checks the vulnerability's age by comparing its published date to a threshold of 30 days ago. This gives the vulnerability a grace period to establish itself. If the vulnerability was published before that date, it meets the age condition for further evaluation:

 panel, you can add a series of actions taken in response to a policy trigger. In this example, Cloudsmith performs the following automated actions:

 – Adds a visible marker so teams can immediately identify problematic artifacts.

 – Blocks the artifact from being downloaded, deployed to infrastructure, or promoted to other repositories.

Once the actions have been added, toggle the switch to the right of the policy name to ensure the policy is active.

To test the policy, upload a package that matches the policy conditions. For example, one with a known vulnerability that exceeds the configured CVSS and EPSS thresholds.

 to push a package that triggers the policy.

Cloudsmith automatically scans the package, extracts metadata, and applies the policy. In the example, if the conditions match, Cloudsmith:

Quarantines it to block deployment, download, and promotion

The API offers a range of instructions to manage policies using EPM. For example, use the simulate API to test policies without enforcing them. This returns results as if the policy were active, helping teams validate changes safely.

Open the decision log to examine how the policy responded. Locate the policy ID and view the result. The interface shows the evaluated Rego policy and the triggered event's full context.

You'll find detailed metadata from the package, including:

This information forms the basis for policy evaluation. Scroll to the bottom to see what actions the policy took. The decision log provides a transparent record of what happened and why.

Ciara Carey

Solutions Engineer

Enterprise Policy Management (EPM) is a programmable policy-as-code layer that controls the security, compliance, and flow of artifacts across the software supply chain. Teams can codify rules once and apply them continuously across repositories. With Cloudsmith’s platform, organizations extend policy enforcement across teams, environments, and geographies without introducing friction, including the open source packages that the chain depends on.

Our EPM solution is powered by data at every stage. The policy engine has access to all available package metadata to inform decisions. Every policy action is recorded with full context, providing detailed logs for customers to support audits and investigations. EPM includes compliance dashboards, that surface insights in security, compliance, and policy activity. This gives you continuous oversight and helps you refine your approach.

This article provides an overview of EPM and how it strengthens the software supply chain. For a worked example using policy as code, see 

We built EPM because governance should not slow you down; it should accelerate trust. Threats to your software supply chain are evolving faster than human oversight can track, and automation is the only viable path to resilience. EPM puts policy enforcement early in the development process. It makes decisions transparent and implements your security and compliance posture into something repeatable, testable, and version-controlled, like the rest of your codebase. Developers get immediate insight to help select packages. They know which meet policy standards for security, licensing, and quality.

Policies are codified rules that automate decisions and enforce rules on which packages are allowed in your software supply chain. They provide guardrails that ensure security, compliance, and operational consistency. Policies can block vulnerable packages, restrict problematic licenses, and control access.

For example, an enterprise may add a policy that stops packages with high-risk vulnerabilities from reaching production environments. The policy would be prescribed by logic as follows:

Define logic that evaluates vulnerability criteria and applies a quarantine action to affected packages.

The criteria specifies that the vulnerability must be listed in the Common Vulnerabilities and Exposures (CVE) database.

The policy then checks if the vulnerability exceeds a defined 

If conditions are met, the package can either be quarantined and blocked from promotion to production or tagged with additional context for further forensics.

This previous example is a vulnerability policy and is one of the types Cloudsmith EPM supports:

 prevent non-compliant code from being used.

 automate tagging, quarantining, or deleting based on metadata.

Without strong policy management, teams face increased risk and unnecessary effort:

- Missing automation allows known CVEs or malicious packages to reach production.

 - Teams must scramble for audits instead of demonstrating continuous compliance.

- Engineers spend hours reviewing dependencies or waiting for late-stage approvals.

Without shared policies, standards vary across teams and environments.

Without codified policies, organizations cannot fully benefit from the scale and speed of the cloud.

Catching vulnerabilities early in the software delivery lifecycle reduces both the financial cost of remediation and the risk of reputational damage.

EPM was built to avoid these issues in response to real-world supply chain threats and close collaboration with our customers. Codification and automation provide a unified approach for teams to enforce decisions that were previously enforced manually and inconsistently, proving less robust or scalable.

In an automated delivery environment, policies are essential for reducing manual overhead, preventing costly mistakes, and proving compliance, and have particular relevance within the organization:

-For CISOs, policies are the cornerstone of a secure software supply chain. They enable proactive threat mitigation, enforce compliance with frameworks like SLSA and SC2CF, and provide the audit trails required for regulatory confidence. Cloudsmith’s EPM lets CISOs shift from just enforcing checklists to actively collaborating with engineering teams by using the same tools. Implementing automated policies makes it easier for the engineering team to build securely.

- CTOs are focused on enabling product velocity without compromising architectural integrity. Effective policy management acts as a safeguard for CTOs, giving them confidence to move fast with greater safety, supporting both innovation and security goals. With EPM, they can align engineering output with business goals, ensure consistent implementation of best practices, and reduce the operational burden of manual reviews.

Teams immediately benefit by switching from public repositories to Cloudsmith as a curated repository for their developers. Policies then provide clarity, speed, and safety for engineering teams. Instead of guessing what is allowed, developers get immediate feedback when a package or dependency violates a rule. Our EPM integrates policy checks directly into the artifact pipeline, shifting decision-making left and reducing the noise and frustration caused by late-stage security reviews. 

EPM: Cloudsmith’s Approach to Policy Management

Maximum Flexibility: Policy-As-Code, Open Policy Agent, and Rego

Cloudsmith builds for developers, and EPM continues that focus by applying code's flexibility and automation to policy management. EPM takes a policy-as-code approach using an engine built on codification to make policies flexible, versioned, testable, and part of the everyday development workflow. It uses repeatable logic and brings security and compliance into the same toolchain engineers already use.

 - Teams write policies in Rego to define clear, actionable rules that operate on artifact metadata, repository structure, and scan data. We chose 

 because it is an established, open-source policy language widely used in infrastructure and platform security. Rego allows teams to write expressive, testable rules and reason over structured data, which aligns with how Cloudsmith models package metadata and security inputs.

 OPA is a general-purpose policy engine that evaluates rules written in Rego. Cloudsmith integrates OPA into its EPM engine to provide a programmable, scalable way to enforce policy across artifacts. Because OPA is already well established in platform tooling like Kubernetes and Terraform, teams can manage policies in a format they know and trust, without switching tools or inventing new processes.

- EPM also offers key features through the Cloudsmith UI. This supports essential policy management controls, letting users operate EPM without the need to dive into policy-as-code.

You can see an example of the Rego code used to implement the policy given in Vulnerability Policy Example above.

Cloudsmith’s policy engine lets you create and automate vulnerability policies to an exact specification. Policies evaluate packages as they arrive and apply structured logic to make decisions based on severity, exploitability, and metadata. We made package data available so you have the information to tailor and align your policies to the datasets that matter most.

The following capabilities form the foundation of Cloudsmith’s approach to automated vulnerability policies:

Vulnerability Management & Dependency Awareness

 - EPM scans artifacts continuously and examines both the dependencies developers choose directly and the ones that come bundled with them. This helps teams understand the full scope of their exposure, especially when vulnerabilities are introduced through nested packages or upstream registries.

 - CVSS scores represent how severe a vulnerability is, while EPSS scores estimate how likely it is to be exploited in the real world. Cloudsmith supports both scoring systems to help teams write policies that prioritize the vulnerabilities that pose the highest risk.
See 

Cloudsmith introduces EPSS Scoring in Enterprise Policy Management

 - Teams can preview how a policy will behave before activating it. This reduces the risk of unintended disruption and helps refine logic before activation. Once a policy is active, EPM logs each decision, making actions traceable and audit-ready.

EPM continues to evolve, and we’re expanding the scope of what policies can evaluate. This includes extending scanning to third-party sources like OpenSSF Scorecards. We’re enriching package metadata with contextual signals, giving policies a broader view to make more accurate decisions.

Legal teams and engineering organizations need to manage license risk at scale. Cloudsmith EPM allows teams to define precise rules about which licenses are permitted, restricted, or prohibited across repositories and environments. Policies can block packages with unknown, copyleft, or non-compliant licenses before they are introduced into critical environments. These rules operate on package metadata and are enforced automatically at sync, ensuring consistent application across teams and projects.

EPM license management includes the following key capabilities:

 - Packages with prohibited licenses are blocked by codifying license rules into policy logic. These policies evaluate license metadata before packages reach environments where risk cannot be tolerated, such as production environments or regulated systems.

 -Policies can reflect both internal legal requirements and external compliance frameworks. Teams can author policies that support organization-specific license strategies while aligning with broader standards such as SPDX or OpenChain.

Manage Internal Remediation SLAs with Time-Based Policies

Time-based policies help teams manage the lifecycle of packages based on changing risk, review cycles, or policy timing. These policies allow organizations to enforce rules that adapt over time, such as delaying access to a package until it has passed a minimum review period or increasing enforcement if a vulnerability remains unaddressed beyond a defined threshold.

EPM’s time-based policy management includes CVE lifecycle enforcement. A policy can allow packages with a known high severity CVE to remain in a non-production repository for a defined period. If no fix is applied during that window, the policy escalates enforcement by blocking promotion, triggering quarantine, or flagging the package for remediation. This gives teams time to assess and respond while maintaining clear accountability and control.

We’re extending policy capabilities to increase support for time-based controls. This includes defining policies that delay promotion, trigger re-evaluation, or expire package access after a specific time window. This will support workflows like phased rollouts, cooling-off periods, or automatic clean-up of outdated packages.

Cloudsmith EPM allows teams to define precise policies in line with their organization’s compliance requirements. These examples reflect common use cases in vulnerability management, license enforcement, and exploitability scoring.

Time and Score Balanced CVE Remediation Policies

Customers can use EPM to build policies that align with their organisation’s internal CVE remediation timelines or industry best practices. Policies could escalate enforcement based on how long a CVE has gone unpatched.

For example, quarantine any package that has a:

CVE with a CVSS score of 9 or more that was reported 7 or more days ago.

CVE with a CVSS score of more than 7 that was reported 30 or more days ago.

CVE with a CVSS score of more than 4 that was reported 60 or more days ago.

Customers can use EPM to control which software licenses are permitted in their environments. Many organizations prevent the use of copyleft licenses because these licenses can require proprietary source code to be made public. Copyleft licenses, such as the GNU General Public License (GPL), impose obligations that conflict with closed development. Teams often prefer permissive licenses such as MIT, Apache, or BSD to minimize legal risk.

Quarantine any package that carries a GNU General Public License (GPL).

Quarantine any GPL-licensed package found in production repositories, with the highest legal exposure.

Customers can strengthen their vulnerability management by using the 

Exploit Prediction Scoring System (EPSS) 

as an additional prioritization tool. EPSS provides a daily probability estimate for the likelihood of a CVE being exploited in the wild. This helps teams move beyond severity alone and focus remediation efforts on the vulnerabilities most likely to be targeted.

Quarantine any package containing a CVE with an EPSS score of 0.2 or more.

EPM: Policy Management for the Vigilant Enterprise

Software governance is an operational necessity. Cloudsmith EPM provides a programmable layer that helps teams codify their organization's vision for secure and compliant software and then enforces those standards automatically.

By aligning security, legal, and engineering teams around shared, automated rules, EPM removes friction and gives control, making governance part of the pipeline.

To discover how EPM can solve your policy management needs, 

In the race to ship software faster, many teams have turned to automation, decentralised tools, and powerful pipelines. But lurking under the surface of these streamlined processes is a growing and often invisible Identity and Access Management (IAM) threat vector, which is a core vulnerability in 

This post is Part 2 in our ongoing blog series exploring the OWASP Top 10 CI/CD Security Risks, based on insights from 

, which is a must-read for anyone serious about pipeline security. Today, we shine a light on 

OWASP CICD-SEC-2: Inadequate Identity and Access Management

Principle of Least Privileged Access in CI/CD

Modern software delivery pipelines span dozens (if not hundreds) of interconnected systems. From source control to build agents to artifact repositories and deployment targets, each component relies on a web of human and machine identities to function.

But managing all these identities (especially ensuring they follow the principle of least privilege) is no small feat. IAM often ends up inconsistent, outdated, or overly permissive, creating significant vulnerabilities across your CI/CD toolchain.

Through research and real-world incident response, several recurring IAM security issues emerge when it comes to identity and access management in CI/CD environments:

In most organisations, engineers are given broad access to systems like Git, CI tools, or artifact registries (oftentimes with far more access than they need). This makes compromise of a single identity disproportionately dangerous.

When a single identity, for example an AWS IAM role, holds excessive permissions, it becomes a high-value target. An attacker who compromises that AWS identity doesn't just gain access to one part of the cloud provider - they gain a foothold in many, and in some cases, nearly all other connected systems such as CI systems. This lateral movement potential amplifies the blast radius of what could have been a contained incident.

In many businesses, user accounts (especially those of former employees or outdated systems) are often overlooked once they're no longer actively used. These are referred to as 

. They pose a serious security risk if not regularly audited and removed.

When an employee leaves or a service account becomes obsolete, the account should be disabled or deleted promptly. However, due to oversight, lack of automation, or unclear off-boarding procedures, these accounts can linger in the system. Even if they're not in active use, they can still have valid credentials and potentially high levels of access to sensitive data or internal systems.

Cloudsmith Blog

Securing Containers at Scale: Docker Hardened Images + Cloudsmith

XRPL Supply Chain Attack and How to Block it Using Cloudsmith’s Enterprise Policy Management

OWASP CI/CD Part 3: Dependency Chain Abuse

Enterprise Policy Management Example: Quarantine Packages Using Policy as Code

Enterprise Policy Management with Cloudsmith

OWASP CI/CD Part 2: Inadequate IAM

OWASP CI/CD Part 1: Insufficient Flow Control

Scaling up to 1 Million Requests per Minute: How Cloudsmith Delivers Extreme Performance

Full Support for Arbitrary Files in Maven Repositories with Cloudsmith

Reproducible Builds, Fedora 43, and What It Means for the Software Supply Chain

Kubernetes 1.33 – What you need to know

KubeCon London 2025 Recap: Cloud-Native Insights on Security, Wasm, and More