The artifact layer is where software trust happens

Cloudsmith is the enforcement layer at the point where packages enter Monzo's environment: policy-as-code on ingestion, with continuous re-evaluation as threat signals change.

Why this matters now

  1. Dependency surface area is outpacing governance
    Monzo's rapid growth increases the size of the attack surface and the governance problem. A centralized, standardized control layer can make this manageable.
  2. AI-assisted development introduces new risks
    AI coding tools pull packages no human chose. Hallucinated names, transitive imports from generated code, and higher pull velocity require enforcement at ingestion.
  3. A complex and changing legal environment
    Prepare for the CRA, and ensure DORA and UK regulation compliance with automated SBOM generation, artifact signing, and full audit trails.

Closing the enforcement gap

Monzo's pipeline security controls catch known vulnerabilities in code and dependencies. But those controls run only after your build tooling has already resolved a package – after it is already in the environment. Cloudsmith operates upstream of that point, enforcing policy at the registry before a dependency reaches any pipeline or cluster.
Your current position: Open-source dependencies enter your 1,600+ microservices before your scanning tools see them.
With Cloudsmith: Cloudsmith scans and blocks at the point of ingestion based on rules you set – before a package reaches your Kubernetes clusters or your pipelines.

Your current position: Security policy is applied inconsistently across Go, Python, JavaScript, Rust, Kotlin, Docker, Helm, and Terraform.
With Cloudsmith: One policy, defined centrally, applies across every format and every team – backend, mobile, data, and infrastructure.

Your current position: AI-assisted development pulls dependencies into your supply chain before any governance control sees them.
With Cloudsmith: Every AI-recommended package passes through the same policy controls as any other artifact entering your environment.

You've secured the perimeter. The supply chain is a different problem.

Modern software development runs on open source. Developers pull packages from public registries dozens of times a day, and AI coding tools accelerate that further – recommending dependencies, generating code that imports them, and compressing the time between "find a package" and "ship it to production". The problem is that every one of those packages enters your environment before your existing security controls see it. Pipeline scanners, code review, and application-layer controls are all downstream of the moment of ingestion. Cloudsmith operates upstream of all of them.
  • Block malicious packages before they reach your microservices or your GCP infrastructure
  • Protect against targeted attacks on Go, Python, and JavaScript ecosystems
  • Enforce a single policy across every format your teams ship in
  • Apply the same governance to AI-recommended dependencies as any other artifact

Cooldown policies

Packages your teams depend on, under active attack

Modern development moves fast. Packages are published continuously, and attackers exploit the window between publication and detection. Cloudsmith's cooldown policies hold newly published package versions in quarantine for a configurable period before they can reach any build system – structurally eliminating an entire class of attack that pipeline scanning cannot stop.

Axios – 100 million weekly downloads, March 2026

A North Korean state actor compromised the Axios npm account and published two malicious versions carrying a phantom dependency created less than 24 hours earlier. The malicious versions were live for roughly 3 hours – enough to compromise any pipeline running a fresh install. A cooldown policy would have blocked the phantom dependency at ingestion before it reached a single build.

Shai-Hulud / Mini Shai-Hulud – self-replicating npm worm, 2025–2026

An ongoing self-replicating npm worm steals maintainer credentials and publishes malicious versions of every package that maintainer controls – with valid provenance attestations, meaning integrity checks pass. Teams with cooldown policies active were not exposed. Teams relying on pipeline scanning alone were.
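As an added illustration (not Cloudsmith's code or API), the following evaluator models the two controls described in this section: a cooldown window that quarantines freshly published versions, and re-evaluation of an already-ingested version when a threat signal arrives later. The package names, the seven-day window, the timestamps and the `Policy` / `evaluate` / `run_scenario` names are all constructed assumptions. The timeline mirrors the account-takeover pattern above: a phantom dependency created hours earlier and a hijacked release that is live for a couple of hours.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Version:
    name: str
    version: str
    published_at: datetime
    # direct dependencies as (name, version) pairs (constructed data)
    dependencies: tuple = ()


@dataclass
class Policy:
    # how long a freshly published version stays quarantined (assumed value)
    cooldown: timedelta = timedelta(days=7)
    # (name, version) pairs flagged by a threat feed, possibly after ingestion
    blocked: set = field(default_factory=set)


def evaluate(pkg, policy, now, catalog, _seen=None):
    """Decide whether a version may leave the registry proxy.

    Returns (decision, reason) with decision in {"allow", "quarantine", "block"}.
    A threat signal beats the cooldown check, the cooldown check beats the
    dependency walk, and a dependency's decision propagates to every importer.
    """
    if _seen is None:
        _seen = set()
    key = (pkg.name, pkg.version)
    if key in policy.blocked:
        return "block", f"{pkg.name}@{pkg.version} flagged by threat feed"
    age = now - pkg.published_at
    if age < policy.cooldown:
        hours = int(age.total_seconds() // 3600)
        return "quarantine", (f"{pkg.name}@{pkg.version} published {hours}h ago; "
                              f"cooldown is {policy.cooldown.days}d")
    _seen.add(key)
    for dep_key in pkg.dependencies:
        if dep_key in _seen:
            continue  # already on the current evaluation path (cycle guard)
        dep = catalog.get(dep_key)
        if dep is None:
            return "block", f"unknown dependency {dep_key[0]}@{dep_key[1]}"
        decision, reason = evaluate(dep, policy, now, catalog, _seen)
        if decision != "allow":
            return decision, f"via {dep_key[0]}@{dep_key[1]}: {reason}"
    return "allow", f"{pkg.name}@{pkg.version} passed cooldown and dependency checks"


def run_scenario():
    """Constructed timeline: hijacked release pulling in a phantom dependency."""
    now = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)  # assumed clock
    catalog = {}

    def add(v):
        catalog[(v.name, v.version)] = v

    # Long-established release: well past cooldown, no dependencies.
    add(Version("web-client", "1.0.0", now - timedelta(days=60)))
    # Phantom dependency the attacker created 20 hours ago.
    add(Version("phantom-helper", "0.0.1", now - timedelta(hours=20)))
    # Hijacked release published 2 hours ago, importing the phantom package.
    add(Version("web-client", "1.0.1", now - timedelta(hours=2),
                dependencies=(("phantom-helper", "0.0.1"),)))

    policy = Policy()
    results = {}
    # Stage 1: a fresh install while the malicious version is live.
    results["old_release_now"] = evaluate(catalog[("web-client", "1.0.0")], policy, now, catalog)[0]
    results["hijacked_now"] = evaluate(catalog[("web-client", "1.0.1")], policy, now, catalog)[0]
    # Stage 2: cooldown has elapsed but no threat signal has arrived yet.
    later = now + timedelta(days=8)
    results["hijacked_after_cooldown"] = evaluate(catalog[("web-client", "1.0.1")], policy, later, catalog)[0]
    # Stage 3: the threat feed flags the phantom dependency; re-evaluating the
    # same version flips the decision although its own metadata never changed.
    policy.blocked.add(("phantom-helper", "0.0.1"))
    decision, reason = evaluate(catalog[("web-client", "1.0.1")], policy, later, catalog)
    results["hijacked_after_signal"] = decision
    results["reason_after_signal"] = reason
    return results


if __name__ == "__main__":
    for stage, outcome in run_scenario().items():
        print(f"{stage}: {outcome}")
```

Stage 2 is the point worth noticing: once the window expires, a cooldown on its own allows the hijacked release, so it buys detection time rather than providing a permanent verdict. Stage 3 is what turns that time into a block: because the proxy re-evaluates every version against current signals at each request, a flag that lands after ingestion still stops the package before the next build pulls it.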

Why Monzo's engineering organisation needs Cloudsmith

Every ecosystem is a separate attack surface. Manage them all with one policy.

A polyglot microservices architecture at Monzo's scale, under full banking regulation, creates a supply chain governance problem that generic DevOps tooling wasn't designed for. Each language ecosystem is a separate attack surface. Each one needs consistent policy. And every artifact that passes through your environment needs to be traceable for compliance. Cloudsmith was built for exactly this combination.

Polyglot at scale

Go dominates your backend, but your full estate spans a dozen languages and runtimes. Each one is a separate attack surface, with its own upstream registries and its own risk profile. Cloudsmith governs all of them from one platform – one policy, applied consistently, regardless of format.

Full banking regulation

Supply chain provenance, SBOM generation, and audit trails are no longer optional – they belong in your SDLC. Cloudsmith builds that evidence chain into every pipeline automatically, so it's ready for regulatory review without a separate compliance exercise.

Multi-cloud, Kubernetes-native

Cloudsmith integrates natively with your AWS and GCP environments, your Kubernetes workflows, and your existing container and Helm pipelines. Consistent policy across both platforms, with no additional DR configuration required.

30+ formats. One policy. Zero exceptions.

Go, Python, JavaScript, TypeScript, Rust, Kotlin, Java, Scala, Erlang, Swift, Objective-C, Docker, Kubernetes, Terraform. Each ecosystem is its own attack surface with its own registries and its own risk profile. Cloudsmith gives you a single governed layer across all of them – one policy, one audit log, one source of truth.

Go modules and Python packages

Cloudsmith proxies Go module downloads and PyPI consumption through a governed layer – scanning for malware and CVEs before any package reaches your build system.

npm, Docker, and Helm

JavaScript and TypeScript dependencies, container base images, and Helm charts all governed under the same policy. One set of rules across your frontend, backend, and Kubernetes infrastructure.

JVM and mobile ecosystems

Maven and Gradle for your Kotlin and Java services, CocoaPods and Swift Package Manager for iOS – all covered. Cloudsmith supports 30+ package formats with native tooling support.

Terraform providers and modules

Infrastructure-as-code is part of your supply chain too. Cloudsmith governs Terraform module consumption alongside your application dependencies – consistent policy from code to cloud.

Regulation is tightening. Supply chain controls need to keep pace.

The regulatory environment is tightening – new requirements arrive regularly, and compliance infrastructure has to scale alongside the business. That obligation extends into the SDLC. Supply chain provenance, software composition visibility, and policy enforcement are increasingly part of what regulators expect. Cloudsmith gives your compliance and governance teams what they need: SBOM generation, policy enforcement with audit trails, and full package provenance tracking – built into your pipelines from day one.
  • Automated SBOM generation for every artifact in your supply chain
  • Vulnerability policy enforcement with full audit trails for FCA and PRA oversight
  • Package signing and provenance tracking across all 30+ supported formats
  • Evidence chain ready for compliance review – no separate tooling required

Out of all of the vendors we talked to, Cloudsmith was the one that seemed to want to work with us the most. Right away they were saying, ‘Here are all the things we want to do for you. Here are the things we can build…’ That won us over. And everything that’s happened since then has only confirmed that initial impression.

Dave Bresci

Senior Manager of Site Reliability Engineering @ PagerDuty

Before

PagerDuty's previous artifact management service was suffering from recurring downtime, which disrupted their CI/CD pipeline, causing build failures, and ultimately jeopardizing their ability to reliably roll out product releases, updates, and fixes on schedule.

With Cloudsmith

PagerDuty’s engineering teams now enjoy high levels of operational resilience, support, incident prevention, and incident management. Cloudsmith's robust uptime rates mean that production disruptions are a thing of the past, enabling PagerDuty to deliver on their ambitions for their product and their promise to customers.

Results
  • No platform-impacting downtime
  • Robust, self-service support for the PagerDuty team
  • Developers experience consistent, low-latency access to artifacts
  • Private, centralized repositories for better observability

Customers love Cloudsmith

G2 badges: Momentum Leader, Leader, Highest User Adoption

Ready to see Cloudsmith in action?

Talk to our team about closing the supply chain governance gap across Monzo's polyglot engineering estate – from Go and Python to Docker, Kubernetes, and Terraform.