Private registries for PyPI, Docker, and Helm. Security policy that scales

ElevenLabs ships fast and hires faster. Cloudsmith gives the security team the controls to keep up, without getting in the way of engineering.

Book a 20-minute call
See how it works

What Cloudsmith gives ElevenLabs

  1. Private registries for 30+ formats
    One platform for the artifact formats ElevenLabs already uses. Engineers point at Cloudsmith instead of public registries. The workflow stays the same; the control improves.
  2. Policy enforcement at ingestion
    Vulnerability scanning on every package pushed or proxied. OPA Rego-based policy blocks non-compliant packages across every format before they reach any build. Define the rules once; Cloudsmith applies them everywhere.
  3. A complete audit trail
    Every package pull, every version, every user, logged with full context. This is essential when enterprise customers ask questions about supply chain practices, and indispensable when investigating an incident.

Going from a startup to 900 engineers in three years creates an artifact management challenge.

The further you get from a small team with shared context, the harder it is to know what's coming into your builds. New engineers onboard and start pulling from public PyPI, Docker Hub, and Helm repositories. There's no central point where policy gets applied, and no log of what came in from where. For ElevenLabs, this matters in two concrete ways. Your enterprise customers face strict supply chain compliance requirements, and that scrutiny flows to their vendors. As ElevenLabs distributes its own SDK, your packaging practices affect your customers' software supply chains. Cloudsmith gives the security team visibility and control over every artifact moving through the pipeline, without slowing down the engineers using it.

    What changes when security has a single control point for artifacts

    When 900 engineers pull packages from public registries, the attack surface grows with every new hire. These are the failure modes that accumulate quietly until something goes wrong.
    Before CloudsmithEngineers pull from public PyPI, Docker Hub, and Artifact Hub directly. Security has no log of what came in, from where, or which engineer pulled it. When something goes wrong, the investigation starts from scratch.
    With CloudsmithEvery package pull routes through Cloudsmith. Security sees every request: package name, version, user, timestamp, source registry. The audit trail is complete before anyone asks for it.
    Before CloudsmithVulnerability scanning happens in CI, if it happens at all. A malicious or vulnerable package can reach a build environment before any check runs. By that point, damage can happen and remediation can take days.
    With CloudsmithCloudsmith scans every package on ingestion against OSV, Trivy, and other vulnerability databases. A CVE-loaded package gets flagged before it reaches any engineer's build. Policy rules can quarantine it automatically.
    Before CloudsmithEngineers pull directly from public registries. A typosquatted package, a compromised upstream, or a PyPI outage all hit your pipelines directly. There's no buffer between public registries and your builds.
    With CloudsmithCloudsmith proxies and caches public registries on behalf of your engineers. Packages resolve through Cloudsmith, which means policy and scanning apply to upstream dependencies too.
    Before CloudsmithElevenLabs publishes its Python SDK to PyPI. Without a managed artifact pipeline, there's no automated policy check on what gets published, and no audit trail to show customers when they ask about your supply chain practices.
    With CloudsmithCloudsmith manages the publish pipeline for your SDK alongside your internal artifacts. Policy gates run before publication. The audit trail covers every version published. You have the information needed to answer your customers' questions.
    How Cloudsmith works for ElevenLabs

    Private registries. Upstream proxying. Policy enforcement.

    Cloudsmith supports PyPI, Docker, Helm, and more than 30 formats from a single platform. You get one control plane for every artifact format your teams use.

    Private PyPI, Docker, and Helm registries

    Engineers point at Cloudsmith instead of public registries. Their workflow doesn't change – pip install, docker pull – helm fetch, but every request now routes through a registry your security team controls.

    Upstream proxying and caching

    Cloudsmith proxies key registries on your behalf, caching packages locally. Engineers get fast resolution. Security gets a single point where policy applies to upstream dependencies.

    Automated vulnerability scanning

    Cloudsmith scans every package on ingestion and on push. Cloudsmith re-scans existing packages when new CVEs are disclosed. Security teams set policy thresholds; packages that breach them are quarantined automatically.

    Policy and license controls with OPA Rego

    Define rules for approved packages, license types, and vulnerability severity using OPA Rego. Rules are version-controlled and applied consistently across every team and repository in the organization.

    Full audit trail

    Every push, pull, and policy event is logged with full context: who, what, when, and from where. Logs export to S3 or Azure. When customers ask about your supply chain practices, the answers are ready.

    SBOM generation and package signing

    Cloudsmith generates SBOMs across your container images, giving your security team a live dependency inventory. Cloudsmith signs packages with GPG and PGP standards, so every consumer has confidence in provenance and integrity.

    Your SDK is part of your customers' supply chains.

    ElevenLabs publishes and maintains an SDK on PyPI. Every enterprise customer who installs elevenlabs is pulling an artifact from your supply chain into their environment. When your customers' security teams audit third-party SDKs, they're looking at package provenance, signing, vulnerability status, and publication history. If you can't answer those questions, the conversation gets uncomfortable. Cloudsmith manages SDK publication the same way it manages internal artifacts. Policy runs before anything is published. Every version is logged. Package signing covers provenance end-to-end. The audit trail is there before anyone asks for it.
    Fast-growing teams trust Cloudsmith
    Cloudsmith just works - whether it's failover, automation, or support. It's the first platform we've used that feels like a true partner in how we build and operate software.

    Michael Boldischar

    Software Engineering Manager @ Thrivent

    The challenge

    Thrivent relied on a single on-prem artifact server hosted in their data center. Geographically distributed teams experienced inconsistent package delivery, slow build times, and mounting infrastructure maintenance overhead.

    With Cloudsmith

    Teams no longer needed to maintain databases, optimize edge nodes, or manage on-prem infrastructure. Cloudsmith's high-concurrency architecture removed the bottlenecks that had been slowing pipelines during peak CI/CD demand.

    Results
    • Artifact-management-related incidents decreased by 62%
    • Significantly reduced infrastructure costs and maintenance overhead
    • Consistent, low-latency artifact access for distributed teams
    G2 logo
    Trusted by engineering and security teams at Fortune 500 companies.
    Momentum leaderLeaderHighest user adoption

    See what Cloudsmith looks like in ElevenLabs' environment

    Private PyPI, Docker, and Helm registries. Upstream proxying. Vulnerability scanning on every artifact. Policy enforcement before packages reach your builds. Book a 20-minute call and we'll show you how it works with your stack.