On December 17th, 2025, Cloudsmith will no longer store historical scan results from Trivy scans; only the latest scan results from Trivy scans for each package will be available.

This change affects historical data that is exclusively available via the API. Historical scan results are not displayed in the Cloudsmith web app. Usage analysis indicates that no customers currently access this historical data. If you interact with our vulnerability endpoints today, you are likely already focusing on the latest scan results, which will remain fully accessible.

Why are we making this change?

We are removing this unused data to improve platform performance and prepare for upcoming security features.

• Search performance: Historical scan data accounts for a large portion of our database size. By removing this unused historical data, we will improve response times for package search endpoints.
• Moving to Continuous Security: This cleanup supports our transition to Continuous Security in 2026. Continuous Security will replace Trivy scans with an hourly feed that automatically matches new threats to your artifacts, providing faster and more accurate security insights.

Technical details

The vulnerability API endpoints listed below will remain active and still return a list. The only change in behavior is that the data returned will be the latest scan result for a package, rather than historical scans.

• https://docs.cloudsmith.com/api/vulnerabilities/namespace/list
• https://docs.cloudsmith.com/api/vulnerabilities/package/list
• https://docs.cloudsmith.com/api/vulnerabilities/read
• https://docs.cloudsmith.com/api/vulnerabilities/repo/list

For more information on the upcoming Continuous Security features, please read our documentation. If you have any questions or concerns about this upcoming change, please contact us.