 is “honesty and transparency.” To ensure we’re living up to that value, we’ve given the 

 an overhaul. When Cloudsmith services experience an incident, we want you to know exactly how it impacts your builds, your deployments, and your teams.

This update provides a more granular and organized view of system health from our customers’ perspective, aligning our status reporting directly with the specific workflows you run every day.

To provide a more accurate view of operations and make the impact of incidents easier to understand at a glance, we have made the following structural changes:

: We have updated component names to better reflect the actions occurring within the platform:

Package Upload Processing → Package Uploads

Package Distribution → Package Downloads

Client Logs / Audit Logs export → Audit & Client Log Exports

: We have added new service areas for Security Scanning, Continuous Security, Upstreams, Broadcasts, and Integrations.

: These are now separated into the Cloudsmith Web App (app.cloudsmith.com), Legacy Web App (cloudsmith.io), Broadcasts, Blog, and Help & Documentation.

 These are now grouped together for clarity, including Webhooks, Audit & Client Log Exports, Datadog, and OpenID Connect.

: Each component now features a hover description to explain its function.

Slack & RSS: Subscribers will continue receiving all notifications exactly as before.

Email: Subscriptions will work with the updated component names. However, because we have added new components, 

 to subscribe to these new areas (like Security Scanning) to ensure you receive alerts for them.

We’d love to hear your questions or comments about these changes - just 

Get a more granular view of incident impact with Cloudsmith’s reorganized Status Page

 to support native Azure DevOps OIDC authentication. You can now authenticate pipelines using the Azure DevOps built-in issuer, completely removing the dependency on Microsoft Entra (Azure AD) App Registrations.

OpenID Connect (OIDC) is the gold standard for pipeline security, utilizing short-lived tokens and granular claims. Previously, adopting OIDC in Azure DevOps was complex, requiring the creation of a Microsoft Entra App and the management of static secrets like client and tenant IDs. This dependency often blocked DevOps teams, forcing them to wait on elevated IT or security permissions just to configure a build pipeline.

This update removes that friction entirely. By leveraging the native Azure DevOps issuer, teams can now achieve a "zero-config" setup that bypasses Entra App Registrations. This restores autonomy to DevOps engineers, allowing them to self-serve secure authentication configurations directly within the pipeline while maintaining strict security standards.

To adopt the new flow, create an OIDC provider in Cloudsmith with the Provider URL 

Native OIDC authentication for Azure DevOps

We've improved how package statuses are displayed and managed across the Cloudsmith web app to help you 

quickly understand if a package or container is available, safe, and compliant.

We have removed the status flag that indicated a package matched a policy, as this information describes an automation outcome and not a fixed status.

We have consolidated all initial processing and scanning statuses that occur before package availability under a single 

Vulnerability and quarantine statuses have been removed from the Tags column; this information is now communicated directly through the main package status indicator.

We’ve added additional status details in the tooltip when a package has an error or is quarantined.

We've updated the color scheme and icons for consistency and clarity:

: Indicates the package is available but there are 

 and is unavailable. (Red will also be used to indicate malware in future updates.)

These updates apply uniformly across the platform, including package lists in workspaces and repositories, compliance pages, and individual package detail pages.

Improvements to package status indicator in the web app

 field to packages in Cloudsmith, extending 

This feature allows you to create retention rules that automatically clean up packages in your repository based on usage, rather than just age or count, ensuring you retain only actively used packages.

 field is available for use in package queries when setting up or modifying retention rules via the Cloudsmith UI, API and Terraform provider. This field is also exposed in the API and UI, and can be used for general package search filtering.

If you want to set up a retention rule that automatically deletes packages older than a year, you can include the following package filter in your retention rule:

This functionality is not currently available for Docker images, but Docker support is planned for an upcoming release. Additionally, if a package is only proxied through Cloudsmith and never downloaded from the cache afterward, its total downloads will be 0, and the 

Automate repository cleanup based on last download date

You can now better assess a vulnerability's impact by exploring its key details directly within the vulnerabilities table for a package or container. We've introduced an expanded row layout that shows all available information for a specific finding, helping you make more informed decisions about your response.

Additionally, we’ve added CVSS scores from more than one CVE numbering authority (CNA), allowing you to view data from multiple sources - including NVD, the vendor, or another CNA.

Explore vulnerability details to better assess impact

We’ve recently released a set of improvements across the Cloudsmith 

 focused on logs, error messaging, and usability.

: You can now select between UTC and your browser’s local time when viewing both Client Logs and Audit Logs, letting you skip the mental time zone math.

Quick package navigation from Client Logs

: We’ve added a hyperlink to the package name within Client Logs, allowing you to click directly to the package details page. This saves time when investigating package activity.

Independent scrolling of logs table and filters

: On the Client Logs page, you can now scroll the filters panel independent of the logs table, a usability improvement for ensuring you can easily set your filters.

 The application now rounds the wait time in a throttling error message to a whole number, removing overly precise fractions of a second to keep the message clear.

: We’ve polished how Docker tags are displayed throughout the UI for better clarity.

: We fixed a bug where the chevron icon to expand Package Groups was not working correctly for non-Docker images.

 Filters for key:value pairs are no longer case sensitive, making it easier and less error-prone to filter the packages view.

Fixed package Copy/Move after Repo rename

: Resolved an issue that prevented you from moving or copying packages to a repository if the repository's display name had recently been changed.

: For packages that fail to synchronize, the UI now displays detailed information about the sync status failure, giving you better insight into the root cause.

 Service accounts are now correctly listed and visible on the Teams management page.

 We've removed the 255-character limit for Webhook Target Endpoint URLs, giving you more flexibility for your integrations.

Recent improvements to the Cloudsmith web app

We’ve improved how Docker images are displayed and navigated in the web app, making it easier to work with tags, architectures and metadata to quickly find what you need.

: An architecture column has been added to the packages table on the packages overview (image 1), and a dropdown on each image overview lets you switch between architectures (image 2).

 Docker tags are shown in a separate component on the image overview (image 2), making them easier to browse and select.

: Package pages now surface richer details, including 

​​These improvements help you quickly find what you need and give clearer insights into an image’s content and supply chain integrity, and are available today in the web application today. 

Improved Docker experience in the Cloudsmith web app

Cloudsmith now displays Docker image signatures and SBOMs (Software Bill of Materials) directly in the web app, giving you greater trust and visibility into the images you use.

SBOMs and signatures have been available through the API to enable client-side verification, but this update makes them directly accessible and easier to inspect in the web app.

 list every dependency, version, and license inside a Docker image, helping you understand what’s in your software supply chain.

 let you verify authenticity with Cosign, including viewing ECDSA key details and checking packages against a trusted public key.

improvements to Docker images in the web app

. All of these enhancements are available today for customers using Docker images in Cloudsmith. 

Verify and inspect Docker images

You can now use quick filters in the package vulnerability view to filter Common Vulnerabilities and Exposures (CVEs) by severity.

The view will still default to ordering vulnerabilities by severity — with Critical issues at the top — but quick filters make it easier to filter directly for High, Medium, Low, or Unknown severities. This helps security teams quickly triage and prioritize, especially when working with artifacts that may have a high number of CVEs (for example, Docker images where the base image alone may contribute a large number). 

Filter CVEs by severity in the package vulnerability view

We've reduced the delay between a download event and its appearance in Client Logs, giving you faster visibility into your package delivery pipeline. This makes it easier to analyze trends, troubleshoot issues, and keep your workflows moving.

, and are part of ongoing upgrades to our edge architecture, designed to deliver faster, more reliable access to Cloudsmith data at scale.

The legacy version of Client Logs will remain accessible in the 

You may notice differences in how the data appears between the legacy Client Logs and the new version:

Legacy Client Logs: logs first show an estimated bytes value, which is later updated with the reconciled value.

New Client Logs: logs are available within ~30-60 seconds and display the correct bytes value immediately.

 in our documentation. If you have any questions, 

Cloudsmith Changelog