A leading global technology company, with a long-established presence across most regions of the world, operates at a scale of tens of thousands of employees and millions of customers. The organization develops and delivers a broad range of electronic and industrial products for both consumer and enterprise markets. Its regional headquarters in Europe plays a key role in supporting customers and driving significant business growth across the market. To strengthen security controls and gain greater visibility around software artifact management, the company turned to Cloudsmith as a trusted partner.
CHALLENGE
This organization tried JFrog’s Xray to monitor and then manage vulnerable packages, but they were struggling to adopt Xray widely. They estimated they were scanning just 10–20% of projects. While the organization had hoped to use Xray for vulnerability scanning, they found the setup too complex and time-consuming, creating a barrier to adoption. Xray required package-by-package setup, consuming significant internal resources and relying heavily on JFrog’s assistance, creating a process that was slow and cumbersome. Once Xray was set up, results were inconsistent: some package vulnerability statuses, for example, conflicted with Xray vulnerability scans.
Teams were forced to spend significant time wading through discrepancies to determine which information was accurate. This eroded trust in Xray’s output and created ongoing friction with JFrog. Each time the organization needed to scan new packages, new discrepancies would arise and engineers had to escalate to JFrog support for guidance, adding further delays and operational burden.
The organization’s security teams wanted more than just raw CVE scores. They needed more comprehensive vulnerability scanning results, and more control over package licenses to ensure non-compliant packages didn’t enter their software supply chain. Adding to the urgency was the growing EU CRA regulatory pressure the business faced to generate and share SBOMs across all software by 2027.
With high operational costs, limited adoption, inconsistent vulnerability scanning results, and slow onboarding, the existing on-premises JFrog setup was increasingly a point of frustration. The company needed a cloud-native platform that delivered easy-to-implement scanning, enforced policy at scale, and provided actionable insights for developers, embedded in their workflows.
SOLUTION
As a global software distributor, the company needed assurance that compromised packages would be blocked from entering their supply chain, and that any packages already in use could be promptly identified if vulnerabilities were later discovered. With Cloudsmith’s Enterprise Policy Manager (EPM), built on the Open Policy Agent (OPA) standard, they now enforce security and compliance rules automatically. EPM includes policies to detect and control potentially malicious packages, without the heavy configuration burden of previous solutions.
With Cloudsmith, high and critical vulnerabilities can be automatically quarantined, and lower-risk CVEs are tracked and periodically reassessed to ensure they remain non-critical. Safe packages can be released from quarantine through automated policy workflows, creating a consistent, reliable process that protects the supply chain while minimizing manual intervention. This standardized approach streamlines DevSecOps across every repository and package type including Docker, Raw, Maven, NPM, and NuGet.
Unlike JFrog’s Xray, Cloudsmith’s vulnerability scanning required no complex configuration. Engineers could open a repository and see vulnerable packages immediately.
Cloudsmith integrates natively with Bitbucket Pipelines, allowing security and policy enforcement to be embedded directly into build workflows. Vulnerability checks run automatically on all packages, ensuring that no artifacts can be released without passing compliance requirements. Teams gain real-time insights into vulnerabilities, dependencies, and package quality, ensuring that security and compliance are maintained across all projects and repositories.
This integration enforces security standards consistently across the organization and reduces manual work for developers, so they can focus on building features instead of managing security configurations.
The organization wanted to decommission their costly JFrog on-prem solution as soon as possible, because they felt exposed on the security front due to inadequate scanning. Switching to Cloudsmith provided stronger protection and immediate peace of mind. Leveraging Cloudsmith’s Migration Toolkit, they successfully moved to Cloudsmith’s cloud-based repositories with minimal disruption to ongoing development. The migration eliminated infrastructure overhead and immediately provided developers with a fully managed, modern artifact platform, enabling them to continue building securely and efficiently.
RESULTS
The move from JFrog to Cloudsmith delivered measurable improvements for this organization across security, compliance, and developer productivity.
The organization can now deliver their broad portfolio of software, which includes business and creative applications to device management, image processing, and SDK/API tools, more efficiently. With Cloudsmith as their unified platform, the engineering and security teams can now enforce vulnerability policies consistently across all projects and package types. With automated scanning and repository-level policies integrated into CI/CD workflows, they’ve been able to deliver their portfolio more securely and efficiently, ensuring consistent quality and compliance at scale. As a result, these capabilities not only expand their customer base but also contribute directly to increased profitability.
Font Awesome’s business relies on the distribution of private packages to customers in a timely, reliable fashion. That wasn’t a use case supported by conventional package management platforms, and attempting to build a solution in-house was causing ongoing issues around uptime and performance.
Like any other company making software at scale, the goal for Carta is delivering great software as efficiently as possible. Cloudsmith helps make that happen. Carta uses Cloudsmith to handle all aspects of package management across the business. That means that Carta engineers have access to a single private repository of software assets, no matter where they are or what language or format they are working in.
The New England Center for Children® (NECC®) is a globally recognized autism education center and research institute. NECC’s educational software system, Autism Curriculum Encyclopedia® (ACE®), is designed to support evidence-based learning for individuals with autism. They migrated to Cloudsmith to ensure they had a cloud-native solution that integrated seamlessly into their DevOps pipeline. Read about how they eliminated downtime, scaled effortlessly, and freed up their team to focus on an increased number of micro-services.
From JFrog Cloud to Cloudsmith: How ConstructConnect strengthened security and simplified software delivery.
Discover how the leading consumer and industrial electronics organization is leveraging Cloudsmith’s Enterprise Policy Manager for better package visibility and governance.
Discover how Diligent transformed its software delivery process with Cloudsmith’s universal package management platform. By centralizing security, automating workflows, and enhancing compliance, Diligent achieved significant efficiency gains and scalable operations. With real-time insights and reduced manual tasks, their teams can now focus on innovation
