Malicious package detection
Cloudsmith now detects malicious packages using data from OSV.dev and the OpenSSF Malicious Packages project so you can see, stop, and govern open source packages designed to attack your supply chain before they reach your builds or customers…
Detect and prioritize new vulnerabilities faster with Continuous Security
Identify and prioritize new vulnerabilities in your existing artifacts with Cloudsmith’s Continuous Security. Continuous Security runs hourly checks against trusted vulnerability data sources, enabling faster detection and response to newly disclosed threats without the need for manual re-scans…
Enforce license compliance with Enterprise Policy Management
You can now use package license data in Enterprise Policy Management (EPM) to create policies based on a package’s software license. This lets you automatically govern license usage in line with your organization’s policies, giving you direct control over which packages are approved for use in your software supply chain…
Broadcasts now support open-source projects
You can now use Broadcasts to distribute your open-source packages, with separate allowances and usage designed to support maintainers and communities building in the open…
Streamlined access to Client Logs via our web app
We've introduced Client Logs into the new web app user interface, delivering a significantly improved experience for gaining visibility into package usage across your Cloudsmith workspace. Previously available in our legacy UI, Client Logs is now more performant, accessible, and interactive. This allows you to visualize, filter, and export information to better understand how your packages are consumed, whether by CI/CD pipelines, IDEs, or external consumers…
Improved security with EPSS in Enterprise Policy Management
Cloudsmith’s Enterprise Policy Management (EPM) now supports the Exploit Prediction Scoring System (EPSS), a data-driven metric designed to estimate the probability of a software vulnerability being exploited in the wild…
Introducing native Swift signing
Cloudsmith has extended its Swift support to include native signing of Swift packages. This update brings seamless, secure, and high-performance signing capabilities directly to iOS developers, eliminating the need for third-party workarounds or custom implementations…
Cloudsmith now automatically generates Cosign signatures for container images, simplifying image verification
Cloudsmith will now automatically generate a Cosign signature when you upload a container image, eliminating the need for manual key management. This simplifies image signing, making it easier to implement image verification in your workflows…
Introducing API Key Policy
If your organization has a policy to rotate API keys, Cloudsmith can now help you enforce this using our API Key Policy, a new policy type for Ultra customers.
Using this policy you can:
Specify a maximum age for API keys throughout all accounts in your workspace.
Enforce optional automatic API key refresh, which will automatically refresh any A…
Build on Chainguard Registry Images in Cloudsmith
We are happy to announce that Cloudsmith now supports the Chainguard Registry as an upstream source for container images. 🎉
Chainguard, a Docker Verified Publisher, offers Chainguard Images, which are minimal, hardened container images with impressive features:
(Mostly) zero CVEs 💜
Includes SBOMs and signatures ✏️
Many images are distroless,…