Think you can outsmart a supply chain attack? Join our Capture the Flag challenge and put your skills to the test with Trivy, OPA, and EPSS. Scan, secure, and quarantine. Complete the challenges, defend the pipeline, and earn your shot at prizes.


​CTF Security Challenge: Are you in?

Stop by and discover how to gain visibility, protect every artifact, and simplify control across your software supply chain - all in one cloud-native platform. Secure every artifact and control your supply chain, without slowing developers down.

Secure Software Starts at Booth 530

Hang out and connect with DevOps, DevSecOps, Cloud, and Open Source professionals from communities around the world after KubeCon + CloudNativeCon at the AprèsKube Party! Space is limited; RSVP is required.


AprèsKube ATL: The (Un)official KubeCon After-Party!

Join Cloudsmith in Atlanta at KubeCon NA 2025, Booth 530! Catch lightning talks, hands-on demos, and prizes while learning how to secure every artifact in your supply chain. Fill out the form to request a discount pass or book a 1:1 meeting with our team.

Meet us at KubeCon + CloudNativeCon North America 2025

Attackers are exploiting typos and AI-generated code to slip malicious packages into software ecosystems. Learn how typosquatting and slopsquatting attacks work, why AI is accelerating them, and the practical steps to detect, prevent, and secure your supply chain.

Nigel Douglas

Head of Developer Relations

Liana Ertz

Product Manager

As software ecosystems expand, attackers are exploiting the smallest cracks - from a single typo to a reused name - to sneak in malicious packages. The rise of AI-generated code has amplified this problem. Automated code suggestions, dependency management, and code-completion tools can unintentionally introduce lookalike or compromised packages into projects. These lookalikes are easy to miss and can bypass traditional security checks, creating serious downstream risk.

This session combines real-world examples with practical advice on how to detect, respond to, and prevent squatting attacks in a world where AI-driven development is changing how code is written, shared, and reused. You’ll leave with a clearer understanding of how these threats operate, a simple framework for detection and response, and actionable steps to make your package ecosystem more resilient.

From naming hygiene to automation strategies, this session will help your teams stay one step ahead of the next squatting campaign, whether it is targeting human developers or being propagated by AI-generated code, and keep your software supply chain secure.

Typosquatting & Slopsquatting: Detecting and defending against malicious packages

Sofware supply chain security

Featured Events

Upcoming Events

Featured In-Person Events

Upcoming In-Person Events

Featured On-Demand Webinars

On-Demand Webinars

Featured Webinars

Upcoming Webinars

Featured Workshops

Upcoming Workshops

Don’t let hidden threats slow you down. Discover how Cloudsmith & Kusari enable proactive security to prevent tampering, improve visibility, and speed deployments—reducing rework and strengthening your software supply chain.

Ben Cotton

Open Source Program Lead

Security checks are more critical than ever as attackers increasingly target software supply chains, from dependencies to CI/CD systems. But speed is just as important. Slowing down development isn’t an option, so organizations need security that enables rapid releases without adding friction.

The real competitive advantage comes from building security into your workflow so that speed and safety go hand in hand. Whether you’re under pressure to reduce risk, or enabling speed at scale, you’ll leave with actionable steps to make your pipeline not only secure but trustworthy - and spookily efficient.

In this joint webinar from Cloudsmith and Kusari, our experts will show you how to turn security from a bottleneck into a force multiplier.

More Trust, Less Boo! Haunt-Free Deployments with Cloudsmith & Kusari

The recent npm supply chain attack was a wake-up call: open source dependencies are a critical risk vector. If your organization isn’t actively securing the way you source, store, and distribute software artifacts, you’re exposed.

Cristian Garcia

Senior Customer Success Manager

Gwen Burchell

Engineering Manager

The recent npm supply chain attack was a wake-up call: open source dependencies are one of the most critical risk vectors facing modern software teams. High-profile incidents like the npm cryptocurrency attack and the S1ngularity/nx breach have made it clear that vulnerabilities don’t just come from the code you write, they often hide in the transitive dependencies your applications rely on.

If your organization isn’t actively securing how you source, store, and distribute software artifacts, you’re exposed. And while you can’t stop attackers from trying, you can prepare to minimize risk and disruption when the next breach inevitably happens.

In this webinar, we’ll explore what these attacks revealed about dependency risk, why practices like lockfiles and dependency pinning matter, and how to build resilience with approaches like Continuous Security and Verified Registries. You’ll also see how Cloudsmith helps teams automatically mitigate malware and vulnerabilities, so you can stay ahead of threats without slowing development.

Lessons from the npm Attack: How to Secure Dependencies with Artifact Management

Not every CVE is worth chasing. In this webinar, we’ll show how to combine CVSS severity with EPSS exploitability inside Open Policy Agent (OPA) to automatically quarantine the vulnerabilities that matter most. 

Vulnerability management isn’t about patching everything - it’s about patching what actually matters. CVSS gives you severity. EPSS gives you probability. Together, they let you prioritize risk in a way that reflects real-world exploitation, not just theoretical impact.</>

In this session, we’ll show how to integrate EPSS and CVSS into Open Policy Agent (OPA) to automatically quarantine packages that cross defined thresholds. Using Rego, you’ll learn how to encode risk-based policies that block high-severity, high-likelihood vulnerabilities before they hit production - without slowing down development workflows.

From CVE Scores to Action: Enforcing Artifact Management Policies in OPA

Secure your CI/CD pipeline with Cloudsmith and Chainguard. This session will show you how to embed native artifact signing and enforce security policies within your workflows, enabling fast, trusted shipping without compromise.

Manfred Moser

Senior Principal Developer Relations Engineer

Mark McMurray

Senior Software Engineer

Join us for a hands-on session on securing modern CI/CD pipelines through native signing and real-time policy controls.
With software supply chain threats escalating, it’s critical to ensure only trusted, verifiable artifacts reach production. This session will show you how to integrate signing, provenance tracking, and policy checks directly into your CI/CD workflows - without slowing down delivery. 

See how Cloudsmith and Chainguard are advancing DevSecOps with end-to-end artifact security, SBOM integration, and policy-driven CI/CD pipelines. You’ll leave with actionable tools and proven strategies to harden your pipeline and ship with confidence.

Unlocking Software Integrity: Native Signing & Policy Enforcement

Artifact management is now central to secure software delivery - but AI, compliance, and scale are raising the stakes. Join us live as we unpack key insights from the 2025 Artifact Management Report and explore how teams are adapting to this fast-changing landscape.

The software development landscape is undergoing a major transformation driven by the rise of AI and automation. While these technologies offer incredible speed and innovation, they also introduce new pressures - demanding that software delivery be faster, more secure, and fully compliant with evolving global regulations.
Drawing on insights from over 300 engineering, DevOps, and security professionals, this webinar will examine how leading organizations are rethinking their artifact infrastructure to meet these modern challenges. From securing pipelines to navigating compliance, we’ll dive into the practical steps teams are taking to adapt.
We'll gain deeper insight into the challenges users face in securing AI-driven pipelines, especially as threats like AI malware hidden in unvetted dependencies (e.g., through manipulation techniques like slopsquatting) continue to emerge. We'll also explore developers' concerns around scalability, performance, and the security limitations of today’s artifact management systems.
In addition, we’ll cover how organizations are aligning with regulatory frameworks like SLSA, DORA, and the EU CRA by building in traceability, auditability, and automated policy enforcement. Finally, we’ll look at strategies for enabling cross-functional collaboration, while still maintaining strict governance, visibility, and control over the entire software supply chain.

 From AI to Scalability: 2025 Trends in Artifact Management

Software supply chain security is critical, yet artifact management often goes overlooked. Join Docker and Cloudsmith in this live webinar to explore how teams are securing the artifact lifecycle and staying ahead of evolving threats.

Michael Donovan

VP Product

Ralph McTeggart 

Principal Engineer

Jack Gibson

Containerized software and artifact management processes and technology have become soft spots in your software supply chain security — and attackers know it. From compromised CI/CD workflows to malicious open source packages, the threat surface has expanded — and attackers are increasingly targeting containers, registries, and build pipelines. Yet, many organizations still rely on default configurations, public registries, and unsigned packages — leaving critical blind spots in their security posture.

In this live session, Michael Donovan (VP of Product, Docker), Ralph McTeggart (Principal Engineer, Cloudsmith), and Jack Gibson (Senior Software Engineer, Cloudsmith) will walk through how leading teams are securing their software supply chains — with a sharp focus on artifact management. You’ll get a front-line view of how threats are evolving, how cybersecurity is reshaping security priorities, and what real-world strategies teams are using to lock down the full artifact lifecycle.

Topics will include
<ol>
<li>How attackers are targeting the software supply chain — and where your blind spots are; from tampered images to compromised CI/CD workflows, we’ll unpack real-world examples of how artifacts are being exploited — and why containers, public registries, and unsigned packages are common weak points</li>
<li>What a secure artifact lifecycle looks like in practice; learn the technical building blocks of a secure pipeline: signing, provenance via SLSA, tamper-proof storage, and enforcing policies without adding friction to dev workflows</li>
<li>How SBOMs and attestations create real visibility and trust. We’ll show how to integrate SBOMs and signed metadata into your pipeline for traceability — without slowing teams down</li>
<li>How to move toward zero-trust for artifacts - explore how forward-thinking teams are adopting cryptographic verification, trusted sources, and immutable audit logs to lock down the full software delivery process</li>
</ol>

State of the Union: Modern security approaches for the Software Supply Chain

Explore Helm chart security risks, real attacks, and vulnerabilities - learn how misconfigurations and dependencies threaten Kubernetes deployments.

As Kubernetes adoption grows, Helm charts have become a go-to for app deployment - but they come with security risks. Public charts often include misconfigurations, insecure defaults, and vulnerable dependencies, opening the door to privilege escalation, data leaks, or even full-cluster compromise.

This webinar explores the evolving threat landscape around Helm charts in public repositories. From real-world incidents, like the Codecov supply chain attack, to hypothetical attack vectors like "ChartSploit", we highlight how seemingly benign configurations can be exploited. You'll gain insights into the anatomy of vulnerable charts, key risk areas such as RBAC misconfigurations and dependency vulnerabilities, and what recent CNCF data tells us about industry-wide exposure.

Identifying vulnerabilities in public Kubernetes Helm charts

Watch this on-demand webinar to explore how data can be leveraged to protect your software supply chain. Learn how to extract actionable insights, enforce data-driven security policies, and enhance auditability with real-world strategies and examples.


Paddy Carey

Alison Sickelka

VP of Product

Dan McKinney

Solutions Engineer

In today’s rapidly evolving software landscape, organizations face unprecedented challenges in securing their supply chains. With deeper dependency trees, increasing third-party code contributions, and growing threats - from vulnerabilities and misconfigurations to malicious packages and targeted attacks - ensuring security without compromising agility has never been more critical.

Watch this on-demand webinar to explore how data can be leveraged to protect your software supply chain. Learn how to extract actionable insights, enforce data-driven security policies, and enhance auditability with real-world strategies and examples.

Gain the knowledge and tools needed to turn data into a powerful defense against ever-evolving threats. Watch now to strengthen your security posture and safeguard your organization’s software ecosystem.

Putting Your Data to Work to Protect Your Software Supply Chain

Glenn Weinstein, CEO of CloudSmith, and Ronan O'Dooley, VP of Engineering, share their expert predictions and valuable insights to help you navigate the future of software supply chain management.

Ronan O'Dulaing

VP of Engineering

Glenn Weinstein

As the software ecosystem grows more complex and security challenges become more pressing, staying informed on emerging trends and threats is crucial. Listen to Glenn Weinstein, CEO of CloudSmith, and Ronan O'Dooley, VP of Engineering, share their expert predictions and valuable insights to help you navigate the future of software supply chain management.

2025 Software Supply Chain Predictions 

During this pre-KubeCon webinar, we will tackle the big questions that should be at the center of conversation at this year's event.

2025 is almost upon us.

During this pre-KubeCon online event, we will tackle the big questions that should be at the center of conversation at this year's event.

If over 90% of software deployed is open-source; what’s the difference between software security and software supply chain management? How can platform teams protect their organizations from attacks? How can you grasp control without impeding developer velocity?

It's time for engineering leaders to make their IDP tooling bets.

KubeCon is the opportunity to answer these big questions and share ideas.

Don’t miss this opportunity to learn from the leading minds in the software supply chain management about the most pressing questions in the industry today ahead of the only event that matters.

 Policy Management - The Key to Unlocking a Secure Software Supply Chain

Join us as we explore the EU's Cyber Resilience Act, its potential impact on the OSS Community, and proactive measures you can take to prepare your team for its implementation. 

Nick Peacock

Senior Director, Customer Success

The European Parliament (EP) adopted a provisional version of the final text of the EU Cyber Resilience Act (CRA) on March 12, 2024, with the final version expected to be signed and published in October.

The EU's CyberResilienceAct (CRA) proposes stringent cybersecurity requirements for digital products, aiming to bolster security against cyberattacks. While it promises safer hardware and software, it also raises questions for Open Source contributors and organizations. Will they be liable for vulnerabilities in their code? Could this legislation stifle innovation or foster it?

Join us in exploring these questions to understand how the CRA underscores the imperative for open source organizations to advocate for their interests in policymaking.


EU's Cyber Resilience Act Repercussions in Open Source

In the final session of our summer series, we will explore why prioritizing artifact management is essential in advancing self-service IDPs and how the adoption of Cloudsmith offers solutions to the most common challenges in platform engineering teams.

Rob Godfrey

Senior Technical Architect

Antoine Tielbeke

DevOps Engineer

As DevOps evolves into platform engineering, the focus shifts to creating Internal Developer Platforms (IDPs) that offer self-service capabilities to developers, reducing cognitive load and streamlining development processes. Platform engineers are tasked with creating a multi-tenant SaaS approach in order to have centralized standardization, control, and governance.

In this session we will explore why prioritizing artifact management is essential in advancing to self-service IDPs and how adoption of Cloudsmith offers solutions to common challenges such as high infrastructure costs, managing security vulnerabilities, and maintaining productivity. Attendees will gain insights into best practices of implementing an artifact repository at the center of their CI/CD pipeline.


How Cloud-Native Artifact Management Can Facilitate the Move to Platform Engineering

The second session of our three-part summer series will help you assess and enhance your DevOps team's capabilities in preparation for transitioning to platform engineering using Omdia’s DevOps Maturity Checklist as our guide. 


Dave Bresci

Senior Manager, Site Reliability Engineering

Richard Vodden

Vice President of Technology

This webinar will help attendees assess and enhance their DevOps capabilities in preparation for transitioning to platform engineering using Omdia’s DevOps Maturity Checklist. We will cover key components like tools, culture, processes, and governance, and provide a structured self-assessment approach to identify team strengths and areas for improvement.  PagerDuty and Humanising Autonomy will join us to discuss their ongoing transformation and the challenges they’ve faced so far.


A Roadmap to Evaluating Your Organization’s DevOps Maturity

Discover how reimagining DevOps as platform engineering can create a more cohesive and streamlined approach to IT operations and development for your team in the first session of our three-part summer series.

Luca Galante

 VP, Product & Growth

Alan Carson

Co-founder and Chief Strategy Officer

As organizations continue to navigate the complexities of modern IT environments, the evolution from “DevOps” to “platform engineering” has emerged as a crucial next step in maximizing operational efficiency. By reimagining DevOps as platform engineering, organizations can create a more cohesive and streamlined approach to IT operations and development, breaking down the silos that often impede progress. In this webinar, the Cloudsmith team will explore Omdia’s latest Market Disruptors Report and discuss which critical success factors you need to consider before making the transition to platform engineering.



From DevOps to Platform Engineering: The Next Evolution

Discover how Cloudsmith's newly released support for Swift can revolutionize the way Swift developers manage dependencies.

Dave Verwer

Co-creator

Domagoj Katavic

Special guest Dave Verwer, co-creator of the Swift Package Index, will join us to discuss his role in developing the Swift Package Index for the community and the potential future of a Swift package registry. 

We will showcase Cloudsmith's newly released support for Swift, highlighting features like package hosting, vulnerability scanning, dependency management, and policy management. Discover how Cloudsmith's new capabilities can revolutionize the way Swift developers manage dependencies. Don't miss this opportunity to stay ahead in the ever-evolving world of Swift!




The Future of Managing Swift Dependencies | A New Era for Developers

Join Cloudsmith and Spacelift on June 5 at 12:00 pm EDT/5:00 pm GMT as we delve into the world of enforcing secure, automated deployment practices through Infrastructure as Code (IaC). 


Emin Alemdar

Solutions Architect

Ciara Carey

We are thrilled to welcome Emin Alemdar, Solutions Architect at Spacelift, CNCF Ambassador, AWS Container Hero, and holder of multiple certifications (CKA, CKS, and 6x AWS Certified), as our guest speaker.

Emin will share invaluable insights on streamlining infrastructure management with Spacelift's sophisticated CI/CD platform, which supports various IaC tools, including Terraform, Pulumi, and Kubernetes. 

Key topics include: 
- What is Infrastructure as Code (IaC)? 
- How tools like Terraform can help with automating IaC? 
- Best practices for ensuring secure and automated IaC deployments. 
- How Cloudsmith's seamless integration with Helm and Terraform simplifies artifact management, aligning with industry standards for security and automation.


Enforce Secure Automated Deployment Practices through IaC

Check out how to reduce the risk of data breaches by removing long-lived credentials from your CI/CD build pipelines using OpenID Connect (OIDC) authentication. 

We are back on May 22nd to see in action how OIDC tokens can provide enhanced security and convenience for your team, eliminating the need for long-lived credentials and reducing the risk of data breaches in your cloud environments. We'll demo how to connect to Cloudsmith to CI/CD pipelines using OpenID Connect (OIDC) authentication. 

Securely Connect Cloudsmith to Your CI/CD with OIDC Authentication

[00:00:00] **Ciara Carey:** Hey, so I'm Ciara Carey and welcome to Cloudsmith's webinar on all things package management and supply chain security. Cloudsmith is your cloud native universal artifact management platform. So let's get on to our topic. Oh, before I start, we're using a new webinar program. platform today. So excuse us if there's any hiccups streaming to any of the platforms.

[00:00:29] So let's get on. We know that managing authentication and authorization and a scalable, secure way is like a mega challenge for organizations. A lot of organizations want to move away from long live credentials, like your username or password, even your token, and especially in your CIS. CD tooling, where you're given like a extensive permissions.

[00:00:56] Well, you can do this with OIDC or OpenID 

[00:01:00] Connect. And today we're going to be talking about this, about configuring OID Connect with CloudSmith and GitHub Actions. So super practical, and this is sort of a continuation from our last webinar. In our last webinar, we talked to Rob Godfrey. He's a senior technical architect of the Financial Times, and he led a team that had to deal with an incident in early 2023 where they had to rotate and revoke all their long lived credentials in their, in their pipelines.

[00:01:29] After a breach, there was like thousands of, of long lived credentials they had to rotate and it was a huge task. Weeks of work from a team of engineers. And after that, they decided to move away from these long live credentials and use OIDC authentication wherever possible to make their pipelines more secure and more manageable.

[00:01:54] So what is it? These long live secrets in our CICD, well, we need 

[00:02:00] them because they facilitate access to all those cloud services for publishing artifacts for software deployment and cloud resource management. So like a classic. Use case for using long lived credentials in your CICD pipeline would be a user is created with the cloud service and this is we integrate this with our CICD, such as like AWS or, or CloudSmith, and we need permissions to perform actions like push a package or push something to an S3 bookish.

[00:02:34] So we, to do, to, to. Create these permissions, we, we create secret in our CICD, like our GitHub actions. And these credentials, these are saved and they're basically just long lived credentials then. And then we use them in as we're running our GitHub actions. And they have to have extensive permissions because they need to create stuff to delete stuff, to update stuff, you know, [00:03:00] they need to do stuff.

[00:03:00] So they need like a lot of permissions. And the problem with this is that like if they do leak. It, the blast radius is quite hard. So the main problem with long lived credentials are they can leak. Any credential can leak. They expire and then you have to you break your bill that way. So it's kind of hard to manage.

[00:03:21] And often these credentials, it's, it's, it's, It's common for them to be reused. So that increases the risk factor there. So what is OIDC? Well, OIDC stands for Open ID Connect. You don't have to completely understand it, I'm not for sure I fully understand it, but I do know how to use it. So but here's the two too long, didn't read the version of it.

[00:03:46] So we all know how to we've authenticated using OAuth into services using Google, Apple, and Facebook. We're kind of used to that. Well, similarly, similarly, OITC allows like a [00:04:00] trusted service, like OIDC identity providers, like GitHub actions. To authenticate into other systems like CloudSmith. And it's like a, in a non interactive way.

[00:04:12] And like by creating a short lived JWT token. So you, you can request these tokens on demand and they're good for like. 19 minutes or 15 minutes. I'm not really sure, but a short amount of time and then they expire and you don't need to worry about them leaking. So they keep you safe for production and you're able to do this, this process at scale.

[00:04:37] So now that I did a quick introduction, let's, let's show how you would configure this. using CloudSmith, configure CloudSmith to use GitHub actions so that GitHub actions is the OIDC identity provider. So our workflow would be like with our workflow would be in CloudSmith, we've 

[00:05:00] set up a service account and we'd give it the right permissions and also in CloudSmith, we set up our GitHub OIDC identity provider for the CloudSmith organization.

[00:05:12] And then in GitHub Actions, we update our GitHub Actions to use the OIDC. And then we trigger a build just like we would trigger something to happen. And it should pull down those creds to use with our CloudSmith Actions. So let's actually do a little demo. So I'm going to Share my screen. Forgive me, this is a new platform.

[00:05:39] Okay, I'm going to share my screen. It's happening. You

[00:05:43] can see, I've been studying this handshake thing with OIDC. Like I was saying before, we configure our cloud provider or our service like CloudSmith to trust GitHub Actions. There's some sort of handshaking going [00:06:00] on. And when we're running our job, it'll, it'll request a token and then it'll CloudSmith will verify that this is correct.

[00:06:08] Yeah. You can So let's see. So this is our Cloud Smith repository that we're going to use here. I'll just, there's a package in here. I'm going to just delete it.

[00:06:19] So first thing we need to do is to make sure that we have a service, service account. So here is our account. So I'm going to use this one, GitHub actions to To, uh, with the permissions in to run this in GitHub actions. Sorry to this. So the service service service account is called GH actions.

[00:06:41] Okay. This is my repository. I have my service service user, and now I'm going to make sure my my Service account has the right privileges. So in my, my repository, I'm going to go to access control

[00:06:58] and I've given the correct [00:07:00] privileges, right privileges to to this guy here,

[00:07:03] and now I'm going to set up OIDC, so I've so I'm calling it, so here I've already configured it, calling it gh2, and this is the URL you used to set up get up actions as the identity provider. It's the, it'll be the same for everybody. And then I'm going to set up my claims. Now the claims are actually really important because if you don't set up, set them up, you're giving like broad access to other runners on get up actions to possibly also have permission to, to do something to CloudSmith.

[00:07:40] So I have Restricted it to repository owner, which is me and that's my GitHub repository owner. And then I have selected my service account, my GitHub Actions service account as as the user. Okay, great. So I have set up GitHub Actions to have [00:08:00] permission. to authenticate into CloudSmith. And now I am going to go to my GitHub my GitHub project.

[00:08:10] So I have robbed this from Dan McKinney. Thank you very much. And it's just a little project to build a Debian package. I'm only interested in the workflow. So there's a few things that you, that are important. Okay. So. We're going to be using the CloudSmith action and we're going to trigger it on a push.

[00:08:35] We could have just triggered it on anything, but we'll trigger it on a push. And this part is really important for, this is actually necessary for the OIDC thing to work. You, you gotta, you gotta, and give the GitHub identity provider permission to write the, JWC token, which CloudSense will need later on.

[00:09:00] And so we have a job here to build this is just to build that package. And then we have a job to publish. And so, so this is the OIDC stuff here. So I, you need to have these lines, these two lines here to request the token. Yeah. And then post the token and then it's available for anyone below that can use that token and we need to set the environmental variable to be CloudSmith API key so that our CloudSmith action will will read that later on.

[00:09:37] Okay, and then we have we're going to push our package to CloudSmith and that's what this bit does here. So, okay, let's see. Let's get it going.

[00:09:53] I'm just going to force it. We run all jobs and you can see here, what I expect 

[00:10:00] in my repository

[00:10:03] is that push a Debian package to this repository using my

[00:10:09] Using the GitHub actions here, and it's going to use OIDC to authenticate. And I've set that up earlier. Okay. Yep. Yep. Yep. Yep. Yep. I'm going to run it now. If I had, obviously, if I've made a change if I push to change, it would automatically run.

[00:10:36] It's pretty quick.

[00:10:38] And to go back to the claims bit, I think it's really important to emphasize that you really should have a claim in your in your, in your OpenID token, you should really have set a claim. Otherwise, you're going to set too broad provisions. Okay,

[00:11:00] so now it's built that it's going to publish it.

[00:11:05] Okay, so you can see here it's published it and you can see the person that's published it is our service account gh actions. So it all looks good. I'm going to run this again and just show you when I that it will fail if I don't have, just, I always like to see things fail just so that you see what is working and what isn't working.

[00:11:30] So I'm going to disable. This GitHub action now. And when I run it again, this will fail. Okay.

[00:11:40] Now, we run all jobs.I probably should have just run the publish bit,
[00:11:47] like a good fail. Oh, okay. Come on. I'm rooting on you to fail now.

[00:11:57] Oh, yay. Oh, boo boo. But we knew this was going to 

[00:12:00] fail because we we updated what GitHub actions was permitted to do. Okay, great. Yeah. So I hope you've gotten something out of this. We've showed you a workflow. Oh let me on share back. Hey, so oh, I, so on this, so I've showed you a workflow how to use GitHub actions with Cloud Smith to, in a, using OIDC.

[00:12:31] It's like a more secure way so you don't have to store your cosmic credentials in your in your GitHub actions. In a, in a secret. And this is a manageable, secure, scalable way of managing your authentication and authorization for your organization. Yeah. I'm going to see if there's been any questions.

[00:12:56] Okay. I do have a poll, but it might be a bit late in 

[00:13:00] the day to do it. Okay. I'm going to try I'm going to publish this. Oh, there's two votes in. Okay. Okay. So I have a poll. There's two of them in do you use OIDC in your pipeline? So it's like. Most people don't and I think it's, it's sort of new, you know, and actually it's, it's, there's a lot of work in updating all those all those long live credentials.

[00:13:21] Totally understand that. So, and not all services provided. And let's see the Oh yeah. Have you ever had to, my other question is, have you ever had to revoke? Or rotate keys after an incident and it looks like everybody has. There are so many people voting, but I, I think it's, it's a thing you have to do.

[00:13:43] You know, things happen. People publish things by mistake. The services you're using might have a breach. These things happen and we need a, a better way. We need a better way. So thanks for coming today. I hope you've gotten something out of this.

[00:14:00] And are, we're actually going to have a webinar and only a few weeks time with Spacelift on how to securely deploy things using infrastructure as code.

[00:14:12] So thanks for joining today. And I will, and that is on the 5th of June and the, it's called enforce secure automated deployment practices using infrastructure as code. Okay. Thanks again. Bye!


Join Cloudsmith & guest Rob Godfrey, Senior Technical Architect at Financial Times, for DevOps Debriefs: discussing authentication's role in pipeline security. Find out how FT reacted to the CircleCI breach & how Cloudsmith's support of OIDC improved supply chain visibility

In our first episode of DevOps Debriefs, join Cloudsmith and special guest Rob Godfrey, Senior Technical Architect at the Financial Times (FT) for a discussion on the crucial role of authentication and credential management in ensuring software pipeline security.

We’ll discuss:
Innovative strategies that empowered the Financial Times team to overcome software supply chain risks in their pipelines.
How the team responded to the fallout of the CircleCI breach.
Insights into the challenges and triumphs as the Financial Times fortified its pipelines against potential risks.
The pivotal role of Cloudsmith in supporting FT's adoption of OIDC and providing comprehensive visibility into their entire software supply chain.

DevOps Debriefs: How The Financial Times Beat Leaks with OIDC

Join Cloudsmith and Chainguard as we talk about the easy way to securely consume Open Source Software (OSS) for your organization using Artifact Management and images with zero vulnerabilities.

Adrian Mouat 

Developer Relations

Join Cloudsmith and Chainguard as we talk about the easy way to securely consume Open Source Software (OSS) for your organization. Discover S2C2F best practices for securely consuming OSS and understand how Cloudsmith’s Cloud Native Artifact Management aligns with these standards. Learn about Chainguard zero CVE images drastically reduce vulnerabilities and image attack surface.

Do You Know How to Securely Consume Open Source?

Explore actionable vulnerability management workflows for your organization with Cloudsmith. Optimize software integrity and prevent risks. Join our webinar now!

Join us for a webinar on actionable vulnerability management workflows for your software pipelines using Cloudsmith. Understand the critical need to protect your organization’s software integrity from supply chain attacks and hidden vulnerabilities. Learn how Cloudsmith serves as your organization’s central source of truth for builds, mitigating risks, optimizing workflows, and ensuring global distribution. Explore Cloudsmith Navigator to safeguard your IP and prevent security breaches. Don’t risk the consequences of insecure software. Register now!

Practical Workflows for Managing Vulnerabilities Using Cloudsmith

Join us for a demo and Q&A on Cloudsmith's cloud-native, global, universal artifact management platform! Learn how Cloudsmith can help you secure your software supply chain, optimize your workflow, distribute software globally, and reduce infrastructure costs!

Paul McKeever

VP Growth

Join Dan and Paul for a demo and Q&amp;A on Cloudsmith’s Cloud Native Software Supply Chain Management Platform! Learn how Cloudsmith can help you secure your software supply chain, optimize your workflow, distribute software globally, and reduce infrastructure costs!

Intro to Cloudsmith 

Listen to Rust expert Carol Nichols discuss how adopting a memory-safe language like Rust can significantly reduce vulnerabilities.

Carol Nichols

Founder, CEO and author

Listen to Rust expert Carol Nichols discuss how adopting a memory-safe language like Rust can significantly reduce vulnerabilities.

Eliminating Vulnerabilities with Memory Safe Languages

Tune in to hear experts in leadership, DevOps and security look back on 2023

Josh Bressers

Luca Lanziani

Head of DevOps and Platform Engineering

Join our 2023 lookback at DevOps and supply chain security. How was DevOp investment in 2023? Are people generating SBOMs? Were there any major vulnerabilities like Log4Shell? Has there been a clampdown on cloud costs? And are we all using AI in our workflows? We have three wonderful panellists - Glenn Weinstein, CEO of Cloudsmith; Josh Bressers, VP of Security at Anchore; and Luca Lanziani, Head of DevOps and Platform Engineering at NearForm. Secure your spot for this tech-packed session!

Looking back at 2023: The State of DevOps

Tune in to learn how to securely use open source software using OpenSSF's S2C2F Framework

Adrian Diglio

Principal PM Manager

Tune in to learn about how to consume open source securely using S2C2F, an OpenSSF framework donated by Microsoft. Our guest is Adrian Diglio who leads the Secure Software Supply Chain team at Microsoft. Gain insights into leveraging the OpenSSF framework, and learn best practices for secure and efficient open source consumption. This webinar is essential for anybody navigating the landscape of open source security.

Consuming Open Source Securely Using S2C2F

Join us as we delve into a real-world zero-day supply chain attack and unpack its implications for any org making software

David Gonzalez

A Node.js module with nearly two million downloads a week was compromised after the library was injected with malicious code programmed to steal bitcoins in wallet apps. 
Join us as we delve into a real-world zero-day supply chain attack. Understand the response that followed, and how attacks like this can be mitigated. Learn from David Gonzalez, Principal Engineer at Cloudsmith and Member of the Node.js security working group, as he walks us through the incident.

Understanding Zero-Day Vulnerabilities in Software Supply Chain

Understand SLSA 1.0 and adopt a comprehensive checklist of software supply chain security measures

David Wheeler

Isaac Hepworth

Any organization that has taken on the daunting task of securing their software supply chain knows the challenges, pitfalls and caveats that come with implementing security best practices. SLSA 1.0, a community-backed framework that provides a comprehensive checklist of security controls and standards, is here! So what does it mean for you and your organization?

SLSA 1.0 is Here - What Does it Mean for Your Organization?

Join community leaders to discuss DevOps and Software Supply Chain Security trends for the upcoming year, exploring common and unique insights

Chris Hughes

Sam Cochran

Join us as we continue our December conversation and discuss our predictions for DevOps and Software Supply Chain Security for the year ahead with community leaders. We will delve into some common and not-so-common opinions and topics you are likely to hear more and more about as the year progresses.

The State of DevOps - A Look Ahead to 2023

Stay updated with software security insights from industry leaders. Join our panel featuring experts from Puppet and Shopify's advanced DevOps teams, addressing your major queries in an evolving landscape of news, regulations, and tools.

Nigel Kersten

Jacques Chester

There is so much information out there about software security. Every day, there seems to be a new news headline, government regulation, or tool promising to “fix it all”. Do you ever wish you could just peek into how some of the industry’s best dev teams are managing this?
We’ve assembled a panel of experts from the mature DevOps teams of Puppet and Shopify to answer some of your biggest questions

How do mature DevOps teams manage software security?

An overview of EU cybersecurity regulations and why they're relevant to org using open source software

OSS is incredibly positive - without projects like Docker, Kubernetes, Debian, NGINX, Apache, or others, technological innovation would be painfully slow. Its innovation, ease of use, and zero cost meant that nearly every piece of software contains OSS. OSS is everywhere, including data centres, hospitals, e-commerce, phone networks, mobile devices, and power stations. Last year, the Whitehouse issued an Executive Order after the fallout of SolarWinds. This kickstarted the use of SBOMs, a flurry of new projects to protect the supply chain, and the rise of OpenSSF. - How has the EU responded to Critical Threats in OSS? - Are the threats to the EU different from the USA? - The EU is not 1 country but is made up of 27 countries- how does this affect change? - Let’s look at Ireland as an example country in EU and how it is affected by threats to the OSS supply chain and how the EU helps.

The EU's Efforts to Secure Open Source Software

Rising software supply chain attacks shape a new norm for developers and security pros. Growing observability helps preempt disruptions. Cloudsmith and invited experts discuss its impact on supply chain security.

Tom Gibson

Claire Burn

Frequent software supply chain attacks are becoming the new normal for developers and security professionals everywhere. Even though it’s still relatively new, observability has continued to gain momentum as a way to identify software supply chain issues before they become a major disruption. Having access to the right data at the right time is necessary to make decisions about priorities.
We’ve assembled a panel of experts from software, security, and data to talk about observability and what it means to your software supply chain security.

Secure Your Software Supply Chain Using Observability

Learn about Software Bill of Materials, their benefits, and how to generate them

Software supply chain attacks using software vulnerabilities remain a key avenue of initial access for attackers.
Organizations had to scramble to find out if critical vulnerabilities like Log4J were running on their systems. In response, Software Bill of Materials or SBOMs are being quickly adopted by enterprises around the globe, so what are they all about? The Linux Foundation research team revealed that 78% of organizations expect to produce or consume the Software Bill of Materials (SBOMs) in 2022.
Watch this session from DevOps Con NYC to learn about this emerging standard, how it can improve the security of your supply chain, open source tools to help you generate and analyze SBOMs and the future of SBOMs.

SBOMs: The New Standard in Supply Chain Security

Join the team at Cloudsmith and Luke Hinds (RedHat/Stacklock) to learn essential tips for starting with software supply chain security 

Adil Leghari

Lee Skillen

Chief Technology Officer

Luke Hinds

Join the team at Cloudsmith and Luke Hinds (RedHat/Stacklock) to learn essential tips for starting with software supply chain security

Where to start with software supply chain security?

Learn how to improve your supply chain security workflow, enhance visibility

David Schmitt

Engineer

Chris Phillips

Software Engineer

Attend this webinar to learn how to improve your supply chain security workflow, enhance visibility, and prevent a disaster like Log4J by using Syft, Grype, Cosign, and Cloudsmith as the container registry.

Making SBOMs Actionable

Join Dan McKinney, Developer Relations at Cloudsmith for an introduction to Continuous Packaging, and to discuss what it takes to secure build and deployment pipelines

With the increased focus on software supply chain security, the question arises- what implications does that have for CI/CD processes and DevOps pipelines? Join Dan McKinney, Developer Relations at Cloudsmith for an introduction to Continuous Packaging, and to discuss what it takes to secure build and deployment pipelines.

The Future is Continuous Integration, Packaging and Delivery

[00:00:00] **Dan McKinney:** Hi everyone, and thanks for joining me for this talk. The future is continuous integration, packaging, and delivery. So what am I going to talk about today? Well, we will focus on package management, software supply chain security, and where and how continuous packaging fits. In a modern DevOps build and deployment or delivery pipeline.

[00:00:43] **Dan McKinney:** But first, I'd like to take a moment to just introduce myself. So my name is Dan McKinney. I'm based in Belfast in the UK and Northern Ireland, and I'm part of the Developer Relations team at Cloudsmith. Now, I've been embedded with or working alongside software development teams for over 10 years now.

[00:01:06] **Dan McKinney:** Actually, uh, approaching 13 years. And at Cloudsmith, It's my role to get out into the community and help and educate, but also to provide feedback from the community to our internal engineering and product teams. I'm passionate about all things focused on software supply chain security. As I believe that effective package management tools and processes are a cornerstone of a secure software supply chain.

[00:01:44] **Dan McKinney:** I'm also very passionate about good documentation. It's, it's a super important part of any tool or product, and it really does go hand in hand with the, the education side of my DevRel world. And outside of package management and software supply chains, I'm slightly obsessed with Lego and music. I genuinely do go a bit over the top with my Lego collection.

[00:02:15] **Dan McKinney:** I'm completely running out of space to store it all. And likewise, I actually work as a DJ at the weekends. So that's how I can get to flex my, you know, music muscle memory. That photo is actually a picture of me. DJing, I've cropped it and resized it to fit many purposes over the years. Now you can find me on Twitter at dev rel.

[00:02:40] **Dan McKinney:** Dan, my dms are open and I'm always happy to chat, so please come follow along and reach out to me E, especially if it's about Lego. And now just a quick introduction to CL Smith. So, so what is Cloudsmith? Well, Cloudsmith is, is a fully managed package management as a service. We enable your team to quickly set up a private and secure delivery pipeline in just a few minutes.

[00:03:11] **Dan McKinney:** Now, what does that mean? Well, it means that we provide the ability to create universal multi format repositories for over 28 package formats so that you can store, but more importantly, control access to all of your packages, artifacts, and container images. in one place. So it's a single source of truth for all the artifacts that you produce and dependencies that you consume.

[00:03:42] **Dan McKinney:** And it's also the single pane of glass that provides you with the visibility, control, and, and security to protect your teams, your processes, and and your end users or customers from supply chain attacks, you know, enabling performance. Global secure package distribution. So let's kick things off by, by asking the question, what is continuous packaging?

[00:04:17] **Dan McKinney:** Well, in a, in a statement, continuous packaging is the art and science of continuously building packages and containers to securely automate software pipelines. Now that's. I actually think that's a lovely summary statement, but what does it really mean? Well, it means that continuous packaging is a, it's a concept that at its heart is focused on the packages and containers that flow into and out of your CICD processes.

[00:05:00] **Dan McKinney:** And it's there to help secure these. It's about, it's about building and automating processes that allow you to manage and control the flow of these throughout your build and deployment pipelines. Now, what, what is it not? Well, continuous packaging is, is not, it's not one specific tool or application, although it does make use of new Cloud native package management, a new security tooling that is being developed now in this space, but it's, it's the concept of treating all packages and software artifacts.

[00:05:43] **Dan McKinney:** As, um, as specific units of value, continuous packaging helps to fill the gaps between continuous integration and continuous deployment or delivery. So I suppose another way to think about this is what, what does this look like?

[00:06:06] **Dan McKinney:** Okay, so here we have an example, continuous integration, packaging and deployment or delivery process. So let's start with continuous integration on the left here. Now, this is where we take our source and continuously integrate it. And you'll be familiar with this. Many people are familiar with this. It's very well established.

[00:06:30] **Dan McKinney:** And when I say we take our source and continuously integrate it, I mean, we, we scan it for vulnerabilities. We build it and therefore consuming dependencies from our, our universal package repository, not directly from public package sources. And we'll, we'll expand on that later. And then we package this build and we push it back to our centralized package store, our universal package repository service.

[00:06:56] **Dan McKinney:** And you can see that the package repository service, it really is, of course, at the core of this process. So then in the center that this allows us to build a continuous packaging process where we can perform actions like isolating dependencies from from untrusted third party sources, like those upstream public package repositories we mentioned, and we can, we can also verify and.

[00:07:28] **Dan McKinney:** Scan all packages, accepting or rejecting packages as needed. What we're doing here is effectively what we're building out our, our S bomb, our software bill of materials, which if we go back to just earlier is now really a, a verified list of our units of value. Now, this is the place that some of our new tooling comes into play a package management services with advanced features that enable and allow us to automate these workflows, then from from here, you know, on the right hand side, we can go on to continuously deploy these artifacts to our end users, customers, or production systems.

[00:08:17] **Dan McKinney:** Using our existing continuous delivery and deployment tools and processes and a global package delivery network, which is another component of continuous packaging, and we will look at that in more detail in a moment as well. This is why we at Cloudsmith say continuous packaging, it sits in between, but it also overlaps continuous integration and continuous deployment or continuous delivery.

[00:08:51] **Dan McKinney:** It sits in the middle of, but integrates with and enhances both sides of this process. So, I suppose to put it basically then, continuous packaging gives your team security, control, visibility, and management over built artifacts and incoming artifacts. Now some of the, the core benefits that you get from implementing continuous packaging processes are provenance, isolation, and acceleration.

[00:09:34] **Dan McKinney:** Now we'll discuss these. So let's think about them in a bit more detail and let's take each one in turn. We'll start with, with provenance. So, so provenance, what is Well, provenance is about building a verifiable chain of trust for all packages and artifacts that you consume, but also for those that you deploy with things like a single source of truth and package signatures and package checksums, and even an audit trail of package events.

[00:10:19] **Dan McKinney:** That gives you the the life cycle of a package. Now, some things like package signatures have been available now in one form or another for for a long time, but it's only more recently and very much. Pushed on by the, the explosion of software supply chain attacks in recent years. But it's only recently that the tooling has improved to the point that things like package signatures are becoming the default.

[00:10:55] **Dan McKinney:** So with tools like things from the SIGstore project, Cosign, for example, for, for container signatures, well, they've been explicitly designed to take the pain. Out of managing and verifying package and container provenance and to make it all more, more amenable to, to automation so that you can build provenance right into your continuous packaging processes.

[00:11:25] **Dan McKinney:** That's a huge part of continuous packaging. And it's also things like vulnerability scanning so continuously scanning your artifacts and images, so that, say, in the event of another CV like log for shell being identified. You know, you can react very quickly and, and both block future use of affected artifacts, but also audit the previous use and deployment of affected artifacts.

[00:12:03] **Dan McKinney:** So it works both ways. So speaking of, of blocking the use of specific artifacts. That brings me to the next benefit to my next point, which is isolation. So again, what do we mean by isolation? Well, we are specifically thinking here about packages consumed from public repositories repositories that are Outside of your control, typically open source packages and nearly all software development now uses open source packages in some form, somewhere down the dependency tree isolation, it's, it's the ability to to cache packages from public upstream repositories yourself.

[00:13:00] **Dan McKinney:** So basically inserting a layer. between you and your processes and the public repositories. Now, this is valuable for several reasons. This really does have value. The first reason is, is package availability. Because, you know, securing the availability of your packages is a very important part of a secure software supply chain.

[00:13:28] **Dan McKinney:** Now, when people think of software supply chain security, It's very typical, and they do typically think of CVs and malware and other traditional security and nasties. But the availability of the software components you rely on is also vital. If you can't access the items that are part of your software bill of materials, your SBOM, if you can't access those items that you need to build your software, your supply chain is broken and you can't build.

[00:14:04] **Dan McKinney:** Thank you. or deploy. So isolation protects you from issues with upstream availability. So it's important to use tools that can cache packages from upstream sources and in doing so you effectively remove your reliance on the availability of that source. And this has knock on effects on your ability to control the consumption of artifacts that may have vulnerabilities.

[00:14:36] **Dan McKinney:** It allows you to pull packages from public sources into, into a sort of quarantine where you can then run your scans and checks and all of your security processes against these packages. And once those checks and security processes pass, you can then promote those packages to another repository that only then contains approved, cleared packages.

[00:15:07] **Dan McKinney:** At Cloudsmith, we call this a package promotion workflow. And again, the tooling needs to and should support this. and enable you to automate it as well. Automation is key. Now this does even extend to simpler cases like take for example, if, if If the licensing terms just change for a package again, that isolation, it protects you from this until you can respond appropriately.

[00:15:43] **Dan McKinney:** And with those cash packages, you'll still have previous older versions of a package. It won't last forever, but maybe buy you some time to put a process in place where you can address that. So I suppose in short, isolation, it really enables you to be a curator of packages, not just a consumer of packages.

[00:16:12] **Dan McKinney:** So what then does that leave us with? After you can control and prove package provenance, after you have isolated yourself from public package repositories, You then need to effectively deliver these artifacts and packages to your users, processes, and systems. And that brings us to our next point.

[00:16:37] **Dan McKinney:** Acceleration.

[00:16:42] **Dan McKinney:** So acceleration, what is acceleration? That's being able to accommodate all users and build systems in an equally performant way, regardless of geographic location. So cloud native tooling here is all about. It's all about leveling that playing field for all participants, enabling the processes to work effectively for all involved.

[00:17:12] **Dan McKinney:** That means systems and processes that support all the different package and artifact types natively. integrating with native client package management tooling in a performant and efficient way. Now, not all package, not all package formats or package management tools are equal in this regard. Some package protocols are, are very noticeably chattier and less efficient than others.

[00:17:42] **Dan McKinney:** So you need things like the ability to accelerate. index creation in repositories. I, I need, you know, ideally done dynamically to deliver packages to the edge at speed. Then what is the edge? Well, the edge is what we at Cloudsmith have termed a package delivery network. It's effectively a smart CDN. It's built specifically for the distribution of software packages, artifacts, and container images.

[00:18:25] **Dan McKinney:** It's context aware. It knows that handling specific package protocols, uh, it knows that it is handling those package protocols and it deploys as much logic to the edge nodes themselves. as possible. And maybe the best example here is authentication and authorization. So by performing authentication and authorization at the edge nodes themselves, pushing that application logic out there, this accelerates the delivery of packages from the edge cache, meaning that globally distributed development teams.

[00:19:05] **Dan McKinney:** And users or customers or deployment processes all get efficient, low latency performance. And it's a vital component of a continuous packaging process at scale. So if this has sounded interesting, you're interested in continuous packaging and some of the benefits. How do you actually get started? What steps do you need to take?

[00:19:35] **Dan McKinney:** Well, the good. No, I'll rephrase that. The great news here. Is that you have likely already started without even realizing it. You're not starting from a blank page. And that's because package management itself is the foundation. And if you have any kind of CI or CD processes in place, then you are, of course, already consuming and producing packages all the time.

[00:20:06] **Dan McKinney:** Continuous packaging itself. It's an extension or evolution of package management. It brings package management forward into the era of increased focus on supply chain security. So how you progress from where you are now is by employing new tooling to build upon the foundations you already have in place.

[00:20:32] **Dan McKinney:** Modern cloud native package management tooling that should enable you. To build these continuous packaging workflows and processes.

[00:20:44] **Dan McKinney:** So in summary, and as I mentioned earlier in the talk, continuous packaging gives your team security, control, visibility, and management over incoming assets and built assets. And I think the key takeaways here today are that continuous packaging enables provenance. It provides that chain of trust.

[00:21:08] **Dan McKinney:** Isolation. That gives you control and visibility and acceleration with a package delivery network that cloud native acceleration to accommodate distributed teams, users, and processes. Now, this is only going to become more, not less important. Software supply chain security is more important now than it ever was before.

[00:21:33] **Dan McKinney:** And it was always important even to begin with. And with that, I'll finish. Thanks so much for taking the time to watch and listen. If you'd like to learn more about Continuous Packaging, do please feel free to reach out to me or come and chat to the team at Cloudsmith. We're always happy to discuss software supply chain security, continuous packaging, and package management in general.

[00:22:02] **Dan McKinney:** And we would love to hear your thoughts, input, and feedback. So thanks again, and I hope that you enjoy the rest of your day.



Cloudsmith Events

Typosquatting & Slopsquatting: Detecting and defending against malicious packages

More Trust, Less Boo! Haunt-Free Deployments with Cloudsmith & Kusari

Lessons from the npm Attack: How to Secure Dependencies with Artifact Management

From CVE Scores to Action: Enforcing Artifact Management Policies in OPA