Detect and prioritize new vulnerabilities faster with Continuous Security
Identify and prioritize new vulnerabilities in your existing artifacts with Cloudsmith’s Continuous Security. Continuous Security runs hourly checks against trusted vulnerability data sources, enabling faster detection of and response to newly disclosed threats without the need for manual re-scans. Each finding includes an Exploit Prediction Scoring System (EPSS) score so you can quickly gauge real-world exploit likelihood and respond accordingly.
EPM Policies are continuously evaluated
What’s new
Proactive threat detection: Hourly updates flag new threats affecting artifacts already in your repositories, reducing the time between disclosure and detection.
Automated governance with Enterprise Policy Management: Vulnerabilities identified by Continuous Security can be managed and actioned using EPM and policies-as-code (Rego-based syntax), for example by blocking downloads of risky artifacts or tagging them.
No change to existing scanning: The standard vulnerability scanning functionality remains unchanged. Continuous Security acts as an additional, proactive layer of security and does not replace or alter the behavior of the existing on-demand and on-upload scanning processes.
Broad format support: This new capability is available for all package formats supported by standard vulnerability scanning.
Trusted data sources: Continuous Security aggregates data from trusted and reputable sources:
Aqua Trivy DB (refreshed every 6 hours)
Exploit Prediction Scoring System (EPSS) (refreshed every 24 hours)
Continuous Security is a fundamental component of our Enterprise Policy Management (EPM) suite. It is available in Early Access for all workspaces where EPM has been enabled.
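As an added illustration of the policies-as-code idea described above (this is not Cloudsmith's own policy, and the input field names are an assumption, not EPM's documented schema), a Rego policy that marks a package as failing when any finding has an EPSS score at or above a threshold, or is rated critical regardless of EPSS:

```rego
package cloudsmith.epm.continuous_security

import rego.v1

# Hypothetical input shape (an assumption, not Cloudsmith's documented schema):
# input.package         = {"name": "libexample", "version": "1.2.3"}
# input.vulnerabilities = [{"id": "CVE-XXXX-XXXX", "severity": "HIGH", "epss": 0.42}, ...]

# EPSS is a probability (0..1) of exploitation in the wild within 30 days;
# 0.5 is a constructed threshold, tune it to your risk appetite.
epss_threshold := 0.5

# A finding is actionable when exploitation is likely in practice...
actionable contains v if {
    some v in input.vulnerabilities
    v.epss >= epss_threshold
}

# ...or when severity is critical, whatever the current EPSS score.
actionable contains v if {
    some v in input.vulnerabilities
    v.severity == "CRITICAL"
}

# One human-readable reason per actionable finding; an empty set means the package passes.
deny contains msg if {
    some v in actionable
    msg := sprintf("%s@%s: %s (severity %s, EPSS %.2f) exceeds policy", [
        input.package.name,
        input.package.version,
        v.id,
        v.severity,
        v.epss,
    ])
}

# Downloads are allowed only when no finding is actionable.
default allow := false

allow if count(deny) == 0
```

Because Continuous Security re-evaluates hourly, a package that passed yesterday can fail today purely because its EPSS score rose, which is exactly the case a blocking or tagging rule like this is meant to catch.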