Secure, private Cargo registry hosting for Rust teams

Cloudsmith gives your Rust teams a fully managed, private Cargo registry with enterprise-grade security, global distribution, and the policy controls to govern exactly what crates reach your builds.

Universal format support

One registry. Every format your teams need. Cloudsmith centralises Cargo crates alongside every other artifact your software depends on.

  • Use Cargo + 30 other software package formats
  • Store compiled Rust binaries and raw assets alongside your crates
  • Centralize dependency management across Rust, containers, and more in one platform

How we support Cargo

Cloudsmith gives Rust teams a production-ready, fully managed Cargo registry that works with familiar tooling out of the box. No infrastructure to maintain, no limitations on scale.
    Native Cargo registry support
    Publish and install crates using standard cargo publish and cargo install commands. Cloudsmith is fully compatible with both sparse and Git-based registry protocols, including the high-performance sparse registry introduced in Cargo 1.68.
    Vulnerability scanning for Rust crates
    Cloudsmith scans your Cargo crates for known CVEs and malicious packages, automatically flagging issues before they reach your builds. Set policies to block, quarantine, or alert based on severity.
    Governance policies and crate control
    Create and enforce policies that govern which crates are permitted in your repositories. Block specific versions, require specific metadata fields, or quarantine crates that do not meet your criteria before any team member installs them.
    Global delivery via 600+ edge PoPs
    Cloudsmith's CDN-backed infrastructure delivers your crates from the closest available edge node. Teams distributed across regions get fast, consistent pull speeds without any additional configuration.
    Entitlement token and OIDC authentication
    Secure your private Cargo registry with entitlement tokens, API key authentication, or OIDC for CI/CD pipelines. Fine-grained access controls let you set per-team and per-repository permissions without sharing credentials.

Why teams choose Cloudsmith for Cargo

Self-hosted registries and Git-based workarounds create operational drag. Cloudsmith removes the infrastructure burden and gives your Rust teams a registry that scales with them.
Without Cloudsmith: Teams fall back to Git repositories for private crates, losing proper versioning and dependency resolution. Dependency trees become fragile and hard to audit.
With Cloudsmith: Cloudsmith gives you a standards-compliant Cargo registry with full semantic versioning, sparse protocol support, and fast dependency resolution that works exactly like crates.io for private code.
Without Cloudsmith: Self-hosted registry infrastructure demands ongoing maintenance, patching, and scaling work from platform teams who have higher-priority things to work on.
With Cloudsmith: Cloudsmith is fully managed. There is nothing to install, patch, or scale. Your team configures a registry endpoint and ships crates - everything else is handled for you.
Without Cloudsmith: There is no visibility into which crate versions teams are pulling, no controls to block vulnerable or unapproved packages, and no audit trail when something goes wrong.
With Cloudsmith: Every crate download and upload is logged. Vulnerability scanning flags CVEs automatically. Governance policies let you define exactly which crates and versions are allowed before they reach any build.

Signs you're ready to switch to Cloudsmith for Cargo

If your Rust teams are working around the limitations of Git-based registries, self-hosted tooling, or fragmented artifact stores, Cloudsmith is the upgrade your supply chain needs.
    Git repos standing in for a real registry
    Using Git repositories as a Cargo registry workaround means you lose semantic versioning, structured dependency resolution, and the tooling compatibility teams expect. Cloudsmith gives you a proper registry from day one.
    Self-hosted infrastructure nobody wants to own
    Standing up and maintaining a self-hosted Cargo registry requires storage backends, Git index management, and ongoing patching. Cloudsmith removes all of that so your platform team can focus on higher-value work.
    No controls on what crates reach your builds
    Without governance policies, any crate version can reach any build. Cloudsmith lets you define which crates are permitted, block specific versions, and quarantine packages that fail security or quality checks.
    Crates isolated from the rest of your artifact pipeline
    Managing Cargo crates in one tool, Docker images in another, and binaries in a third creates unnecessary complexity. Cloudsmith gives you a single platform for all 30+ formats your pipeline depends on.
    Slow dependency resolution hurting CI/CD speed
    Git-based Cargo registries clone the entire index on every resolution, adding minutes to build times. Cloudsmith supports the sparse registry protocol, which only fetches the metadata your build actually needs.

Frequently asked questions

  1. Yes. Cloudsmith supports both the sparse registry protocol (recommended for Cargo 1.68 and above) and the older Git-based index protocol. The sparse protocol significantly reduces bandwidth usage and speeds up dependency resolution compared to cloning a full Git index.

  2. Cloudsmith supports entitlement token authentication and HTTP basic authentication for Cargo. You configure credentials in your .cargo/config.toml file. For CI/CD pipelines, OIDC-based authentication is available so you can avoid storing long-lived secrets.

  3. Yes. Cloudsmith performs vulnerability scanning on Rust crates, checking against known CVE databases. You can configure policies to automatically quarantine or block crates that exceed a defined severity threshold before they reach any developer or CI build.

  4. Yes. Cloudsmith's policy engine lets you define governance rules for your Cargo repositories. You can block specific crate versions, require metadata fields to be present, or quarantine packages that do not meet your criteria - all before any team member installs them.

  5. Yes. You can configure Cloudsmith to proxy and cache crates from crates.io, giving your teams faster access to public crates while applying your own security and governance policies to everything that flows through. This also reduces your exposure to upstream outages.

  6. Self-hosted registries require you to manage the Git index, storage backends, authentication, and ongoing patching. Cloudsmith is fully managed - you configure an endpoint and start pushing crates. There is no infrastructure to maintain and no scaling decisions to make.

  7. Yes. Cloudsmith repositories support 30+ formats. You can store Cargo crates alongside Docker images, raw binaries, and packages from other language ecosystems in a single platform, giving your team one place to manage the entire software supply chain.

  8. Cloudsmith delivers artifacts from 600+ edge PoPs worldwide. When a developer or CI runner pulls a crate, the request is served from the nearest available edge node. No additional configuration is required to get low-latency downloads across distributed teams.

  9. Yes. Every upload and download is captured in Cloudsmith's client and audit logs. You can see exactly which crate versions were pulled, by which users or CI tokens, and when. Logs can be exported to third-party observability tools for further analysis.

  10. You can push existing .crate files to Cloudsmith using the Cloudsmith CLI or via the native cargo publish command pointed at your Cloudsmith registry. Setup instructions with pre-configured snippets for your organisation and repository are available directly in the Cloudsmith UI.
