Secure your CI/CD pipeline with Cloudsmith and Chainguard. This session will show you how to embed native artifact signing and enforce security policies within your workflows, enabling fast, trusted shipping without compromise.

Manfred Moser

Senior Principal Developer Relations Engineer

Liana Ertz

Product Manager

Mark McMurray

Senior Software Engineer

Join us for a hands-on session on securing modern CI/CD pipelines through native signing and real-time policy controls.
With software supply chain threats escalating, it’s critical to ensure only trusted, verifiable artifacts reach production. This session will show you how to integrate signing, provenance tracking, and policy checks directly into your CI/CD workflows - without slowing down delivery. 

See how Cloudsmith and Chainguard are advancing DevSecOps with end-to-end artifact security, SBOM integration, and policy-driven CI/CD pipelines. You’ll leave with actionable tools and proven strategies to harden your pipeline and ship with confidence.

Unlocking Software Integrity: Native Signing & Policy Enforcement

Chainguard

CI/CD

Signatures

Security

The recent npm supply chain attack was a wake-up call: open source dependencies are a critical risk vector. If your organization isn’t actively securing the way you source, store, and distribute software artifacts, you’re exposed.

Cristian Garcia

Senior Customer Success Manager

Gwen Burchell

Engineering Manager

The recent npm supply chain attack was a wake-up call: open source dependencies are one of the most critical risk vectors facing modern software teams. High-profile incidents like the npm cryptocurrency attack and the S1ngularity/nx breach have made it clear that vulnerabilities don’t just come from the code you write, they often hide in the transitive dependencies your applications rely on.

If your organization isn’t actively securing how you source, store, and distribute software artifacts, you’re exposed. And while you can’t stop attackers from trying, you can prepare to minimize risk and disruption when the next breach inevitably happens.

In this webinar, we’ll explore what these attacks revealed about dependency risk, why practices like lockfiles and dependency pinning matter, and how to build resilience with approaches like Continuous Security and Verified Registries. You’ll also see how Cloudsmith helps teams automatically mitigate malware and vulnerabilities, so you can stay ahead of threats without slowing development.

Lessons from the npm Attack: How to Secure Dependencies with Artifact Management

Not every CVE is worth chasing. In this webinar, we’ll show how to combine CVSS severity with EPSS exploitability inside Open Policy Agent (OPA) to automatically quarantine the vulnerabilities that matter most. 

Nigel Douglas

Head of Developer Relations

Vulnerability management isn’t about patching everything - it’s about patching what actually matters. CVSS gives you severity. EPSS gives you probability. Together, they let you prioritize risk in a way that reflects real-world exploitation, not just theoretical impact.</>

In this session, we’ll show how to integrate EPSS and CVSS into Open Policy Agent (OPA) to automatically quarantine packages that cross defined thresholds. Using Rego, you’ll learn how to encode risk-based policies that block high-severity, high-likelihood vulnerabilities before they hit production - without slowing down development workflows.

From CVE Scores to Action: Enforcing Artifact Management Policies in OPA

Sofware supply chain security

Vulnerability Management

Artifact management is now central to secure software delivery - but AI, compliance, and scale are raising the stakes. Join us live as we unpack key insights from the 2025 Artifact Management Report and explore how teams are adapting to this fast-changing landscape.

The software development landscape is undergoing a major transformation driven by the rise of AI and automation. While these technologies offer incredible speed and innovation, they also introduce new pressures - demanding that software delivery be faster, more secure, and fully compliant with evolving global regulations.
Drawing on insights from over 300 engineering, DevOps, and security professionals, this webinar will examine how leading organizations are rethinking their artifact infrastructure to meet these modern challenges. From securing pipelines to navigating compliance, we’ll dive into the practical steps teams are taking to adapt.
We'll gain deeper insight into the challenges users face in securing AI-driven pipelines, especially as threats like AI malware hidden in unvetted dependencies (e.g., through manipulation techniques like slopsquatting) continue to emerge. We'll also explore developers' concerns around scalability, performance, and the security limitations of today’s artifact management systems.
In addition, we’ll cover how organizations are aligning with regulatory frameworks like SLSA, DORA, and the EU CRA by building in traceability, auditability, and automated policy enforcement. Finally, we’ll look at strategies for enabling cross-functional collaboration, while still maintaining strict governance, visibility, and control over the entire software supply chain.

 From AI to Scalability: 2025 Trends in Artifact Management

2025 Artifact Management Report

artifact management

SLSA

DORA

NIS2

Software supply chain security is critical, yet artifact management often goes overlooked. Join Docker and Cloudsmith in this live webinar to explore how teams are securing the artifact lifecycle and staying ahead of evolving threats.

Michael Donovan

VP Product

Ralph McTeggart 

Principal Engineer

Jack Gibson

Containerized software and artifact management processes and technology have become soft spots in your software supply chain security — and attackers know it. From compromised CI/CD workflows to malicious open source packages, the threat surface has expanded — and attackers are increasingly targeting containers, registries, and build pipelines. Yet, many organizations still rely on default configurations, public registries, and unsigned packages — leaving critical blind spots in their security posture.

In this live session, Michael Donovan (VP of Product, Docker), Ralph McTeggart (Principal Engineer, Cloudsmith), and Jack Gibson (Senior Software Engineer, Cloudsmith) will walk through how leading teams are securing their software supply chains — with a sharp focus on artifact management. You’ll get a front-line view of how threats are evolving, how cybersecurity is reshaping security priorities, and what real-world strategies teams are using to lock down the full artifact lifecycle.

Topics will include
<ol>
<li>How attackers are targeting the software supply chain — and where your blind spots are; from tampered images to compromised CI/CD workflows, we’ll unpack real-world examples of how artifacts are being exploited — and why containers, public registries, and unsigned packages are common weak points</li>
<li>What a secure artifact lifecycle looks like in practice; learn the technical building blocks of a secure pipeline: signing, provenance via SLSA, tamper-proof storage, and enforcing policies without adding friction to dev workflows</li>
<li>How SBOMs and attestations create real visibility and trust. We’ll show how to integrate SBOMs and signed metadata into your pipeline for traceability — without slowing teams down</li>
<li>How to move toward zero-trust for artifacts - explore how forward-thinking teams are adopting cryptographic verification, trusted sources, and immutable audit logs to lock down the full software delivery process</li>
</ol>

Unlocking Software Integrity: Native Signing & Policy Enforcement

Things you'll learn

Speakers

Summary

Lessons from the npm Attack: How to Secure Dependencies with Artifact Management

From CVE Scores to Action: Enforcing Artifact Management Policies in OPA

From AI to Scalability: 2025 Trends in Artifact Management

State of the Union: Modern security approaches for the Software Supply Chain