Block vulnerable packages at the gate.
Traditional scanning flags a problem after the package is already in your registry. Cloudsmith enforces policy at ingestion, blocking before a vulnerable artifact reaches a developer.
The Cloudsmith difference
- Policy enforcement at ingestion: Rules run when a package arrives, not after it lands. Vulnerable packages are quarantined or blocked before any developer can pull them. No manual triage step. No report to act on.
- One platform for every format: Packages, Docker images, Helm charts, NuGet, PyPI and many more, all in a single registry with consistent policy enforcement across every format. No more splitting tooling between Nexus and Artifactory.
- No infrastructure to manage: Cloudsmith is fully managed. No servers to patch. No upgrades to schedule. Your security and platform teams apply controls; they don't operate the infrastructure those controls run on.
The gap between scan and enforcement
Traditional tools scan packages after they enter the registry. By the time a vulnerability report is generated, the package is already available to developers. Someone has to read the report, identify which packages are affected, find every team consuming them, assess blast radius, and coordinate remediation. That process is manual, slow, and error-prone, and repeats every time a new CVE is disclosed.
Cloudsmith enforces policy before a package is consumable. Vulnerable artifacts are quarantined or blocked at ingestion. There is no report loop because the problem is stopped at the point of entry.
Your current solution: Scans run after the package is already in the registry. There is a gap between a package arriving and a vulnerability being flagged.
With Cloudsmith: Policy runs at the point of ingestion. A package that violates the rules is quarantined immediately. Developers never see it.
Your current solution: Nexus IQ generates a report. An engineer reads it, works out which packages are affected, identifies every consuming team, and coordinates remediation manually. This happens every time a new CVE lands.
With Cloudsmith: Cloudsmith quarantines the package automatically. Security teams review the quarantine queue and decide to release or permanently block. The workflow is defined by policy, not improvised per incident.
Your current solution: Tracing blast radius is a manual process. Application teams are left to investigate it themselves, inconsistently, every time.
With Cloudsmith: Cloudsmith gives you a dependency graph across every package in every repository. When a CVE is disclosed, you know immediately which packages are affected and which teams have pulled them.
Your current solution: Nexus handles packages. Artifactory handles Docker. Two platforms, two access models, two sets of policies to maintain, two audit trails to reconcile. Consistent enforcement across both is a manual effort.
With Cloudsmith: One platform handles packages, Docker images, and every other format your teams produce and consume. Policy is defined once and applied consistently across all of them. One audit trail, one access model, one set of controls.
Security controls that run at ingestion
Cloudsmith's Enterprise Policy Manager uses OPA Rego to define rules as code. When a package arrives, those rules run before the package is made available to developers. A package that violates a CVSS threshold is quarantined immediately. A package with a prohibited license is blocked automatically.
Security teams define the rules once; Cloudsmith then enforces them everywhere, across every format, every repository, and every team.
- Policies written in OPA Rego: version-controlled, reviewable, and applied consistently across every repository
- Packages violating severity thresholds are quarantined automatically on arrival
- Security teams review the quarantine queue and release or block - no manual triage of ad-hoc reports
- License compliance violations are caught at ingestion
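As an added example of what "rules as code" looks like for the two checks above, here is a Rego module that quarantines on a CVSS threshold and blocks on a prohibited license. It is illustrative, not Cloudsmith's own policy, and it is not written against Cloudsmith's documented policy input schema: the field names (`input.package.licenses`, `input.vulnerabilities[].cvss`), the threshold, the license list and the exemption table are all assumptions, and `EXAMPLE-0001` in the comment is a constructed placeholder, not a real CVE identifier.

```rego
package cloudsmith.gate

import rego.v1

# Assumed input document shape (hypothetical; Cloudsmith's real schema may differ):
# {
#   "package": {"name": "left-pad", "version": "1.3.0", "format": "npm",
#               "licenses": ["MIT"]},
#   "vulnerabilities": [{"id": "EXAMPLE-0001", "cvss": 9.8, "fixed_in": "1.3.1"}]
# }

# Fail open only when no rule fires; every quarantine or block carries a reason.
default action := "allow"

# Example threshold: CVSS 7.0 and above (High/Critical) goes to the quarantine queue.
cvss_quarantine_threshold := 7.0

# Example denylist of SPDX identifiers that this organisation does not accept.
prohibited_licenses := {"AGPL-3.0-only", "SSPL-1.0"}

# Time-boxed exemptions keyed by vulnerability id (constructed example data).
# An exemption that lapses re-triggers quarantine on its own; nobody has to
# remember to remove it.
exemptions := {"EXAMPLE-0001": "2025-01-31T00:00:00Z"}

# An exemption only counts while its expiry is still in the future.
exempt(id) if {
	expires := exemptions[id]
	time.parse_rfc3339_ns(expires) > time.now_ns()
}

# Quarantine: any finding at or above the threshold without a live exemption.
quarantine_reasons contains reason if {
	some v in input.vulnerabilities
	v.cvss >= cvss_quarantine_threshold
	not exempt(v.id)
	reason := sprintf("%s scores CVSS %.1f (threshold %.1f)", [v.id, v.cvss, cvss_quarantine_threshold])
}

# Block: a prohibited license is not something a reviewer can "release",
# so it is a hard block rather than a quarantine.
block_reasons contains reason if {
	some lic in input.package.licenses
	lic in prohibited_licenses
	reason := sprintf("license %s is prohibited", [lic])
}

# Block outranks quarantine; quarantine outranks the default allow.
action := "block" if count(block_reasons) > 0

action := "quarantine" if {
	count(block_reasons) == 0
	count(quarantine_reasons) > 0
}

# One object for the audit log: the decision plus every reason behind it.
decision := {
	"action": action,
	"package": sprintf("%s@%s", [input.package.name, input.package.version]),
	"reasons": block_reasons | quarantine_reasons,
}
```

To try it offline, save the module as `gate.rego`, the commented JSON as `input.json`, and run `opa eval -d gate.rego -i input.json 'data.cloudsmith.gate.decision'`; with the sample input the result is `"quarantine"` (the exemption has already expired, so the 9.8 finding counts). Two design points worth keeping when writing real policy: return the reasons alongside the verdict so the quarantine queue and the audit trail show why a package was stopped, and give exemptions an expiry so a temporary risk acceptance cannot silently become permanent.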
Quarantine is a hard gate
Quarantine isn't a label applied to a package that developers can still pull. It is a hard gate. A quarantined package is inaccessible to developers: it does not appear in search results and can't be resolved as a dependency. A developer pulling that package gets a resolution failure, not a silent warning.
When a CVE is newly disclosed, Cloudsmith rescans existing packages against the updated database. Packages that now violate policy are quarantined automatically and developers are told why.
- Packages matching policy violations are quarantined on arrival — inaccessible to developers until reviewed
- Security teams release or permanently block from a single queue
- Continuous rescan means newly disclosed CVEs trigger quarantine retroactively across existing packages
- Full audit log captures every quarantine event, decision, and actor
- Malware detection runs alongside CVE scanning — both at ingestion
For AppSec and DevSecOps teams
The controls your security team needs. Without the infrastructure.
Cloudsmith gives your AppSec and DevSecOps teams the controls to enforce security consistently across your software supply chain — without adding operational overhead or requiring developers to change how they work.
Dependency graph visibility
Cloudsmith's dependency graph shows every package in every repository, what it depends on, and which teams are consuming it. When a CVE lands, you know the blast radius immediately. No manual investigation, no cross-team interviews.
Full audit trail
Every push, pull, policy trigger, quarantine event, and configuration change is logged with full context — who, what, when, from where. Client logs and audit trails export to your SIEM or S3. Compliance and incident response have the evidence they need.
Continuous vulnerability scanning
Cloudsmith scans against multiple vulnerability data sources, not just NVD. Continuous rescan means your repositories stay current as new CVEs are disclosed — no manual sweep required, and no reliance on a single feed with known backlog issues.
Migration
Migration is a solved problem.
Cloudsmith's customer onboarding team runs a structured migration path that makes migrating off Nexus and Artifactory a smooth, predictable process.
Other engineering organizations have run it in phases, without downtime, using our dedicated support team to design and manage the transition.
Repository structure mapping
Cloudsmith maps your existing Nexus and Artifactory repository structure format by format, with metadata preserved.
Phased artifact transfer, no downtime
Artifacts migrate in phases. Your teams continue resolving from existing registries until each repository is cut over. No big-bang migration, no forced downtime window.
Pipeline and credential migration
CI/CD pipelines, environment variables, and package manager configuration are updated to point to Cloudsmith endpoints. Upstream proxying means public dependencies resolve through Cloudsmith from day one.
Dedicated onboarding support
Cloudsmith's onboarding team works with your security and platform engineers through every stage. Named contacts, agreed deadlines, and regular check-ins — not self-serve documentation.