Security is a leading priority for 2025

The Cloudsmith 2025 Artifact Management Report offers timely insights into how engineering and DevOps teams are evolving their approach to software artifact management and software supply chain security. With supply chain attacks on the rise and Generative AI reshaping development practices, teams are reevaluating how they manage, secure, and scale their artifact repository infrastructure.

56% of respondents cited security as the leading benefit of adopting an artifact management product

Security Leads All Priorities in Artifact Management

Security stands out as the top priority among artifact management users. In our survey of 307 professionals, over half (171 respondents) identified security benefits, such as centralised vulnerability scanning, access control, and protection against software supply chain threats, as the most valuable aspect of their current solution.

The rapid shift to cloud-native development has introduced greater speed and flexibility but also new layers of complexity and risk. Teams are navigating increased regulatory scrutiny while working to deliver software faster than ever.

Adoption Trends Across Team Sizes

Artifact management has become a foundational tool across organisations of every size. The survey data shows widespread usage, with larger organisations facing more intricate security challenges around access, availability, and governance.

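How many software developers are in your organization

| Number of Developers | Total Responses | Percentage |
|----------------------|-----------------|------------|
| 1-3                  | 13              | 4%         |
| 4-9                  | 37              | 12%        |
| 10-14                | 50              | 16%        |
| 15-24                | 41              | 13%        |
| 25-49                | 40              | 13%        |
| 50-99                | 44              | 14%        |
| 100-249              | 26              | 8%         |
| 250+                 | 61              | 20%        |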

Nearly 40% of respondents work in organisations with 50 or more developers, highlighting the operational scale at which artifact solutions must now perform.

A Broad View of Roles and Responsibilities

The impact of artifact management tools spans multiple disciplines. Respondents represented a wide variety of roles, showcasing the cross-functional importance of artifact repositories and software delivery tools, from platform engineering through to specialised SecOps roles.

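What title best describes your job roles and responsibilities

| Job Titles            | Percentage |
|-----------------------|------------|
| Development           | 26%        |
| Management            | 23%        |
| DevOps/Infrastructure | 20%        |
| Leadership            | 11%        |
| Other                 | 9%         |
| Architecture          | 4%         |
| Security              | 3%         |
| Release               | 3%         |
| Automation            | 2%         |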

This diverse representation helped surface pain points and priorities that extend beyond traditional DevOps boundaries.

What Organisations Value Most in 2025

When asked about the most important factors in selecting an artifact management platform, respondents signalled a need for comprehensive, integrated solutions:

What factors are most important when choosing an artifact management platform

| Feedback                          | Percentage |
|-----------------------------------|------------|
| Security features                 | 61%        |
| Cost effectiveness                | 60%        |
| Developer productivity            | 55%        |
| Integration with DevOps pipelines | 55%        |
| Compliance/regulatory support     | 48%        |
| Scalability                       | 42%        |
| Vendor reputation                 | 18%        |

While security remains the most important factor, responses also reflect a demand for efficient, reliable platforms that reduce friction in daily workflows.

Key Trends Shaping Artifact Management in 2025

When asked about the biggest challenges, trends, and opportunities for 2025, survey participants emphasised several core themes:

Security and Cyber Threats

There’s a clear shift from reactive vulnerability scanning to proactive assurance of software integrity. Platform teams are adopting SBOMs less as transparency tools and more as a critical capability for threat detection, incident response, and forensics. Because these teams now face more frequent and sophisticated dependency attacks (such as dependency confusion and slopsquatting), the priority is artifact signing, verification, and provenance tracking to ensure each binary or package is authentic and untampered, in an era defined by AI-generated code samples that we cannot blindly trust. Investing in real-time monitoring of artifact repositories to detect insecure packages is more urgent than ever.

AI and Automation

While AI accelerates productivity, it introduces new layers of risk in artifact management. AI-generated code artifacts can bypass traditional vetting processes, increasing the attack surface through insecure or non-compliant code. Automated CI/CD pipelines must now include flexible policy controls (such as Cloudsmith’s implementation of OPA Rego) to address anomalous behaviour specific to your pipeline. AI tools that write and modify infrastructure code must be governed by strict security validation layers to avoid introducing vulnerabilities at scale. Similarly, the AI models themselves, often managed as artifacts, require protection against model poisoning, leakage, and unauthorised access.

Scaling Infrastructure

Scaling isn't simply about performance; it also magnifies the overall attack surface and risk vectors. Distributed artifact storage across hybrid or multi-cloud environments increases the need for unified access controls and encryption. High-throughput systems must therefore handle secure artifact replication and caching, avoiding stale or compromised versions. Many survey respondents expressed concern that outages and downtime, caused by an inability to scale infrastructure in self-managed systems, are causing teams to fall short of their security and compliance controls.

Compliance and Regulation

Compliance is evolving into a continuous, security-aligned process rather than a periodic checkbox. Secure artifact management is now essential for compliance with SBOM mandates like the U.S. Executive Order 14028 and the EU Cybersecurity Resiliency Act. Auditable trails for who built, modified, or accessed an artifact are mandatory in regulated industries such as finance, healthcare, and defense. As regulators demand provenance and traceability, artifact managers are integrating attestation frameworks like SLSA (Supply-chain Levels for Software Artifacts). Fines for non-compliance, such as open-source license misuse or PII exposure in containers, are pushing security teams to automate policy enforcement in artifact workflows.

Open Source and Third-Party Risk

Open source remains a double-edged sword: essential but risky without additional controls. Repositories are implementing real-time CVE impact analysis, license verification, and even "trust scores" for third-party packages. Teams are adopting curated artifact registries, where only vetted open-source components are allowed into builds. Tools are increasingly focused on dependency graph analysis, not just to find vulnerabilities, but to understand transitive risk across teams and products. Ultimately, greater visibility is needed across multi-team, multi-region development, requiring standardized governance models for how artifacts are consumed and updated securely.

Firsthand feedback on the common challenges faced by teams

Users shared direct feedback on where their current solutions are falling short. Recurring issues included:

  1. Downtime and reliability concerns:
    “Too much downtime during operations.”
    “Single point of failure, poor reliability/performance.”
  2. Performance bottlenecks:
    “Slow performance, especially with large repositories.”
    “Outdated Docker images causing slow CI/CD times.”
  3. Security risks:
    “Vendor solution was compromised, causing operational loss.”
    “Concerns over security risks during deployment.”
  4. Complexity and usability gaps:
    “Complex UI makes it difficult for new users.”
    “Learning curve and permission management in large teams.”
  5. Integration frustrations:
    “Difficult to integrate with our existing CI/CD tools.”
    “Integration failures disrupt workflow and force manual intervention.”
  6. Cost and vendor challenges:
    “Price increases and vendor locking are hard to justify.”
    “Migration complexity slows progress in fast-moving teams.”

These responses reinforce the growing expectation for artifact management platforms that deliver performance, security, and simplicity, without compromise.

Unified Solutions for Modern Software Delivery

As teams prepare for the next wave of software delivery challenges, artifact management is becoming a critical point of leverage. Security leads the way, but success also depends on how well platforms can support scale, productivity, compliance, and evolving developer needs.

The findings from this year’s report seem to point to a common trend: development teams need unified solutions that are secure, scalable, and built for the real-world demands of modern software delivery. If you haven’t already downloaded the report, or you’d prefer to watch the webinar recording, both links are provided below.

Download - 2025 Cloudsmith Artifact Management Report
Webinar - From AI to Scalability: 2025 Trends in Artifact Management