Customer story

Leading consumer and industrial electronics organization

Leveraging Cloudsmith’s Enterprise Policy Manager for better package visibility and governance

Company

Leading consumer and industrial electronics organization

A leading global technology company, with a long-established presence across most regions of the world, operates at a scale of tens of thousands of employees and millions of customers. The organization develops and delivers a broad range of electronic and industrial products for both consumer and enterprise markets. Its regional headquarters in Europe plays a key role in supporting customers and driving significant business growth across the market. To strengthen security controls and gain greater visibility around software artifact management, the company turned to Cloudsmith as a trusted partner.

CHALLENGE

Complex security scanning tools

This organization tried JFrog’s Xray to monitor and then manage vulnerable packages, but they were struggling to adopt Xray widely. They estimated they were scanning just 10–20% of projects. While the organization had hoped to use Xray for vulnerability scanning, they found the setup too complex and time-consuming, creating a barrier to adoption. Xray required package-by-package setup, consuming significant internal resources and relying heavily on JFrog’s assistance, which made the process slow and cumbersome. Once Xray was set up, results were inconsistent: the vulnerability status recorded for some packages, for example, conflicted with what Xray’s own scans reported.

Teams were forced to spend significant time wading through discrepancies to determine which information was accurate. This eroded trust in Xray’s output and created ongoing friction with JFrog. Each time the organization needed to scan new packages, new discrepancies would arise and engineers had to escalate to JFrog support for guidance, adding further delays and operational burden.

Beyond CVE scores

The organization’s security teams wanted more than just raw CVE scores. They needed more comprehensive vulnerability scanning results, and more control over package licenses to ensure non-compliant packages didn’t enter their software supply chain. Adding to the urgency was the growing EU CRA regulatory pressure the business faced to generate and share SBOMs across all software by 2027.

Limitations of on-premises infrastructure

With high operational costs, limited adoption, inconsistent vulnerability scanning results, and slow onboarding, the existing on-premises JFrog setup was increasingly a point of frustration. The company needed a cloud-native platform that delivered easy-to-implement scanning, enforced policy at scale, and provided actionable insights for developers, embedded in their workflows.

SOLUTION

The company decided to move away from JFrog’s on-premises platform and migrate to Cloudsmith, aiming to simplify operations, strengthen security, and reduce the risk of malicious packages reaching production.

Replacing JFrog’s complexity with Cloudsmith’s Enterprise Policy Manager (EPM)

As a global software distributor, the company needed assurance that compromised packages would be blocked from entering their supply chain, and that any packages already in use could be promptly identified if vulnerabilities were later discovered. With Cloudsmith’s Enterprise Policy Manager (EPM), built on the Open Policy Agent (OPA) standard, they now enforce security and compliance rules automatically. EPM includes policies to detect and control potentially malicious packages, without the heavy configuration burden of previous solutions.

With Cloudsmith, packages with high and critical vulnerabilities can be automatically quarantined, and lower-risk CVEs are tracked and periodically reassessed to confirm they remain non-critical. Safe packages can be released from quarantine through automated policy workflows, creating a consistent, reliable process that protects the supply chain while minimizing manual intervention. This standardized approach streamlines DevSecOps across every repository and package type, including Docker, Raw, Maven, NPM, and NuGet.
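The quarantine logic described above, written as an OPA/Rego policy. This is an added illustration, not Cloudsmith’s EPM code, and the input document shape (`input.package.vulnerabilities`, `input.package.license`) and the allowed-license list are assumptions, not the product’s real schema:

```rego
package epm_example

import rego.v1

# Assumed input shape (constructed for this example, not the real EPM schema):
#   input.package.name            - package identifier
#   input.package.license         - SPDX license identifier, e.g. "MIT"
#   input.package.vulnerabilities - list of {"id": "CVE-...", "severity": "critical|high|medium|low"}

# Severities that trigger quarantine rather than tracking.
blocking_severities := {"critical", "high"}

# Licenses the organization permits (constructed example list).
allowed_licenses := {"MIT", "Apache-2.0", "BSD-3-Clause"}

# CVEs that block the package outright.
blocking_cves contains v.id if {
	some v in input.package.vulnerabilities
	v.severity in blocking_severities
}

# Lower-risk CVEs are allowed through but recorded for periodic reassessment.
tracked_cves contains v.id if {
	some v in input.package.vulnerabilities
	not v.severity in blocking_severities
}

# Human-readable reasons, useful in the audit trail when a package is held.
reasons contains msg if {
	count(blocking_cves) > 0
	msg := sprintf("high/critical vulnerabilities: %v", [blocking_cves])
}

reasons contains msg if {
	not input.package.license in allowed_licenses
	msg := sprintf("license %q is not on the allow-list", [input.package.license])
}

# Final decision: quarantine if any reason exists, otherwise allow.
default action := "allow"

action := "quarantine" if count(reasons) > 0
```

A package carrying only medium or low CVEs and an allowed license evaluates to `action == "allow"` with its CVE ids listed in `tracked_cves`; one high CVE or an unlisted license flips `action` to `"quarantine"` with the cause in `reasons`.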

Unlike JFrog’s Xray, Cloudsmith’s vulnerability scanning required no complex configuration. Engineers could open a repository and see vulnerable packages immediately.

Fast, frictionless vulnerability scanning

Cloudsmith integrates natively with Bitbucket Pipelines, allowing security and policy enforcement to be embedded directly into build workflows. Vulnerability checks run automatically on all packages, ensuring that no artifacts can be released without passing compliance requirements. Teams gain real-time insights into vulnerabilities, dependencies, and package quality, ensuring that security and compliance are maintained across all projects and repositories.

This integration enforces security standards consistently across the organization and reduces manual work for developers, so they can focus on building features instead of managing security configurations.

Accelerated cloud migration for secure, modern artifact management

The organization wanted to decommission their costly JFrog on-prem solution as soon as possible, because they felt exposed on the security front due to inadequate scanning. Switching to Cloudsmith provided stronger protection and immediate peace of mind. Leveraging Cloudsmith’s Migration Toolkit, they successfully moved to Cloudsmith’s cloud-based repositories with minimal disruption to ongoing development. The migration eliminated infrastructure overhead and immediately provided developers with a fully managed, modern artifact platform, enabling them to continue building securely and efficiently.

RESULTS

The move from JFrog to Cloudsmith delivered measurable improvements for this organization across security, compliance, and developer productivity.

  • Fewer vulnerabilities: Org-wide policies block high and critical vulnerabilities before they reach production.
  • Faster releases: Reduced false positives and automated policy enforcement cut investigation time.
  • Lower operational costs: No on-prem infrastructure and less time spent configuring tools.
  • Standardized DevSecOps: Global teams now follow consistent, enforceable workflows.
  • Improved developer velocity: Reducing time spent manually troubleshooting artifacts with inconsistent scan results allows developers to focus on innovating.

The organization can now deliver their broad portfolio of software, which ranges from business and creative applications to device management, image processing, and SDK/API tools, more efficiently. With Cloudsmith as their unified platform, the engineering and security teams can now enforce vulnerability policies consistently across all projects and package types. With automated scanning and repository-level policies integrated into CI/CD workflows, they’ve been able to deliver their portfolio more securely and efficiently, ensuring consistent quality and compliance at scale. As a result, these capabilities not only expand their customer base but also contribute directly to increased profitability.
