AI moves faster than your supply chain controls can.

Most engineering security investment goes into the application layer. But the open-source dependencies your teams pull every day enter your environment before any of those controls see them. Cloudsmith governs what enters your supply chain at the point of ingestion.

Why Cloudsmith

  1. Govern what enters your supply chain
    Cloudsmith sits upstream of your build pipelines, scanning and blocking threats at the point of consumption – not after the fact.
  2. One platform across every format you ship
    Support for 30+ package formats means one policy, one audit log, and one source of truth – regardless of how many languages and ecosystems your teams work in.
  3. Compliance built into your pipelines
    Automated SBOM generation, artifact signing, and full audit trails – ready for regulatory review without a separate compliance exercise.

The Cloudsmith difference

Monzo has strong pipeline security controls – scanners that catch known vulnerabilities in code and dependencies. But pipeline scanning runs after a package has already been resolved by your build tooling. Cloudsmith operates upstream of all of that, blocking at the registry level before a dependency ever reaches your pipelines.
Your current position: Open-source dependencies enter your 1,600+ microservices before your scanning tools see them.
With Cloudsmith: Cloudsmith scans and blocks at the point of ingestion – before a package reaches your Kubernetes clusters or your pipelines.

Your current position: Security policy is applied inconsistently across Go, Python, JavaScript, Rust, Kotlin, Docker, Helm, and Terraform.
With Cloudsmith: One policy, defined centrally, applies across every format and every team – backend, mobile, data, and infrastructure.

Your current position: No automated SBOM generation to satisfy the audit and provenance requirements of FCA and PRA oversight.
With Cloudsmith: Cloudsmith generates SBOMs and maintains the audit trails your compliance programme requires – built into pipelines, not bolted on after a regulatory review.

Your current position: AI-assisted development pulls dependencies into your supply chain before any governance control sees them.
With Cloudsmith: Every AI-recommended package passes through the same policy controls as any other artifact entering your environment.

You've secured the perimeter. The supply chain is a different problem.

Modern software development runs on open source. Developers pull packages from public registries dozens of times a day, and AI coding tools accelerate that further – recommending dependencies, generating code that imports them, and compressing the time between "find a package" and "ship it to production". The problem is that every one of those packages enters your environment before your existing security controls see it. Pipeline scanners, code review, and application-layer controls are all downstream of the moment of ingestion. Cloudsmith operates upstream of all of them.
  • Block malicious packages before they reach your microservices or your GCP infrastructure
  • Protect against targeted attacks on Go, Python, and JavaScript ecosystems
  • Enforce a single policy across every format your teams ship in
  • Apply the same governance to AI-recommended dependencies as any other artifact
The threat is not theoretical

Recent supply chain attacks show exactly how attackers exploit the gap between dependency consumption and security scanning – including campaigns that specifically target fintech and technology companies.
Cooldown policies

Packages your teams depend on, under active attack

Modern development moves fast. Packages are published continuously, and attackers exploit the window between publication and detection. Cloudsmith's cooldown policies hold newly published package versions in quarantine for a configurable period before they can reach any build system – structurally eliminating an entire class of attack that pipeline scanning cannot stop.

Axios – 100 million weekly downloads, March 2026

A North Korean state actor compromised the Axios npm account and published two malicious versions carrying a phantom dependency created less than 24 hours earlier. The malicious versions were live for roughly 3 hours – enough to compromise any pipeline running a fresh install. A cooldown policy would have blocked the phantom dependency at ingestion before it reached a single build.

Shai-Hulud / Mini Shai-Hulud – self-replicating npm worm, 2025–2026

An ongoing self-replicating npm worm steals maintainer credentials and publishes malicious versions of every package that maintainer controls – with valid provenance attestations, meaning integrity checks pass. Teams with cooldown policies active were not exposed. Teams relying on pipeline scanning alone were.
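The decision a cooldown policy makes can be shown in a few dozen lines. The Python below is an added example, not Cloudsmith code: it models a registry that only serves versions older than a configurable window, over a constructed registry view that mirrors the two cases above, a new release of a direct dependency that has been live for three hours, and a transitive dependency created less than a day ago, both carrying valid provenance attestations. Package names, versions, the clock and the seven-day window are all constructed or assumed; ordering versions by publish time stands in for real semver ordering.

```python
"""Cooldown policy over a constructed registry view (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PackageVersion:
    ecosystem: str
    name: str
    version: str
    published_at: datetime
    attestation_valid: bool  # registry-side provenance check result
    direct: bool             # False for a transitive ("phantom") dependency


def age_of(pkg: PackageVersion, now: datetime) -> timedelta:
    return now - pkg.published_at


def is_released(pkg: PackageVersion, cooldown: timedelta, now: datetime) -> bool:
    """A version leaves quarantine only once it is older than the cooldown.
    attestation_valid is deliberately not consulted: a worm publishing with
    stolen maintainer credentials obtains a valid attestation as well."""
    return age_of(pkg, now) >= cooldown


def serveable_versions(candidates: List[PackageVersion], cooldown: timedelta,
                       now: datetime) -> List[PackageVersion]:
    """Versions of one package a cooldown-enforcing registry will serve, newest first.
    Publish time stands in for semver ordering to keep the example short."""
    released = [c for c in candidates if is_released(c, cooldown, now)]
    return sorted(released, key=lambda c: c.published_at, reverse=True)


def resolve(registry: Dict[str, List[PackageVersion]], cooldown: timedelta,
            now: datetime) -> Dict[str, Optional[PackageVersion]]:
    """Pick the newest serveable version per package, or None when every
    published version is still in quarantine. A None anywhere in the graph,
    transitive dependencies included, means the install cannot complete."""
    return {name: (serveable_versions(cands, cooldown, now) or [None])[0]
            for name, cands in registry.items()}


def quarantined(registry: Dict[str, List[PackageVersion]], cooldown: timedelta,
                now: datetime) -> List[str]:
    """Human-readable list of the versions the policy is currently holding back."""
    held = []
    for cands in registry.values():
        for c in cands:
            if not is_released(c, cooldown, now):
                left = cooldown - age_of(c, now)
                held.append(f"{c.ecosystem}:{c.name}@{c.version} "
                            f"(published {age_of(c, now)} ago, {left} of cooldown left)")
    return sorted(held)


NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock
COOLDOWN = timedelta(days=7)                             # assumed policy window

# Constructed registry view: a direct dependency whose new release has been live
# for three hours, the transitive package that release pulls in (created 20 hours
# ago, valid attestation), and an unrelated older package.
REGISTRY = {
    "example-http-client": [
        PackageVersion("npm", "example-http-client", "1.9.0", NOW - timedelta(days=120), True, True),
        PackageVersion("npm", "example-http-client", "1.9.1", NOW - timedelta(hours=3), True, True),
    ],
    "example-phantom-dep": [
        PackageVersion("npm", "example-phantom-dep", "0.0.1", NOW - timedelta(hours=20), True, False),
    ],
    "example-lib": [
        PackageVersion("pypi", "example-lib", "4.2.0", NOW - timedelta(days=45), False, True),
    ],
}

if __name__ == "__main__":
    for name, chosen in resolve(REGISTRY, COOLDOWN, NOW).items():
        print(name, "->", chosen.version if chosen else "UNRESOLVABLE (all versions in cooldown)")
    for line in quarantined(REGISTRY, COOLDOWN, NOW):
        print("held:", line)
```

Under the seven-day window the registry serves `example-http-client@1.9.0` instead of the three-hour-old `1.9.1`, and `example-phantom-dep` has no serveable version at all, so a build that depends on it fails at resolution rather than pulling the package; set the window to zero and `1.9.1` is served immediately, which is the position a pipeline scanner starts from.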
Why Monzo's engineering organisation needs Cloudsmith

Scale, formats, and regulation make this a hard problem

A polyglot microservices architecture at Monzo's scale, under full banking regulation, creates a supply chain governance problem that generic DevOps tooling wasn't designed for. Each language ecosystem is a separate attack surface. Each one needs consistent policy. And every artifact that passes through your environment needs to be traceable for compliance. Cloudsmith was built for exactly this combination.

Polyglot at scale

Go dominates your backend, but your full estate spans a dozen languages and runtimes. Each one is a separate attack surface, with its own upstream registries and its own risk profile. Cloudsmith governs all of them from one platform – one policy, applied consistently, regardless of format.

Full banking regulation

Supply chain provenance, SBOM generation, and audit trails are no longer optional – they belong in your SDLC. Cloudsmith builds that evidence chain into every pipeline automatically, so it's ready for regulatory review without a separate compliance exercise.

Multi-cloud, Kubernetes-native

Cloudsmith integrates natively with your AWS and GCP environments, your Kubernetes workflows, and your existing container and Helm pipelines. Consistent policy across both platforms, with no additional DR configuration required.

Every format. One policy. Zero exceptions.

Go, Python, JavaScript, TypeScript, Rust, Kotlin, Java, Scala, Erlang, Swift, Objective-C, Docker, Kubernetes, Terraform. Each ecosystem is its own attack surface with its own registries and its own risk profile. Cloudsmith gives you a single governed layer across all of them – one policy, one audit log, one source of truth.

Go modules and Python packages

Cloudsmith proxies Go module downloads and PyPI consumption through a governed layer – scanning for malware and CVEs before any package reaches your build system.
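A governed proxy only governs what is actually routed through it: build tooling that keeps a fallback to a public registry resolves around the policy layer. The Python lint below is an added example, not Cloudsmith's tooling. It inspects the `GOPROXY`, `PIP_INDEX_URL` and `PIP_EXTRA_INDEX_URL` settings of a build environment and reports every path that does not lead to the governed host; `registry.example.internal` is a placeholder for that host, and both environments at the bottom are constructed.

```python
"""Lint build-environment settings for paths that bypass a governed registry
(added example; registry.example.internal is a placeholder host)."""
from typing import Dict, List
from urllib.parse import urlsplit

GOVERNED_HOST = "registry.example.internal"  # placeholder, not a real endpoint


def _host(url: str) -> str:
    return urlsplit(url).hostname or ""


def goproxy_findings(goproxy: str) -> List[str]:
    """GOPROXY is a list separated by ',' (try the next entry on 404/410) or
    '|' (try the next entry on any error). 'direct' fetches from the origin
    VCS, so any entry other than the governed host is a way around it."""
    if not goproxy:
        return ["GOPROXY unset: Go defaults to the public proxy with a direct fallback"]
    findings = []
    for entry in goproxy.replace("|", ",").split(","):
        entry = entry.strip()
        if not entry or entry == "off":   # 'off' disables module downloads entirely
            continue
        if entry == "direct":
            findings.append("GOPROXY contains 'direct': falls back to origin VCS, bypassing the governed registry")
        elif _host(entry) != GOVERNED_HOST:
            findings.append(f"GOPROXY entry {entry!r} is not the governed registry")
    return findings


def pip_findings(env: Dict[str, str]) -> List[str]:
    """pip merges candidates from --index-url and every --extra-index-url and
    installs the highest version it finds, so an extra public index can win
    over the governed one for any name that exists in both."""
    findings = []
    if _host(env.get("PIP_INDEX_URL", "")) != GOVERNED_HOST:
        findings.append("PIP_INDEX_URL is not the governed registry (pip defaults to the public index)")
    if env.get("PIP_EXTRA_INDEX_URL", ""):
        findings.append("PIP_EXTRA_INDEX_URL set: candidates from the extra index compete with the governed one")
    return findings


def audit_build_env(env: Dict[str, str]) -> List[str]:
    """Return every finding for one build environment; an empty list means
    both Go and pip can only resolve through the governed host."""
    return goproxy_findings(env.get("GOPROXY", "")) + pip_findings(env)


# Constructed environments: a typical default build and a pinned one.
WEAK_ENV = {
    "GOPROXY": "https://proxy.golang.org,direct",
    "PIP_INDEX_URL": "https://pypi.org/simple",
}
PINNED_ENV = {
    "GOPROXY": "https://registry.example.internal/go/",
    "PIP_INDEX_URL": "https://registry.example.internal/pypi/simple/",
}

if __name__ == "__main__":
    for label, env in (("weak", WEAK_ENV), ("pinned", PINNED_ENV)):
        print(label, "->", audit_build_env(env) or ["ok: all resolution goes through the governed registry"])
```

Run it against the environment variables of a CI job (for example `audit_build_env(dict(os.environ))`) to confirm that the proxy is the only resolution path before relying on it as a control.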

npm, Docker, and Helm

JavaScript and TypeScript dependencies, container base images, and Helm charts all governed under the same policy. One set of rules across your frontend, backend, and Kubernetes infrastructure.

JVM and mobile ecosystems

Maven and Gradle for your Kotlin and Java services, CocoaPods and Swift Package Manager for iOS – all covered. Cloudsmith supports 30+ package formats with native tooling support.

Terraform providers and modules

Infrastructure-as-code is part of your supply chain too. Cloudsmith governs Terraform module consumption alongside your application dependencies – consistent policy from code to cloud.

Regulation is tightening. Supply chain controls need to keep pace.

The regulatory environment is tightening – new requirements arrive regularly and compliance infrastructure has to scale alongside the business. That obligation extends into the SDLC. Supply chain provenance, software composition visibility, and policy enforcement are increasingly part of what regulators expect. Cloudsmith gives your compliance and governance teams what they need: SBOM generation, policy enforcement with audit trails, and full package provenance tracking – built into your pipelines from day one.
  • Automated SBOM generation for every artifact in your supply chain
  • Vulnerability policy enforcement with full audit trails for FCA and PRA oversight
  • Package signing and provenance tracking across all 30+ supported formats
  • Evidence chain ready for compliance review – no separate tooling required
"The most important capability for us is the ability to quarantine and block vulnerable artifacts. Ease of access to vulnerability information – and the ability to act on it – has been the biggest change for us."

Rich Dammkoehler

VP Architecture & Governance @ ConstructConnect

Before

ConstructConnect's InfoSec team demanded stronger supply chain security controls – but their tooling couldn't deliver. Vulnerability scanning existed, but enforcing policy compliance across a fragmented artifact estate was manual and inconsistent. Development teams spent time on pipeline workarounds instead of shipping features. With over 100 engineers working across npm, Helm, Maven, Python, NuGet, and Docker, the lack of centralized governance created real risk – and real overhead.

With Cloudsmith

ConstructConnect deployed Cloudsmith's Enterprise Policy Manager to automate quarantine and blocking of non-compliant and vulnerable packages. Vulnerability scanning, license scanning, package signing, and SBOM generation became part of every pipeline – not a separate compliance exercise. Only artifacts that pass scanning reach development teams. Multi-format repositories replaced a fragmented estate of individual repositories, cutting management overhead across the team.

Results
  • Governance scores improved quarter on quarter
  • Near-zero high and critical vulnerabilities across the supply chain
  • InfoSec team gained the visibility to act on vulnerabilities, not just identify them
  • Developers moved from managing pipeline workarounds to delivering features
  • Every artifact reaching production is verified and compliant
Customers love Cloudsmith
G2 badges: Momentum leader, Best results, High performer, Most implementable, Best usability
Ready to see Cloudsmith in action?
Talk to our team about closing the supply chain governance gap across Monzo's polyglot engineering estate – from Go and Python to Docker, Kubernetes, and Terraform.