Cloudsmith now displays Docker image signatures and SBOMs (Software Bill of Materials) directly in the web app, giving you greater trust and visibility into the images you use.

SBOMs and signatures have been available through the API to enable client-side verification, but this update makes them directly accessible and easier to inspect in the web app.

 list every dependency, version, and license inside a Docker image, helping you understand what’s in your software supply chain.

 let you verify authenticity with Cosign, including viewing ECDSA key details and checking packages against a trusted public key.

improvements to Docker images in the web app

. All of these enhancements are available today for customers using Docker images in Cloudsmith. 

You can now host and distribute your machine learning (ML) models and datasets using Cloudsmith. This brings the same security, governance, and cloud-native performance you already rely on for packages, containers, and binaries to your AI workflows.

: Push and pull public or private models, datasets, and related assets with the standard 

 public models and datasets from the Hugging Face Hub for improved reliability and speed.

to fit your workflows. Store models alongside containers and packages, or separate them into dev, staging, and production.

 with fine-grained permissions for who can view or distribute models. 

 on security, quality, and compliance using Enterprise Policy Management.

ML Model Registry

You can now use quick filters in the package vulnerability view to filter Common Vulnerabilities and Exposures (CVEs) by severity.

The view will still default to ordering vulnerabilities by severity — with Critical issues at the top — but quick filters make it easier to filter directly for High, Medium, Low, or Unknown severities. This helps security teams quickly triage and prioritize, especially when working with artifacts that may have a high number of CVEs (for example, Docker images where the base image alone may contribute a large number). 

Filter CVEs by severity in the package vulnerability view

Cloudsmith now detects malicious packages using data from 

 open source packages designed to attack your supply chain before they reach your builds or customers.

 looks inside a package for known signatures, whereas malicious package detection focuses on packages that are harmful by design — for example, those created to mimic legitimate dependencies or trigger unsafe install behaviors. Together, these capabilities provide broader defense in depth across your repositories.

Here’s how malicious package detection works in Cloudsmith:

: The malicious packages dataset is ingested into Cloudsmith and integrated into Continuous Security.

: Packages in your repositories are regularly evaluated against this dataset.

: Enterprise Policy Management (EPM) lets you define policies to automatically quarantine or block flagged packages.

Malicious package detection

You can now use Cloudsmith’s package search syntax to refine the scope of your repository's retention rules when configuring them via the Cloudsmith web application and via the Cloudsmith Terraform provider. This functionality builds on the existing support to 

scope retention rules by package search syntax via the API

, and makes it easier to target exactly which packages to keep or remove.

To start using it via the web application, browse to your repository Settings, and click Retention Rules. Use the 

Retention rules: Refine scope with package search syntax via web app and Terraform provider

, a refreshed and re-architected documentation website for Cloudsmith. 

We believe that good documentation is an essential component of a great product. Our documentation helps new developers get started with Cloudsmith, and enables customers to get the most value from our platform. 

Our new documentation website has better content and simpler navigation, and reflects the design of our web app.

We've added and improved dozens of pages on 

. It is now the best guide to using Cloudsmith

The old documentation site will remain available 

, at which point old docs will redirect to new versions on 

We will continue to make updates to our old documentation website, 

We are migrating knowledge base content from our 

, we believe in collective ownership of documentation. That’s why we’ve housed the source text for our docs in 

, which is editable by our customers, partners, and developers.

 you'll see a View in GitHub button, so you can edit pages directly, and issue pull requests to improve our docs. We'll review all edits and suggestions, and merge them regularly.

As always, if you have any questions, please 

New Documentation Website

We've reduced the delay between a download event and its appearance in Client Logs, giving you faster visibility into your package delivery pipeline. This makes it easier to analyze trends, troubleshoot issues, and keep your workflows moving.

, and are part of ongoing upgrades to our edge architecture, designed to deliver faster, more reliable access to Cloudsmith data at scale.

The legacy version of Client Logs will remain accessible in the 

You may notice differences in how the data appears between the legacy Client Logs and the new version:

Legacy Client Logs: logs first show an estimated bytes value, which is later updated with the reconciled value.

New Client Logs: logs are available within ~30-60 seconds and display the correct bytes value immediately.

 in our documentation. If you have any questions, 

Verify and inspect Docker images

Other logs

ML Model Registry

Filter CVEs by severity in the package vulnerability view

Malicious package detection

Retention rules: Refine scope with package search syntax via web app and Terraform provider

New Documentation Website

Faster access to Client Logs