Changelog/Improvement

Native OIDC authentication for Azure DevOps

Dec 7 2025

We have updated the Cloudsmith Azure DevOps extension to support native Azure DevOps OIDC authentication. You can now authenticate pipelines using the Azure DevOps built-in issuer, completely removing the dependency on Microsoft Entra (Azure AD) App Registrations.

Why this matters

OpenID Connect (OIDC) is the gold standard for pipeline security, utilizing short-lived tokens and granular claims. Previously, adopting OIDC in Azure DevOps was complex, requiring the creation of a Microsoft Entra App and the management of static secrets like client and tenant IDs. This dependency often blocked DevOps teams, forcing them to wait on elevated IT or security permissions just to configure a build pipeline.

This update removes that friction entirely. By leveraging the native Azure DevOps issuer, teams can now achieve a "zero-config" setup that bypasses Entra App Registrations. This restores autonomy to DevOps engineers, allowing them to self-serve secure authentication configurations directly within the pipeline while maintaining strict security standards.

How to use it

To adopt the new flow, create an OIDC provider in Cloudsmith with the Provider URL https://vstoken.dev.azure.com/<ORG_GUID> and map it to your service account.

Then, configure your pipeline task:

jobs:
  - job: InstallCloudsmith
    pool:
      vmImage: 'ubuntu-latest'
    steps:
    # Install and Authenticate with Cloudsmith CLI
    - task: CloudsmithCliSetupAndAuthenticate
      inputs:
        cliVersion: '1.8.7'  # Optional: Specify Cloudsmith CLI version to install (Leave empty to install the latest version)
        oidcAuthOnly: false   # Set to true to skip installation and instruct the task to only authenticate via OIDC
        pipInstall: false     # Set to true to install via pip instead of zipapp
        authMethod: 'oidc' # Choose 'apiKey' for API Key authentication or 'oidc' for OIDC authentication
        oidcNamespace: '$(your-namespace)'  # Required if authMethod is set to 'oidc'.
        oidcServiceSlug: '$(your-service-slug)'  # Required if authMethod is set to 'oidc'.


    # Example Cloudsmith push
    - script: |
        cloudsmith push raw $(CLOUDSMITH_ORG)/$(CLOUDSMITH_REPO) my-package.zip
      displayName: 'Push package to Cloudsmith'

Learn more in our Azure DevOps integration documentation.

Other logs

01/06
Deprecation

Deprecating historical scan results retention

On December 17th, 2025, Cloudsmith will no longer store historical scan results from Trivy scans; only the latest scan results from Trivy scans for each package will be available. This change affects historical data that is exclusively available via the API. Historical scan results are not displayed in the Cloudsmith web app. Usage analysis indica…

Dec 5 2025
New

Upstream Support for Chainguard Libraries for Javascript (npm)

Cloudsmith now provides official upstream proxying and caching support for Chainguard Libraries for Javascript in your npm repositories. This integration enables customers to use Cloudsmith as the primary, secure distribution platform for Chainguard’s malware-resistant, built-from-source JavaScript dependencies. Key benefits Centralized distribut…

Nov 20 2025
Keep up to date with our monthly product bulletin