Cloudsmith + The Hartford

Govern artifacts when they enter the pipeline. Not after.

The Hartford has a strong security posture, but there's a potential gap in where artifact controls actually sit. When scanning happens after storage, malicious packages have a chance to deploy before they can be identified. Cloudsmith moves governance to ingestion, preventing attacks before they start.

What changes when governance moves upstream

Self-hosted Nexus was a reasonable choice when the engineering organization was smaller and less distributed. At The Hartford's scale, with cloud migration underway, distributed teams, and a regulatory environment that demands consistent, auditable artifact controls, the structural limits of that architecture become operational problems. The friction isn't configuration; it's what self-hosted artifact management becomes once your security and compliance requirements outgrow it.

On-prem artifact management today: Scanning runs after artifacts are stored. A package clears ingestion, lands in the registry, and gets scanned. If it's malicious, it's already inside.
With Cloudsmith: Cloudsmith scans every artifact on push. Nothing enters the registry that hasn't passed your policy. Scan results are re-evaluated continuously as new CVE data is published, not just at the moment of upload.

On-prem artifact management today: Policy is applied inconsistently across teams and repositories. Enforcement depends on individual configuration, not a shared control plane. Audit trails are incomplete.
With Cloudsmith: Policy rules are written in OPA Rego, version-controlled, and applied uniformly across every repository and format. Violations are quarantined automatically. Every artifact event (push, pull, policy trigger, configuration change) is logged with full context and available for export.

On-prem artifact management today: Registry uptime depends on your team. Upgrades carry risk. Disks fill. VMs go down. The platform team carries operational overhead for infrastructure that isn't their core job.
With Cloudsmith: Cloudsmith is fully managed SaaS. When something goes wrong, our team responds. Your engineers don't carry on-call responsibility for a registry. Upgrades happen without maintenance windows or pipeline disruption.

On-prem artifact management today: Distributed teams get inconsistent performance from a single on-prem origin. Engineers in different regions pull from the same instance, with latency determined by geography.
With Cloudsmith: Artifacts are served from nodes close to the requesting engineer. Cloudsmith's 600+ global edge points of presence mean consistent build performance for distributed teams, without replication jobs for your platform team to manage.

Security controls at ingestion

The standard approach to artifact security scans after storage. By the time a result surfaces, the artifact is already in the registry and potentially already consumed by a pipeline. Cloudsmith operates differently. Every artifact is scanned the moment it enters your software supply chain, before it becomes available to any consumer. For an organization with NIST SSDF alignment requirements and a mature secure SDLC practice, that distinction matters. Controls applied at ingestion are preventative, stopping attacks before they start. Controls applied after storage are detective, at best. The difference is not academic when an open-source dependency with a known vulnerability enters your pipeline.
  • Scans every artifact on push, before it's available to pipelines
  • Continuous re-scanning against updated CVE databases, not just at upload time
  • Software composition analysis and malware detection built in, no additional tooling required
  • SBOM generation across formats gives your security team a live dependency inventory
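The ingestion-versus-post-storage distinction above, and the continuous re-evaluation described in the policy and vulnerability-scanning sections later on this page, are easy to see in a small model. The following is an added illustration, not Cloudsmith code: policy is expressed as a plain Python dictionary rather than OPA Rego, and the artifact names, component lists, CVE identifiers and severities are constructed sample data. An artifact is evaluated before it is stored, is stored only as admitted or quarantined, and every admitted artifact is re-evaluated when a new vulnerability feed arrives.

```python
"""Ingestion-time policy gate with continuous re-evaluation (added illustration,
not Cloudsmith code). Policy is a dict standing in for a Rego rule set; all
names, versions and CVE ids below are constructed placeholders."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Artifact:
    name: str
    version: str
    components: list          # SBOM-style inventory: (package, version, license)
    state: str = "pending"    # pending | admitted | quarantined
    reasons: list = field(default_factory=list)


# Constructed vulnerability feed: package -> [(affected version, CVE id, severity)]
VULN_FEED_V1 = {
    "libfoo": [("1.2.0", "CVE-EXAMPLE-0001", "high")],
}

# Policy: block findings above a severity, deny specific licenses
POLICY = {
    "max_severity": "medium",
    "denied_licenses": {"AGPL-3.0"},
}


def evaluate(artifact, policy, feed):
    """Return the policy violations for an artifact; an empty list means it passes."""
    violations = []
    limit = SEVERITY_RANK[policy["max_severity"]]
    for pkg, ver, lic in artifact.components:
        for affected, cve, sev in feed.get(pkg, []):
            if affected == ver and SEVERITY_RANK[sev] > limit:
                violations.append(f"{cve} ({sev}) in {pkg}@{ver}")
        if lic in policy["denied_licenses"]:
            violations.append(f"denied license {lic} in {pkg}@{ver}")
    return violations


def ingest(registry, artifact, policy, feed):
    """Gate at push: the artifact is stored as admitted or quarantined, never as an
    unscanned package a pipeline could pull in the meantime."""
    artifact.reasons = evaluate(artifact, policy, feed)
    artifact.state = "quarantined" if artifact.reasons else "admitted"
    registry[(artifact.name, artifact.version)] = artifact
    return artifact.state


def reevaluate(registry, policy, feed):
    """Re-run policy over everything already admitted (e.g. after new CVE data)."""
    newly_quarantined = []
    for art in registry.values():
        if art.state == "admitted":
            art.reasons = evaluate(art, policy, feed)
            if art.reasons:
                art.state = "quarantined"
                newly_quarantined.append(f"{art.name}@{art.version}")
    return newly_quarantined


def consumable(registry):
    """What a pipeline is allowed to pull right now."""
    return sorted(f"{a.name}@{a.version}" for a in registry.values() if a.state == "admitted")


def artifacts_containing(registry, package):
    """Live dependency inventory: which artifacts carry a given component."""
    return sorted(f"{a.name}@{a.version}" for a in registry.values()
                  if any(pkg == package for pkg, _, _ in a.components))


def demo():
    registry = {}
    arts = [
        Artifact("app-a", "1.0.0", [("libfoo", "1.2.0", "MIT")]),        # known high CVE
        Artifact("app-b", "2.0.0", [("libbar", "0.9.1", "Apache-2.0")]), # clean today
        Artifact("app-c", "3.1.0", [("libbaz", "4.0.0", "AGPL-3.0")]),   # denied license
        Artifact("app-d", "1.0.0", [("libqux", "1.0.0", "MIT")]),        # clean
    ]
    states = {a.name: ingest(registry, a, POLICY, VULN_FEED_V1) for a in arts}
    # A new advisory for libbar is published after app-b was admitted.
    feed_v2 = dict(VULN_FEED_V1, libbar=[("0.9.1", "CVE-EXAMPLE-0002", "critical")])
    rescanned = reevaluate(registry, POLICY, feed_v2)
    return states, rescanned, consumable(registry), artifacts_containing(registry, "libbar")


if __name__ == "__main__":
    print(demo())
```

The point the model makes is where the window of exposure sits: with a post-storage scan, app-b would have been pullable between upload and the scan completing; here it is never pullable unless it passed, and it stops being pullable the moment the new advisory is applied, without anyone resubmitting it. The inventory query is what a security team uses to answer "which of our artifacts contain the affected component" on the day a CVE lands.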

AI-assisted development

Your engineers use AI coding tools. That changes your supply chain risk.

AI coding agents produce code faster than any team can review line by line. The dependencies they introduce don't come from a human making a considered choice - they come from a probabilistic model that can hallucinate package names, pull from unverified upstreams, and generate artifacts at a volume that overwhelms manual review. For an organization with NIST SSDF alignment requirements and open-source risk management obligations, that's not a hypothetical concern. Cloudsmith gives you the controls to let your engineers use these tools at full speed, without accepting unknown risk into your supply chain.
Protection against AI-hallucinated package names
AI coding tools occasionally suggest package names that don't exist. Attackers register those names on public registries and weaponize them with malicious payloads - a vector known as slopsquatting. Cloudsmith's upstream proxying, combined with SCA and malware detection at ingestion, means packages from public registries are evaluated against your policy before they reach any pipeline. Hallucinated or malicious packages don't pass.

Policy enforcement that scales with AI output volume
Manual review doesn't scale when AI agents are committing code continuously. Cloudsmith's OPA Rego-based policy engine enforces your security and license compliance rules automatically, on every artifact, regardless of volume. The governance your security architecture team has defined applies whether a pipeline runs ten builds a day or ten thousand.

Provenance and integrity for every artifact
AI-generated code introduces new questions about trust: where did this come from, has it been modified, and can you prove it? Cloudsmith's package signing, SBOM generation, and continuous vulnerability re-scanning give your security team a live, auditable inventory of every dependency in your pipelines. Cloudsmith builds a complete audit trail with verifiable integrity by tracking the provenance of every artifact.
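The slopsquatting defence described above comes down to a decision an upstream proxy makes before it fetches anything. The following is an added illustration, not Cloudsmith code, of that decision at the name level: a name the organization already depends on is allowed, a near-miss of a popular package name is denied, and any other unknown name is fetched into quarantine for SCA and malware scanning before a pipeline can pull it. The known-dependency index, the popular-name list, and the requirements lines are constructed sample data, and the similarity cutoff is an assumed tuning value.

```python
"""Upstream-proxy name gate for AI-suggested dependencies (added illustration,
not Cloudsmith code). The index, popular-name list and requirements lines are
constructed sample data; the 0.8 cutoff is an assumed tuning value."""
import difflib
import re

# Constructed: names this organization has already resolved and approved.
KNOWN_INDEX = {"requests", "numpy", "boto3"}

# Constructed: widely used names that look-alike registrations imitate.
POPULAR = ["requests", "numpy", "boto3", "pandas", "flask"]

# Leading package name of a requirements-style line (before ==, >=, ~=, etc.)
NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def classify_request(name, index=KNOWN_INDEX, popular=POPULAR, cutoff=0.8):
    """Return (decision, reason) for one requested package name.

    decision is 'allow', 'deny' or 'quarantine'; the reason is recorded with the
    request so the audit trail explains every outcome."""
    name = name.lower()
    if name in index:
        return "allow", "already an approved dependency"
    # Almost, but not exactly, a popular name: the look-alike shape used by
    # typosquatting and slopsquatting registrations.
    close = difflib.get_close_matches(name, popular, n=1, cutoff=cutoff)
    if close and close[0] != name:
        return "deny", f"look-alike of popular package {close[0]}"
    return "quarantine", "unknown name; fetch to quarantine and scan before release"


def gate_requirements(lines):
    """Classify every name in requirements-style lines (one 'name==version' per
    line). Returns name -> decision; blank and comment lines are skipped."""
    decisions = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = NAME_RE.match(line)
        if not m:
            continue
        decision, _reason = classify_request(m.group(1))
        decisions[m.group(1).lower()] = decision
    return decisions


if __name__ == "__main__":
    # Constructed lines as an AI coding agent might emit them.
    sample = [
        "requests==2.31.0",
        "# suggested by the agent",
        "requets>=1.0",
        "flask-jwt-auth-helper==0.1",
        "pandas==2.2.0",
    ]
    for pkg, decision in gate_requirements(sample).items():
        print(f"{pkg:24s} {decision:10s} {classify_request(pkg)[1]}")
```

The three outcomes map to three different risks: an exact known name needs no new review, a look-alike is never worth fetching, and a genuinely new name (including a real popular package the organization has not used before) is the case where scanning at ingestion, rather than a name heuristic, has to make the call.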

High availability without a maintenance plan.

Self-hosted Nexus goes down when the underlying infrastructure does. Upgrade windows carry risk. Disk fills up. The platform team carries operational burden for a system that's not their primary responsibility. Cloudsmith is a managed service. Multi-region redundancy means there's no single point of failure. Upgrades happen without maintenance windows or pipeline disruption. When there's an incident, our team responds, not yours. The operational overhead of running a registry moves off your engineers entirely, and they can focus on work that ships value.
  • Multi-region redundancy with no single point of failure
  • Zero-maintenance upgrades, your pipelines keep running
  • No instance health to monitor, no upgrade risk to manage

For DevSecOps and platform teams

Uniform governance across every artifact and every team

Maintaining consistent artifact policy enforcement across a large, distributed engineering organization is hard when controls are applied per-repository or per-team. Cloudsmith provides a single control plane for all artifact governance, so your DevSecOps and security architecture teams set the rules once and they apply everywhere.
Policy as code with OPA Rego
Security and compliance rules are written in OPA Rego, version-controlled, and enforced uniformly across every repository and format. Artifacts violating severity thresholds are quarantined automatically. License compliance issues are caught at ingestion.

Full audit trail for compliance and incident response
Every push, pull, policy trigger, and configuration change is logged with full context: who, what, when, from where. Client logs and audit trails can be exported to your SIEM or object storage. The traceability your compliance and incident response workflows require is there by default, not assembled after an incident occurs.

Self-service for development teams, guardrails for security
Cloudsmith's API, Terraform provider, and OIDC-native authentication let development teams provision repositories and manage access without raising tickets. Your platform and security teams define the guardrails. Teams move within them independently, and governance doesn't rely on manual review of every request.

Supply chain security

Supply chain security designed for regulated environments.

Cloudsmith already works with Fortune 500 insurers and is built with their regulatory requirements in mind. The controls that matter for NIST SSDF alignment, secure SDLC, and open-source risk management are built in, not added on.
Vulnerability scanning on every artifact
Cloudsmith scans every package at push, before it enters your registry. Scans run continuously against updated vulnerability databases, so a newly disclosed CVE surfaces across your existing artifacts automatically. You don't need to resubmit packages or run a separate scan job.

Open-source risk management built in
Software composition analysis and license compliance checks run at ingestion for every artifact, across all supported formats. Artifacts from open-source upstreams are evaluated against your policy before they're available to any pipeline. You set the rules once, in code. Cloudsmith enforces them consistently.

Package signing and provenance
Every consumer can verify the provenance and integrity of artifacts. SBOM generation across your pipelines gives your security team a live inventory of every dependency in production, updated continuously rather than captured at build time and left to drift.

Migrating from Sonatype Nexus

A robust and tested migration plan

Migrating from a familiar artifact management system can feel like a major undertaking. Cloudsmith has a structured, supported path to help customers do this, with onboarding support and named contacts every step of the way. Other teams, including those managing complex, multi-format estates during active cloud migrations, have run their migrations without downtime.
Repository structure mapping
Cloudsmith maps your existing Nexus repository structure to Cloudsmith automatically, format by format, with metadata preserved. The output is a Cloudsmith environment that mirrors your current setup.

Phased artifact transfer
Artifacts migrate in phases. Your pipelines continue pulling from Nexus until each repository is fully cut over. No big-bang migration, no downtime window, no forced go-live date.

Endpoint and credential migration
CI/CD environment variables and configuration files point to new Cloudsmith endpoints. Upstream proxying means open-source dependencies resolve through Cloudsmith from day one, with SCA and policy applied from the start.

End-to-end migration support
Cloudsmith's dedicated onboarding team works with you through every stage. You'll have named contacts, regular check-ins and agreed deadlines every step of the way.

Customers love Cloudsmith

Cloudsmith just works - whether it’s failover, automation, or support. It’s the first platform we’ve used that feels like a true partner in how we build and operate software.

Michael Boldischar

Software Engineering Manager @ Thrivent

Before

Thrivent relied on a single on-premise artifact server from their previous vendor, hosted in their data center, to manage its artifacts. This led to inconsistent package delivery to geographically distributed teams, slowing the pace of global development. The unreliable legacy server also caused slow build times, making it difficult to maintain development velocity and reliability.

With Cloudsmith

Thrivent’s teams no longer needed to maintain databases, optimize edge nodes, or manage complex on-premise infrastructure. Cloudsmith’s high-concurrency architecture eliminated the bottlenecks that previously slowed Thrivent’s pipelines. Builds that previously stalled due to database constraints now run consistently at scale, even during peak CI/CD demand.

Results
  • Artifact-management-related incidents have decreased by 62%
  • Significantly reduced infrastructure costs and the time developers spent maintaining legacy systems
  • Developers experience consistent, low-latency access to artifacts
  • Developers focus on building value, not troubleshooting dependency conflicts

We're in Hartford, CT the week of July 22-24.

If artifact governance, cloud migration, and Nexus replacement are already on your radar, we'd love to say hello in person. We're in Hartford, CT the week of July 22-24 and would welcome meeting over coffee. No sales deck required.