---
title: "Policy enforcement at ingestion, not after the fact | Cloudsmith for Intact Financial"
description: "Intact Financial's security teams need policy enforcement at artifact ingestion, not after the fact. Cloudsmith replaces the Nexus IQ report loop with automated quarantine and blocking — before a vulnerable package reaches a developer."
canonical_url: "https://cloudsmith.com/loves/intact-financial"
last_updated: "2026-06-08T10:53:02Z"
---
# Policy enforcement at ingestion, not after the fact | Cloudsmith for Intact Financial

Cloudsmith for Intact Financial

## Block vulnerable packages at the gate. 

Traditional scanning flags a problem after the package is already in your registry. Cloudsmith enforces policy at ingestion, blocking before a vulnerable artifact reaches a developer.

[Talk to the team](/company/contact-sales)

[See how policy enforcement works](/product/software-supply-chain-security)

## The gap between scan and enforcement

Traditional tools scan packages after they enter the registry. By the time a vulnerability report is generated, the package is already available to developers. Someone has to read the report, identify which packages are affected, find every team consuming them, assess blast radius, and coordinate remediation. That process is manual, slow, and error-prone, and repeats every time a new CVE is disclosed.

Cloudsmith enforces policy before a package is consumable. Vulnerable artifacts are quarantined or blocked at ingestion. There is no report loop because the problem is stopped at the point of entry.

| Your current solution | With Cloudsmith |

| --- | --- |

| Scans run after the package is already in the registry. There is a gap between a package arriving and a vulnerability being flagged. | Policy runs at the point of ingestion. A package that violates the rules is quarantined immediately. Developers never see it.  |

| Nexus IQ generates a report. An engineer reads it, works out which packages are affected, identifies every consuming team, and coordinates remediation manually. This happens every time a new CVE lands. | Cloudsmith quarantines the package automatically. Security teams review the quarantine queue and decide to release or permanently block. The workflow is defined by policy, not improvised per incident. |

| Tracing blast radius is a manual process. Application teams are left investigate this themselves, inconsistently, every time. | Cloudsmith gives you a dependency graph across every package in every repository. When a CVE is disclosed, you know immediately which packages are affected and which teams have pulled them. |

| Nexus handles packages. Artifactory handles Docker. Two platforms, two access models, two sets of policies to maintain, two audit trails to reconcile. Consistent enforcement across both is a manual effort. | One platform handles packages, Docker images, and every other format your teams produce and consume. Policy is defined once and applied consistently across all of them. One audit trail, one access model, one set of controls. |

## Security controls that run at ingestion

Cloudsmith's Enterprise Policy Manager uses OPA Rego to define rules as code. When a package arrives, those rules run before the package is made available to developers. A package that violates a CVSS threshold is quarantined immediately. A package with a prohibited license is blocked automatically.
Security teams define the rules once, Cloudsmith then enforces them everywhere, across every format, every repository, and every team.

- Policies written in OPA Rego: version-controlled, reviewable, and applied consistently across every repository
- Packages violating severity thresholds are quarantined automatically on arrival
- Security teams review the quarantine queue and release or block - no manual triage of ad-hoc reports
- License compliance violations are caught at ingestion

[Learn how policy enforcement works](/product/software-supply-chain-security)

## Quarantine is a hard gate

Quarantine isn't a label applied to a package that developers can still pull. It is a hard gate. A quarantined package is inaccessible by developers. It does not appear in search results and can't be resolved as a dependency. A developer pulling that package gets a resolution failure, not a silent warning.

When a CVE is newly disclosed, Cloudsmith rescans existing packages against the updated database. Packages that now violate policy are quarantined automatically and developers are told why.

- Packages matching policy violations are quarantined on arrival — inaccessible to developers until reviewed
- Security teams release or permanently block from a single queue
- Continuous rescan means newly disclosed CVEs trigger quarantine retroactively across existing packages
- Full audit log captures every quarantine event, decision, and actor
- Malware detection runs alongside CVE scanning — both at ingestion

[See quarantine and blocking in action](/product/software-supply-chain-security)

For AppSec and DevSecOps teams

## The controls your security team needs. Without the infrastructure.

Cloudsmith gives your AppSec and DevSecOps teams the controls to enforce security consistently across your software supply chain — without adding operational overhead or requiring developers to change how they work.

### Dependency graph visibility

Cloudsmith's dependency graph shows every package in every repository, what it depends on, and which teams are consuming it. When a CVE lands, you know the blast radius immediately. No manual investigation, no cross-team interviews.

### Full audit trail

Every push, pull, policy trigger, quarantine event, and configuration change is logged with full context — who, what, when, from where. Client logs and audit trails export to your SIEM or S3. Compliance and incident response have the evidence they need.

### Continuous vulnerability scanning

Cloudsmith scans against multiple vulnerability data sources, not just NVD. Continuous rescan means your repositories stay current as new CVEs are disclosed — no manual sweep required, and no reliance on a single feed with known backlog issues.

Migration

## Migration is a solved problem.

Cloudsmith's customer onboarding team runs a structured migration path that makes migrating off Nexus and Artifactory a smooth, predictable process.
 Other engineering organizations have run it in phases, without downtime, using our dedicated support team to design and manage the transition.

[Talk to our team about migration](/company/contact-sales)

### Repository structure mapping

Cloudsmith maps your existing Nexus and Artifactory repository structure format by format, with metadata preserved.

### Phased artifact transfer, no downtime

Artifacts migrate in phases. Your teams continue resolving from existing registries until each repository is cut over. No big-bang migration, no forced downtime window.

### Pipeline and credential migration

CI/CD pipelines, environment variables, and package manager configuration are updated to point to Cloudsmith endpoints. Upstream proxying means public dependencies resolve through Cloudsmith from day one.

### Dedicated onboarding support

Cloudsmith's onboarding team works with your security and platform engineers through every stage. Named contacts, agreed deadlines, and regular check-ins — not self-serve documentation.

## Customers love Cloudsmith

[Read reviews on G2](https://www.g2.com/products/cloudsmith/reviews)

## See what Cloudsmith looks like in Intact Financial's environment

Policy enforcement at ingestion. Quarantine and blocking for vulnerable packages. One platform for every format your teams use. Talk to our team and we'll show you exactly how it replaces the current reporting loop.

[Explore supply chain security](/product/software-supply-chain-security)

[Talk to the team](/company/contact-sales)
