You can now download auto-generated Software Bills of Materials (SBOMs) for your Docker and OCI images directly from the Cloudsmith web app. This allows you to instantly export supply chain data for use in analysis tools or alongside release documentation.

Previously, SBOMs generated by Cloudsmith were only accessible via the 

. Instead of scripting an API call to retrieve the manifest for a specific image, you can now grab the 

 file with a single click, making SBOMs accessible to a broader range of users.

Click the Actions menu → "Download SBOM"

Downloads are provided in CycloneDX format.

This feature applies only to SBOMs automatically generated by Cloudsmith during the container image synchronization process.

Cloudsmith automatically generates SBOMs for Docker V2 and OCI V1 images.

​​This feature is live and available immediately for all Docker images. If you have any questions or feedback, please 

Download SBOMs directly from the web app

 is “honesty and transparency.” To ensure we’re living up to that value, we’ve given the 

 an overhaul. When Cloudsmith services experience an incident, we want you to know exactly how it impacts your builds, your deployments, and your teams.

This update provides a more granular and organized view of system health from our customers’ perspective, aligning our status reporting directly with the specific workflows you run every day.

To provide a more accurate view of operations and make the impact of incidents easier to understand at a glance, we have made the following structural changes:

: We have updated component names to better reflect the actions occurring within the platform:

Package Upload Processing → Package Uploads

Package Distribution → Package Downloads

Client Logs / Audit Logs export → Audit & Client Log Exports

: We have added new service areas for Security Scanning, Continuous Security, Upstreams, Broadcasts, and Integrations.

: These are now separated into the Cloudsmith Web App (app.cloudsmith.com), Legacy Web App (cloudsmith.io), Broadcasts, Blog, and Help & Documentation.

 These are now grouped together for clarity, including Webhooks, Audit & Client Log Exports, Datadog, and OpenID Connect.

: Each component now features a hover description to explain its function.

Slack & RSS: Subscribers will continue receiving all notifications exactly as before.

Email: Subscriptions will work with the updated component names. However, because we have added new components, 

 to subscribe to these new areas (like Security Scanning) to ensure you receive alerts for them.

We’d love to hear your questions or comments about these changes - just 

Get a more granular view of incident impact with Cloudsmith’s reorganized Status Page

 to support native Azure DevOps OIDC authentication. You can now authenticate pipelines using the Azure DevOps built-in issuer, completely removing the dependency on Microsoft Entra (Azure AD) App Registrations.

OpenID Connect (OIDC) is the gold standard for pipeline security, utilizing short-lived tokens and granular claims. Previously, adopting OIDC in Azure DevOps was complex, requiring the creation of a Microsoft Entra App and the management of static secrets like client and tenant IDs. This dependency often blocked DevOps teams, forcing them to wait on elevated IT or security permissions just to configure a build pipeline.

This update removes that friction entirely. By leveraging the native Azure DevOps issuer, teams can now achieve a "zero-config" setup that bypasses Entra App Registrations. This restores autonomy to DevOps engineers, allowing them to self-serve secure authentication configurations directly within the pipeline while maintaining strict security standards.

To adopt the new flow, create an OIDC provider in Cloudsmith with the Provider URL 

Native OIDC authentication for Azure DevOps

 to capture error events, giving platform engineering teams the critical information needed to troubleshoot build issues on behalf of their teams.

 only displayed successful activity, so it could be challenging to manually piece together context when errors occurred. With this update, Cloudsmith provides more comprehensive observability into your software supply chain. By surfacing requests that result in an error alongside successful ones, your team gains a centralized view of system health, making it easier to spot trends and resolve issues quickly.

: In addition to the status code, logs capture key request details including method, path, timestamp, user agent, IP address, and location.

This feature is available now in the Cloudsmith web app for customers using 

. Error logs will also soon be available in your Cloudsmith client log exports; please 

Troubleshoot failed download requests with client error logs

, Cloudsmith will no longer store historical scan results from Trivy scans; only the latest scan results from Trivy scans for each package will be available.

This change affects historical data that is 

. Historical scan results are not displayed in the Cloudsmith web app. Usage analysis indicates that no customers currently access this historical data. If you interact with our vulnerability endpoints today, you are likely already focusing on the latest scan results, which will remain fully accessible.

We are removing this unused data to improve platform performance and prepare for upcoming security features.

 Historical scan data accounts for a large portion of our database size. By removing this unused historical data, we will improve response times for package search endpoints.

 This cleanup supports our transition to 

 in 2026. Continuous Security will replace Trivy scans with an hourly feed that automatically matches new threats to your artifacts, providing faster and more accurate security insights.

The vulnerability API endpoints listed below will remain active and still return a list. The only change in behavior is that the data returned will be the 

 scan result for a package, rather than historical scans.

https://docs.cloudsmith.com/api/vulnerabilities/namespace/list

https://docs.cloudsmith.com/api/vulnerabilities/package/list

https://docs.cloudsmith.com/api/vulnerabilities/read

https://docs.cloudsmith.com/api/vulnerabilities/repo/list

For more information on the upcoming Continuous Security features, please read our 

. If you have any questions or concerns about this upcoming change, please 

Deprecating historical scan results retention

 is now available in Early Access, providing a secure solution for distributing proprietary software, such as internal SDKs, libraries, and premium commercial content. Backed by our global software distribution infrastructure and integrated directly into Cloudsmith, Private Broadcasts provides a custom, branded 

 distribution portal. This ensures customers and partners can easily access your packages, with authentication managed exclusively through entitlement tokens.

 Safely share internal tools with your team or deliver premium artifacts to paying customers, with access managed via Cloudsmith entitlement tokens.

 Use Access Links to provide a one-click method for users to authenticate, removing the need to manually enter secret keys.

 (Ultra & Enterprise) Customize your distribution portal with a custom URL, company logo, and colors for a cohesive user experience.

 Users can download packages via the web or standard native tooling, ensuring they can consume software in familiar ways.

If you would like to try this feature, please 

Introducing Private Broadcasts for secure software distribution

 command to the Cloudsmith CLI, enabling users to programmatically retrieve packages from repositories. This command provides advanced filtering, bulk operations, and pre-execution validation features.

This update resolves the prior friction created by the lack of a native download utility, eliminating the need for manual web UI downloads or complex 

 command is designed for flexible and automated artifact fetching:

 Automatically finds the latest version of a package by name across all repository versions.

 Supports filtering based on metadata such as 

 flag to download all associated package assets (e.g., sources, javadoc, SBOMs).

 Define a custom output directory for downloads using the 

 option, particularly useful for bulk operations.

 capability to see exactly which files would be downloaded without initiating the transfer.

Below are practical examples illustrating the command's flexibility:

 for Cloudsmith. This is NOT a package manager pull command. Unlike tools such as docker pull, npm install, or pip install, this command 

Install packages into your local environment

Manage dependencies or perform package resolution

Set up package registries or configure local tooling

Its function is to transfer the package files (binaries, archives, etc.) to your local filesystem for manual use, inspection, or further processing.

If you have feedback or questions about the Cloudsmith CLI, please 

Download command added to the Cloudsmith CLI

We've significantly enhanced the Cloudsmith Terraform Provider with new 

New data sources have been added to allow customers to retrieve information about their organization's configuration (like a 

 request), enabling the creation of more complex Terraform code based on specific outputs:

 resource now supports several new upstream formats:

For more information, including examples and documentation on all resources, please visit:

https://registry.terraform.io/providers/cloudsmith-io/cloudsmith/latest/docs

New data sources and expanded upstream support added to the Cloudsmith Terraform Provider

Cloudsmith now provides official upstream proxying and caching support for 

 in your npm repositories. This integration enables customers to use Cloudsmith as the primary, secure distribution platform for Chainguard’s malware-resistant, built-from-source JavaScript dependencies.

 Use Cloudsmith as the single source of truth for all npm dependencies, including Chainguard Libraries, ensuring reliability and high availability.

 Gain detailed information and consumption metrics on all package requests and versions in use (including from Chainguard Libraries) through Cloudsmith.

 Leverage Cloudsmith policies to govern what packages flow to users/pipelines, and utilize Cloudsmith’s built-in 

 Chainguard's dependencies are built using their hardened 

, providing verifiable software provenance.

The Chainguard Libraries for Javascript repository only includes libraries built by Chainguard from source. For full coverage, we recommend a dual-upstream configuration to allow for a fallback to the public registry.

Chainguard Libraries for Javascript Upstream (Priority 1)

 Add the Username and Password value from your Chainguard Libraries access settings.

Public npm Registry Upstream (Priority 2 - Fallback)

 for packages not available in Chainguard, ensuring the most secure and reliable consumption workflow possible.

Upstream Support for Chainguard Libraries for Javascript (npm)

 flag to the Cloudsmith CLI, which simplifies your automation scripts by eliminating the need for pagination logic. Previously, fetching large datasets required looping to iterate through 

. Now, the CLI automatically handles the underlying pagination, fetching every requested item and returning the full list instantly. This lets you simplify your scripts and maintain less code.

 flag to the following commands that support pagination:

Cloudsmith Changelog