Using Trivy Inside Cloudsmith

Why we chose it, how we built on it, and where we’re going next

Ensuring the integrity of open source software is a growing priority for organizations of every size. But doing it in a way that doesn’t slow down developers is hard.

We believe the right long-term answer is a curated repository of known-good open source software that is continuously verified, with your organization’s security and compliance policies applied, and deeply integrated into your core workflows.

Cloudsmith is the right place to do this. We’re not just hosting packages; we’re providing the control plane and data plane for the software supply chain. And that starts with how we handle vulnerability data and threat intelligence.


TL;DR

  • Trivy as the base: We chose Trivy as the base for vulnerability scanning at Cloudsmith because it’s open source, fast, and widely trusted.
  • Cloudsmith advantage: We integrated Trivy into our cloud-native platform, giving our customers access to always-on scans, policy as code enforcement, and enterprise guard-rails at global scale.
  • What’s next: We’re expanding beyond Trivy, ingesting multiple data sources and ultimately adding pluggable security integrations.
  • The goal: A curated, secure, resilient software supply chain that keeps developers productive and organizations safe.

Trivy as the foundation

We chose Trivy early on, as we were building Cloudsmith. It’s open source, well-supported, and widely trusted. It supports scanning of containers, OS packages, language dependencies, SBOMs and secrets. It’s also well-maintained, and with over 27,000 GitHub stars, millions of downloads, and millions of users, the global developer community clearly values the capability that Trivy provides.

It’s no surprise that Trivy is the default scanner in many other platforms. But integrating it into a cloud-native platform like Cloudsmith, where artifacts are constantly being pushed, pulled and promoted across repositories, meant solving for cloud scale, automation, and extensibility.

How we built on Trivy

Trivy helped us get high-quality results fast. Here’s how we super-charged it for our customers.

  • Always-on scanning: Every artifact pushed to or cached through Cloudsmith is scanned automatically, without any manual configuration or setup required. This means security is built into the pipeline from the very first interaction. The scans run in the background, ensuring zero friction for developers while giving teams continuous visibility into security risks.
  • Auto-generated SBOMs: Every Docker/OCI image published to Cloudsmith is automatically accompanied by an SBOM in the CycloneDX format. CycloneDX is widely supported across security tools and ecosystems, making it easy to integrate SBOMs into your broader supply chain risk management processes. By leveraging Trivy’s SBOM capabilities, we ensure that every image has a clear and standardized inventory.
  • Multi-format support: Because Cloudsmith is a universal artifact management platform, we can centralize vulnerability data for our customers across all of their formats and surface that information to them across their workspace.
  • Global scale: Cloudsmith is designed to work at global scale, so when we integrated Trivy as our scanner, we knew it needed to keep up too. Cloudsmith is proven to handle > 1 million requests per minute and we execute millions of vulnerability scans as customers add to their repositories.
  • Policy management: Quarantine or notify when users are accessing insecure packages, using Cloudsmith’s OPA-based Enterprise Policy Management (EPM).
  • Enterprise-ready infrastructure: SAML, SCIM, OIDC, logging, and ISO 27001 compliance ensure a secure, auditable foundation.

From scans to continuous security

With Trivy running reliably across our platform, we started rethinking how to keep vulnerability data fresh and actionable.

We ingest CVE data continuously, from Trivy and also from additional sources like EPSS (Exploit Prediction Scoring System). And we apply that data to artifacts already in your repositories, so there’s no need to trigger rescans.

We call this Continuous Security, and it’s available today through EPM.

It gives you:

  • Instant re-evaluation: New advisory published? We re-check your existing packages against fresh data.
  • Policy-driven automation: Define rules using CVSS, EPSS, license metadata or any other detail about your package, and act on them automatically.
  • Auditability: Every match, every decision, and every policy action is logged.
  • An extensible architecture: so that we can add further data sources such as OSV.dev and package health signals.

This turns scanning into a real-time feedback loop, so you can catch new risks as soon as they emerge.
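As an added illustration (not Cloudsmith’s EPM or Trivy code), here is the Continuous Security loop in miniature: a stored CycloneDX-style component list is evaluated against an advisory feed using CVSS, EPSS and license rules expressed as data, every match is kept as an audit trail, and a newly published advisory changes the decision for an already-stored artifact without rescanning it. All package names, advisory ids, scores and the rule shape are constructed for the example.

```python
import json

# Constructed CycloneDX-style SBOM, shaped like the component list Trivy emits for an image.
SBOM_JSON = json.dumps({"components": [
    {"purl": "pkg:deb/example/libfoo@1.2.3", "licenses": [{"license": {"id": "MIT"}}]},
    {"purl": "pkg:pypi/barlib@0.9.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"purl": "pkg:npm/bazutil@4.0.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
]})

# Constructed advisory feed: placeholder ids; CVSS/EPSS values are invented for the example.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "purl": "pkg:deb/example/libfoo@1.2.3", "cvss": 7.5, "epss": 0.02},
]

# Policy as data: thresholds on CVSS/EPSS plus a license deny list (hypothetical rule shape).
POLICY = {
    "quarantine": {"cvss_min": 9.0, "epss_min": 0.5, "deny_licenses": {"GPL-3.0-only"}},
    "notify": {"cvss_min": 7.0, "epss_min": 0.1},
}
RANK = {"allow": 0, "notify": 1, "quarantine": 2}  # a stronger action is never downgraded


def classify_advisory(adv, policy):
    """Map one advisory's CVSS/EPSS scores to the policy action it triggers."""
    q, n = policy["quarantine"], policy["notify"]
    if adv["cvss"] >= q["cvss_min"] or adv["epss"] >= q["epss_min"]:
        return "quarantine"
    if adv["cvss"] >= n["cvss_min"] or adv["epss"] >= n["epss_min"]:
        return "notify"
    return "allow"


def evaluate(sbom_json, advisories, policy):
    """Return {purl: (action, audit_trail)} for every component in the stored SBOM.

    Re-running this with a fresh advisory list re-evaluates the artifact from its
    stored SBOM; the image itself is never pulled or rescanned.
    """
    decisions = {}
    for comp in json.loads(sbom_json)["components"]:
        purl, action, trail = comp["purl"], "allow", []
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in policy["quarantine"]["deny_licenses"]:
                action, trail = "quarantine", trail + [f"license {lic_id} is denied"]
        for adv in [a for a in advisories if a["purl"] == purl]:
            verdict = classify_advisory(adv, policy)
            trail.append(f'{adv["id"]} cvss={adv["cvss"]} epss={adv["epss"]} -> {verdict}')
            if RANK[verdict] > RANK[action]:
                action = verdict
        decisions[purl] = (action, trail)  # every match and decision kept for audit
    return decisions
```

Publishing a new advisory is just `evaluate(SBOM_JSON, ADVISORIES + [new_advisory], POLICY)` over the SBOMs already on file, which is the re-evaluation step described above.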

What we’re building next

The presence of CVEs isn’t the only signal about the quality of software packages. Our goal is to help you make better decisions about all the software in your supply chain based on trust, context, and quality, in addition to known vulnerabilities.

Here’s what’s coming next:

  • New data sources and broader reach: New feeds (OSV, GitHub advisories, OpenSSF Scorecards) deepen our vulnerability data and unlock additional package formats.
  • Package quality policies: Build policies based on how well-maintained a package is, whether it has good documentation, how widely it’s been adopted, and other indicators of package health.
  • Expanded SBOM support: SBOM generation for additional formats, so you can build custom policies from your SBOM metadata.

Trivy kickstarted it. Cloudsmith takes it further.

Push an artifact. Let Cloudsmith scan it, sign it, apply policies, and let you know when new threats emerge. Security shouldn’t slow you down. With Cloudsmith, it doesn’t.

Ready to try? Push an image or package and watch your policies kick in, so you can sleep easier tomorrow when the next CVE lands.
