We’ve improved how Docker images are displayed and navigated in the web app, making it easier to work with tags, architectures and metadata to quickly find what you need.

: An architecture column has been added to the packages table on the packages overview (image 1), and a dropdown on each image overview lets you switch between architectures (image 2).

 Docker tags are shown in a separate component on the image overview (image 2), making them easier to browse and select.

: Package pages now surface richer details, including 

​​These improvements help you quickly find what you need and give clearer insights into an image’s content and supply chain integrity, and are available today in the web application today. 

Improved Docker experience in the Cloudsmith web app

Cloudsmith now displays Docker image signatures and SBOMs (Software Bill of Materials) directly in the web app, giving you greater trust and visibility into the images you use.

SBOMs and signatures have been available through the API to enable client-side verification, but this update makes them directly accessible and easier to inspect in the web app.

 list every dependency, version, and license inside a Docker image, helping you understand what’s in your software supply chain.

 let you verify authenticity with Cosign, including viewing ECDSA key details and checking packages against a trusted public key.

improvements to Docker images in the web app

. All of these enhancements are available today for customers using Docker images in Cloudsmith. 

Verify and inspect Docker images

You can now host and distribute your machine learning (ML) models and datasets using Cloudsmith. This brings the same security, governance, and cloud-native performance you already rely on for packages, containers, and binaries to your AI workflows.

: Push and pull public or private models, datasets, and related assets with the standard 

 public models and datasets from the Hugging Face Hub for improved reliability and speed.

to fit your workflows. Store models alongside containers and packages, or separate them into dev, staging, and production.

 with fine-grained permissions for who can view or distribute models. 

 on security, quality, and compliance using Enterprise Policy Management.

ML Model Registry

You can now use quick filters in the package vulnerability view to filter Common Vulnerabilities and Exposures (CVEs) by severity.

The view will still default to ordering vulnerabilities by severity — with Critical issues at the top — but quick filters make it easier to filter directly for High, Medium, Low, or Unknown severities. This helps security teams quickly triage and prioritize, especially when working with artifacts that may have a high number of CVEs (for example, Docker images where the base image alone may contribute a large number). 

Filter CVEs by severity in the package vulnerability view

Cloudsmith now detects malicious packages using data from 

 open source packages designed to attack your supply chain before they reach your builds or customers.

 looks inside a package for known signatures, whereas malicious package detection focuses on packages that are harmful by design — for example, those created to mimic legitimate dependencies or trigger unsafe install behaviors. Together, these capabilities provide broader defense in depth across your repositories.

Here’s how malicious package detection works in Cloudsmith:

: The malicious packages dataset is ingested into Cloudsmith and integrated into Continuous Security.

: Packages in your repositories are regularly evaluated against this dataset.

: Enterprise Policy Management (EPM) lets you define policies to automatically quarantine or block flagged packages.

Malicious package detection

You can now use Cloudsmith’s package search syntax to refine the scope of your repository's retention rules when configuring them via the Cloudsmith web application and via the Cloudsmith Terraform provider. This functionality builds on the existing support to 

scope retention rules by package search syntax via the API

, and makes it easier to target exactly which packages to keep or remove.

To start using it via the web application, browse to your repository Settings, and click Retention Rules. Use the 

Retention rules: Refine scope with package search syntax via web app and Terraform provider

, a refreshed and re-architected documentation website for Cloudsmith. 

We believe that good documentation is an essential component of a great product. Our documentation helps new developers get started with Cloudsmith, and enables customers to get the most value from our platform. 

Our new documentation website has better content and simpler navigation, and reflects the design of our web app.

We've added and improved dozens of pages on 

. It is now the best guide to using Cloudsmith

The old documentation site will remain available 

, at which point old docs will redirect to new versions on 

We will continue to make updates to our old documentation website, 

We are migrating knowledge base content from our 

, we believe in collective ownership of documentation. That’s why we’ve housed the source text for our docs in 

, which is editable by our customers, partners, and developers.

 you'll see a View in GitHub button, so you can edit pages directly, and issue pull requests to improve our docs. We'll review all edits and suggestions, and merge them regularly.

As always, if you have any questions, please 

New Documentation Website

We've reduced the delay between a download event and its appearance in Client Logs, giving you faster visibility into your package delivery pipeline. This makes it easier to analyze trends, troubleshoot issues, and keep your workflows moving.

, and are part of ongoing upgrades to our edge architecture, designed to deliver faster, more reliable access to Cloudsmith data at scale.

The legacy version of Client Logs will remain accessible in the 

You may notice differences in how the data appears between the legacy Client Logs and the new version:

Legacy Client Logs: logs first show an estimated bytes value, which is later updated with the reconciled value.

New Client Logs: logs are available within ~30-60 seconds and display the correct bytes value immediately.

 in our documentation. If you have any questions, 

Faster access to Client Logs

As part of upcoming improvements to our logging pipeline, we’ve made adjustments to our underlying data processing. These changes include the 

These fields will now be prefixed with the name of the workspace and the repository.

If you are using custom domains configured at the workspace level, only the repository name will be prefixed: 

For repository custom domains, the path will remain unchanged:

Important information regarding these changes

 field in any automated process, please review your workflows to ensure they will continue working as expected. Note that the exact structure of the URI may change depending on the HTTP request type.

Change to uri Field in Client Log Exports

Identify and prioritize new vulnerabilities in your existing artifacts with Cloudsmith’s Continuous Security. Continuous Security runs hourly checks against trusted vulnerability data sources,

enabling faster detection and response to newly disclosed threats without the need for manual re-scans. Each finding includes an Exploit Prediction Scoring System (

) score so you can quickly gauge real-world exploit likelihood and respond accordingly.

new threats affecting artifacts already in your repositories, reducing the time between disclosure and detection.

Automated governance with Enterprise Policy Management

: Vulnerabilities identified by Continuous Security can be managed and actioned using EPM and policies-as-code (

), preventing downloads or tagging risky artifacts.

 scanning functionality remains unchanged. Continuous Security acts as an additional, proactive layer of security and does not replace or alter the behavior of the existing on-demand and on-upload scanning processes.

: This new capability is available for all 

: Continuous Security aggregates data from trusted and reputable sources:

Exploit Prediction Scoring System (EPSS) (refreshed every 24 hours)

Continuous Security is a fundamental component of our 

 suite. It is available in Early Access for all workspaces where EPM has been enabled.

 in our documentation. Interested in Early Access for Enterprise Policy Management? 

Cloudsmith Changelog