Software supply chain security for an institution that manages global risk
Swiss Re has invested in a serious DevSecOps function. Cloudsmith is where that posture gets enforced at the artifact layer – security rules defined once, applied to every package, container image, and ML model before it reaches any build.
What Cloudsmith gives Swiss Re
- Policy-as-code at the artifact boundaryIn Swiss Re's large engineering organization, security decisions can't rely on individuals remembering to follow policy. Cloudsmith enforces your rules automatically – every artifact evaluated, every time, before it reaches a developer or pipeline.
- Azure-native access controlAccess management runs off the Microsoft Entra ID you already have. When engineers join or leave, access follows automatically. Pipelines authenticate without long-lived credentials.
- Full audit trail for regulated environmentsEvery push, pull, and policy event is logged with full context. Long-term artifact retention and European region support address Swiss regulatory requirements directly.
Open source packages are third-party risk. Govern them at the source.
Swiss Re's Cloud Center of Excellence has a stated goal: shift to a full engineering and DevSecOps mindset. That work is underway. Azure DevOps pipelines are running, Azure AD handles identity, and Maven manages builds.
Even a mature DevSecOps function can have a gap at the artifact layer. Developers across a large, distributed organization are pulling open source packages, container images, and ML models from public registries every day. Each one is a third-party input. Each one carries supply chain risk.
Cloudsmith puts a policy-enforced control plane in front of that flow. Security defines the rules – vulnerability thresholds, license restrictions, quarantine periods – and Cloudsmith applies them automatically to every artifact, before it reaches any developer or pipeline. No manual review at scale. No reliance on individual developer choices.
What changes when security has a single control point for every artifact
Open source packages, container images, and ML models are third-party inputs, the same category of risk Swiss Re's Third Party Cyber Risk function manages elsewhere. Cloudsmith brings that same governance to the artifact layer, automatically.
Before CloudsmithDevelopers pull from PyPI, Docker Hub, and other public registries directly. Security has no log of what came in, from where, or which team pulled it. When an incident occurs, the investigation starts from scratch.
With CloudsmithEvery artifact pull routes through Cloudsmith. Security sees every request: package name, version, user, timestamp, source registry. The audit trail is complete before anyone asks for it, and before any incident requires it.
Before CloudsmithPolicy exists in documentation and in CI configs scattered across teams. Whether it gets applied depends on individual developer choices. Consistent enforcement is impossible without a central control point.
With CloudsmithSecurity defines OPA Rego policies once, defining vulnerability thresholds, approved license types, quarantine rules. Cloudsmith applies them automatically to every artifact across every team and repository. Thousands of daily security decisions happen without manual review.
Before CloudsmithVulnerability scanning happens in CI, if it runs at all. A compromised or vulnerable package can reach a build environment before any check fires. Remediation then requires identifying which builds consumed it, across which teams, in which environments.
With CloudsmithCloudsmith scans every artifact on ingestion against OSV, Trivy, and other vulnerability databases. When new CVEs are disclosed, Cloudsmith re-scans existing artifacts automatically. A vulnerable package gets flagged – or quarantined by policy – before it reaches any build.
Before CloudsmithML models pulled from Hugging Face sit outside the standard artifact management perimeter. They carry the same supply chain risks as any other third-party dependency – provenance gaps, license uncertainty, potential tampering – but are governed by different, often weaker, controls.
With CloudsmithCloudsmith applies the same security controls to Hugging Face models that it applies to PyPI packages and Maven artifacts. One platform, one policy framework, one audit trail.
Before CloudsmithRegulated financial institutions need long-term artifact retention, immutable audit trails, and documented data residency. Assembling this evidence across fragmented registries takes time, and gaps create audit findings.
With CloudsmithCloudsmith provides long-term artifact retention, full audit logs that export to S3 or Azure, and European region storage for Swiss regulatory requirements. The compliance evidence is there before any audit requires it.
How Cloudsmith works for Swiss Re
Policy enforcement, Azure-native access, and compliance-ready logging.
Cloudsmith supports Maven, PyPI, Docker, Helm, and 30+ additional formats from a single platform. One control plane for every artifact format Swiss Re's teams use – including ML models.
Private registries for Maven, PyPI, Docker, Helm, and more
Teams point at Cloudsmith instead of public registries. Their tooling – Maven, Docker, Helm – works exactly as before. Every request routes through a registry where security sets and enforces the rules.
Upstream proxying and caching
Cloudsmith proxies upstream registries on your behalf, caching artifacts locally. Developers get fast resolution. Security gets a single point where policy applies to every upstream dependency, not just internally published artifacts.
Policy-as-code with OPA Rego
Define vulnerability thresholds, license restrictions, quarantine rules, and retention timelines using OPA Rego. Policies are version-controlled and applied consistently across every team and repository in the organization.
Azure AD via OIDC and SCIM
Pipelines authenticate via OIDC with short-lived tokens – no long-lived API keys in CI/CD. User lifecycle management runs through Microsoft Entra ID via SCIM: access provisioned when engineers join, revoked automatically when they leave.
ML model management alongside standard packages
Cloudsmith manages Hugging Face model artifacts alongside standard packages. The same vulnerability scanning, policy enforcement, and audit logging that applies to PyPI packages applies to ML models.
Audit trail, retention, and data residency
Cloudsmith provides a complete log of every policy event, push and pull, alongside all the context required to investigate incidents. Long-term retention and European region options are available to meet Swiss regulatory requirements. Logs export to Azure for SIEM integration.
Trusted by engineering and security teams at Fortune 500 companies.