Your pipelines are secured. What about everything upstream?

Cloudsmith governs what enters your cloud platform – so every dependency meets your security and compliance standards before a developer touches it.

How Cloudsmith can help MAPFRE

  1. Be ready for the EU Cyber Resilience Act
    Automated SBOM generation, vulnerability tracking, and full audit trails built into the platform, not bolted on at the compliance deadline.
  2. Block threats before they reach your developers
    Cloudsmith scans every upstream dependency for malware and CVEs – quarantining or blocking anything that doesn't pass before a build runs.
  3. Centralize policy across every team and geography
    Define your rules once. Cloudsmith enforces them across every team, every format, and every pipeline – no local overhead required.

The Cloudsmith difference

Your security investment is real. But every tool in your stack operates after a dependency has already entered your environment. Cloudsmith governs what enters – so the rest of your controls work on a cleaner foundation.
Your current solution: Dependencies enter your environment before your scanning tools see them.
With Cloudsmith: Cloudsmith scans and blocks at the entry point – before a build runs.

Your current solution: Security policy varies across teams and regions.
With Cloudsmith: One policy, defined centrally, applies across every team, format, and pipeline.

Your current solution: No automated SBOM generation ahead of the CRA reporting deadline.
With Cloudsmith: Cloudsmith generates SBOMs and maintains the audit trails the CRA requires.

Your current solution: AI-recommended dependencies enter your supply chain unverified.
With Cloudsmith: Every AI-recommended package passes through the same governance controls as any other artifact.

Don't just identify threats. Block them.

SAST scanning, dynamic testing, hard gating on CVEs – these are the right controls. But they all operate inside the pipeline. They catch problems after a dependency has already entered your environment. The gap is upstream. Every open-source package, third-party artifact, and AI-recommended dependency that enters your development environment is a potential risk – before your scanning tools ever see it. Across 2,000+ cloud accounts and 30+ countries, that adds up fast. Cloudsmith sits at the entry point. It governs what enters, enforces policy before a build runs, and gives your central architecture team control – regardless of where the consuming team is based.
  • Scan every upstream dependency for malware and CVEs before it reaches your developers
  • Quarantine or block non-compliant packages before a build runs
  • Enforce policy at the point of entry, not after the fact
  • Give your central team control over what enters across every format and region

AI is accelerating your development. It's also accelerating your attack surface.

MAPFRE uses generative AI at scale – from AI-assisted development tooling to an internal platform serving developers across 25 countries. That introduces a category of supply chain risk most organizations haven't yet addressed. The answer isn't to slow AI adoption. Cloudsmith makes sure it doesn't come at the cost of supply chain security.

Upstream dependency scanning

Cloudsmith scans every AI-recommended package for malware and CVEs before it reaches your developers.

Policy-based blocking

Packages that don't meet your standards get blocked before a build runs – regardless of how they were recommended.

Consistent governance

The same rules apply to AI-generated dependencies as any other artifact entering your supply chain.

AI tooling visibility

See what your AI development tools pull into your environment, where it comes from, and whether it meets your policy.

Five capabilities. One platform.

Cloudsmith gives your architecture team control over what enters your supply chain, how it's governed, what's in it, and how it gets to people.

Centralize policy enforcement across distributed teams

MAPFRE is moving toward centralized security services and an "insurance platform as a service" model – where the central team defines the platform and country teams consume from it. Cloudsmith's Enterprise Policy Manager is built for this model. Define your vulnerability policies, license restrictions, and compliance rules once. Cloudsmith enforces them across every team, every format, every pipeline. Update a policy once. It applies everywhere.

A dependency firewall for your supply chain

Cloudsmith proxies all upstream open-source consumption through a governed layer. It scans every package for malware and CVEs before it reaches your developers. Non-compliant, vulnerable, or suspicious artifacts get quarantined or blocked before a build runs – not flagged after the fact. As your migration accelerates and AI-assisted development scales, the attack surface grows. Cloudsmith gives your InfoSec and architecture teams a governed entry point – and control over what passes through it.
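As an added illustration of the entry-point gate described here and of the "define once, enforce everywhere" policy model in the section above (example code, not Cloudsmith's own): one policy object is evaluated against every incoming package, whatever its format or how it was recommended, and the decision is returned together with its reasons so it can be written to an audit trail. Package names and CVE ids are constructed placeholders.

```python
# Added example, not Cloudsmith's code: a minimal entry-point policy gate.
# One Policy is defined once and applied to every package before a build sees it.
from dataclasses import dataclass, field

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Package:
    name: str
    version: str
    fmt: str                      # npm, maven, pypi, nuget, docker, ...
    license: str
    cves: list = field(default_factory=list)  # [(cve_id, severity), ...]
    malware: bool = False         # result of the upstream malware scan
    source: str = "developer"     # "developer" or "ai-assistant"; must not matter


@dataclass
class Policy:
    block_at: str = "critical"    # block at or above this severity
    quarantine_at: str = "high"   # quarantine at or above this severity
    allowed_licenses: frozenset = frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})


def evaluate(pkg, policy):
    """Decide allow / quarantine / block and return the audit reasons with it."""
    if pkg.malware:
        return "block", ["malware detected by upstream scan"]
    worst = max((SEVERITY_RANK[sev] for _, sev in pkg.cves), default=0)
    if worst >= SEVERITY_RANK[policy.block_at]:
        ids = [c for c, s in pkg.cves if SEVERITY_RANK[s] >= SEVERITY_RANK[policy.block_at]]
        return "block", [f"{policy.block_at}-or-above CVEs: {', '.join(ids)}"]
    reasons = []
    if pkg.license not in policy.allowed_licenses:
        reasons.append(f"license {pkg.license} not in allow-list")
    if worst >= SEVERITY_RANK[policy.quarantine_at]:
        reasons.append(f"{policy.quarantine_at}-or-above CVE present")
    return ("quarantine" if reasons else "allow"), reasons


def gate(packages, policy):
    """Apply the single policy to every package; only 'allow' reaches a build."""
    return {f"{p.fmt}:{p.name}@{p.version}": evaluate(p, policy) for p in packages}


# Constructed sample inventory; CVE ids are placeholders, not real advisories.
SAMPLE = [
    Package("left-pad", "1.3.0", "npm", "MIT"),
    Package("oldlib", "0.9.1", "pypi", "MIT", cves=[("CVE-0000-0001", "high")]),
    Package("netfw", "2.2.0", "maven", "Apache-2.0", cves=[("CVE-0000-0002", "critical")], source="ai-assistant"),
    Package("viral-util", "4.0.0", "nuget", "AGPL-3.0"),
    Package("typo-squat", "1.0.0", "npm", "MIT", malware=True, source="ai-assistant"),
]
```

Running `gate(SAMPLE, Policy())` admits only `left-pad`; the AI-recommended packages are judged by exactly the same rules as the rest.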

Supply chain visibility and SBOM generation

Cloudsmith gives you a view of every artifact in your supply chain: what it is, where it came from, which projects depend on it, and whether it meets your current policy standards. Cloudsmith signs artifacts and traces every dependency. It generates Software Bill of Materials (SBOM) reports – giving your compliance and governance teams the evidence chain they need for audits, regulatory submissions, and incident response.

Global distribution without the overhead

Cloudsmith replicates artifacts across regions automatically. Teams in the US, Spain, Latin America, and beyond get fast, reliable access to the packages they need – without anyone configuring infrastructure or managing availability. For an organization operating across 30+ countries, that matters. Your developers get consistent performance wherever they are. Your architecture team doesn't manage the infrastructure that delivers it.

Multi-format artifact management

Cloudsmith supports npm, Helm, Maven, Python, NuGet, Docker, and more – all within a single platform. Teams stop juggling fragmented repositories across formats and get a consistent, governed experience regardless of what they're building with. For a development organization operating across multiple languages, frameworks, and geographies, that consistency matters. One set of policies. One source of truth. Every format covered.

The CRA reporting window opens in September 2026. The migration is happening now.

The EU Cyber Resilience Act entered into force in December 2024. Reporting obligations apply from 11 September 2026 – six months away. Main compliance obligations follow in December 2027. For an organization like MAPFRE, with software development operations across the EU and a central architecture function in Spain, the CRA creates specific obligations: demonstrable software supply chain controls, SBOM generation, vulnerability disclosure processes, and evidence of security practices throughout the development lifecycle. MAPFRE is migrating to the cloud right now. The controls you put in place during this migration will serve as your compliance posture for years to come. Build artifact governance in now. Retrofitting it later costs more – in time and in risk. Cloudsmith supports CRA compliance: SBOM generation, policy enforcement with audit trails, vulnerability management with documented remediation, and package provenance tracking – all native to the platform.
  • Fully managed architecture
  • Globally-distributed content delivery
  • Highly-available
The most important capability for us is the ability to quarantine and block vulnerable artifacts. Ease of access to vulnerability information - and the ability to act on it - has been the biggest change for us. Our internal governance scores continue to improve, and Cloudsmith has been a major contributor to that. We’re a stone’s throw away from having zero high or critical vulnerabilities in our supply chain.

Rich Dammkoehler

VP Architecture & Governance @ ConstructConnect

Before

ConstructConnect's InfoSec team demanded stronger supply chain security controls – but their tooling couldn't deliver. Vulnerability scanning existed, but enforcing policy compliance across a fragmented artifact estate was manual and inconsistent. Development teams spent time on pipeline workarounds instead of shipping features. With over 100 engineers working across npm, Helm, Maven, Python, NuGet, and Docker, the lack of centralized governance created real risk – and real overhead.

With Cloudsmith

ConstructConnect deployed Cloudsmith's Enterprise Policy Manager to automate quarantine and blocking of non-compliant and vulnerable packages. Vulnerability scanning, license scanning, package signing, and SBOM generation became part of every pipeline – not a separate compliance exercise. Only artifacts that pass scanning reach development teams. Multi-format repositories replaced a fragmented estate of individual repositories, cutting management overhead across the team.

Results
  • Governance scores improved quarter on quarter
  • Near-zero high and critical vulnerabilities across the supply chain
  • InfoSec team gained the visibility to act on vulnerabilities, not just identify them
  • Developers moved from managing pipeline workarounds to delivering features
  • Every artifact reaching production is verified and compliant