---
title: "Artifact security for DevSecOps at scale | Cloudsmith for Swiss Re"
description: "Swiss Re has built a serious DevSecOps function. Cloudsmith is where that security posture gets enforced in practice – automated policy on every artifact, every time, across Azure-native pipelines."
canonical_url: "https://cloudsmith.com/loves/swiss-re"
last_updated: "2026-06-23T11:13:49Z"
---
# Artifact security for DevSecOps at scale | Cloudsmith for Swiss Re

Cloudsmith for Swiss Re

## Software supply chain security for an institution that manages global risk

Swiss Re has invested in a serious DevSecOps function. Cloudsmith is where that posture gets enforced at the artifact layer – security rules defined once, applied to every package, container image, and ML model before it reaches any build.

[Book a 20-minute call](/book-a-demo)

[See how it works](/product/software-supply-chain-security)

## Open source packages are third-party risk. Govern them at the source.

Swiss Re's Cloud Center of Excellence has a stated goal: shift to a full engineering and DevSecOps mindset. That work is underway. Azure DevOps pipelines are running, Azure AD handles identity, and Maven manages builds.

Even a mature DevSecOps function can have a gap at the artifact layer. Developers across a large, distributed organization are pulling open source packages, container images, and ML models from public registries every day. Each one is a third-party input. Each one carries supply chain risk.

Cloudsmith puts a policy-enforced control plane in front of that flow. Security defines the rules – vulnerability thresholds, license restrictions, quarantine periods – and Cloudsmith applies them automatically to every artifact, before it reaches any developer or pipeline. No manual review at scale. No reliance on individual developer choices.

## What changes when security has a single control point for every artifact

Open source packages, container images, and ML models are third-party inputs, the same category of risk Swiss Re's Third Party Cyber Risk function manages elsewhere. Cloudsmith brings that same governance to the artifact layer, automatically.

| Before Cloudsmith | With Cloudsmith |
| --- | --- |
| Developers pull from PyPI, Docker Hub, and other public registries directly. Security has no log of what came in, from where, or which team pulled it. When an incident occurs, the investigation starts from scratch. | Every artifact pull routes through Cloudsmith. Security sees every request: package name, version, user, timestamp, source registry. The audit trail is complete before anyone asks for it, and before any incident requires it. |
| Policy exists in documentation and in CI configs scattered across teams. Whether it gets applied depends on individual developer choices. Consistent enforcement is impossible without a central control point. | Security defines OPA Rego policies once: vulnerability thresholds, approved license types, quarantine rules. Cloudsmith applies them automatically to every artifact across every team and repository. Thousands of daily security decisions happen without manual review. |
| Vulnerability scanning happens in CI, if it runs at all. A compromised or vulnerable package can reach a build environment before any check fires. Remediation then requires identifying which builds consumed it, across which teams, in which environments. | Cloudsmith scans every artifact on ingestion using OSV, Trivy, and other vulnerability sources. When new CVEs are disclosed, Cloudsmith re-scans existing artifacts automatically. A vulnerable package gets flagged – or quarantined by policy – before it reaches any build. |
| ML models pulled from Hugging Face sit outside the standard artifact management perimeter. They carry the same supply chain risks as any other third-party dependency – provenance gaps, license uncertainty, potential tampering – but are governed by different, often weaker, controls. | Cloudsmith applies the same security controls to Hugging Face models that it applies to PyPI packages and Maven artifacts. One platform, one policy framework, one audit trail. |
| Regulated financial institutions need long-term artifact retention, immutable audit trails, and documented data residency. Assembling this evidence across fragmented registries takes time, and gaps create audit findings. | Cloudsmith provides long-term artifact retention, full audit logs that export to S3 or Azure, and European region storage for Swiss regulatory requirements. The compliance evidence is there before any audit requires it. |

How Cloudsmith works for Swiss Re

## Policy enforcement, Azure-native access, and compliance-ready logging.

Cloudsmith supports Maven, PyPI, Docker, Helm, and 30+ additional formats from a single platform. One control plane for every artifact format Swiss Re's teams use – including ML models.

### Private registries for Maven, PyPI, Docker, Helm, and more

Teams point at Cloudsmith instead of public registries. Their tooling – Maven, Docker, Helm – works exactly as before. Every request routes through a registry where security sets and enforces the rules.

### Upstream proxying and caching

Cloudsmith proxies upstream registries on your behalf, caching artifacts locally. Developers get fast resolution. Security gets a single point where policy applies to every upstream dependency, not just internally published artifacts.

### Policy-as-code with OPA Rego

Define vulnerability thresholds, license restrictions, quarantine rules, and retention timelines using OPA Rego. Policies are version-controlled and applied consistently across every team and repository in the organization.
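As an added illustration (not Cloudsmith's own policy, and not its real policy input schema), the three rule types named above written as one Rego policy. The input field names, the CVSS threshold, the license allowlist and the seven-day hold are all assumptions made for this example.

```rego
# Illustrative policy, not Cloudsmith's. Assumed (hypothetical) input shape:
#   input.package.name / .version        package identity
#   input.package.license                SPDX identifier, e.g. "MIT"
#   input.package.uploaded_at            RFC 3339 ingestion time
#   input.package.vulnerabilities[]      objects with .id and .cvss_score
#   input.now                            RFC 3339 evaluation time
package artifact_policy

import rego.v1

default allow := false

# Thresholds owned by security and versioned with the policy.
max_cvss := 7.0
quarantine_ns := 7 * 24 * 60 * 60 * 1000000000   # 7-day hold, in nanoseconds
approved_licenses := {"MIT", "Apache-2.0", "BSD-3-Clause"}

# An artifact is allowed only when no deny rule produces a finding.
allow if count(deny) == 0

# Vulnerability threshold: any finding at or above max_cvss blocks the artifact.
deny contains msg if {
	some v in input.package.vulnerabilities
	v.cvss_score >= max_cvss
	msg := sprintf("%s %s: %s has CVSS %.1f (threshold %.1f)",
		[input.package.name, input.package.version, v.id, v.cvss_score, max_cvss])
}

# License restriction: only allowlisted SPDX identifiers pass.
deny contains msg if {
	license := input.package.license
	not license in approved_licenses
	msg := sprintf("%s %s: license %q is not approved",
		[input.package.name, input.package.version, license])
}

# Missing license metadata is a finding too; fail closed rather than open.
deny contains msg if {
	not input.package.license
	msg := sprintf("%s %s: no license metadata, cannot verify",
		[input.package.name, input.package.version])
}

# Quarantine: a freshly ingested artifact stays blocked until the hold
# expires, giving upstream ecosystems time to retract a bad release.
deny contains msg if {
	uploaded := time.parse_rfc3339_ns(input.package.uploaded_at)
	now := time.parse_rfc3339_ns(input.now)
	now - uploaded < quarantine_ns
	msg := sprintf("%s %s: still inside the quarantine window",
		[input.package.name, input.package.version])
}
```

Evaluating `data.artifact_policy.deny` against an input document lists every reason an artifact was held, which is the message a developer sees and the event the audit log records.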

### Azure AD via OIDC and SCIM

Pipelines authenticate via OIDC with short-lived tokens – no long-lived API keys in CI/CD. User lifecycle management runs through Microsoft Entra ID via SCIM: access provisioned when engineers join, revoked automatically when they leave.

### ML model management alongside standard packages

Cloudsmith manages Hugging Face model artifacts alongside standard packages. The same vulnerability scanning, policy enforcement, and audit logging that applies to PyPI packages applies to ML models.

### Audit trail, retention, and data residency

Cloudsmith provides a complete log of every policy event, push and pull, alongside all the context required to investigate incidents. Long-term retention and European region options are available to meet Swiss regulatory requirements. Logs export to Azure for SIEM integration.

## Fortune 500 financial services organizations trust Cloudsmith

[Read the Thrivent case study](/customers/cloudsmith-and-thrivent)

[Cloudsmith for financial services](/solutions/fintech-banking-financial-services)

## Trusted by engineering and security teams at Fortune 500 companies.

[Read reviews on G2](https://www.g2.com/products/cloudsmith/reviews)

[Cloudsmith trust center](https://trust.cloudsmith.com)

## See Cloudsmith running in a Swiss Re scale environment

Swiss Re's engineering teams already run Maven, Docker, and Azure DevOps. Cloudsmith fits that stack. Book a demo – we'll show you how it works with your actual pipelines, not a generic demo environment.

[Book a demo](/book-a-demo)

[Switching from JFrog Artifactory](/switch/jfrog-artifactory)
