Your pipelines move fast. Your audit trail has to keep up.
Life sciences engineering runs on open source. Every container image, every Python package, every Helm chart your teams pull enters your environment before your scanners see it. Cloudsmith governs what enters your supply chain at the point of ingestion – and produces the provenance record your ISO 27001 audits and FDA oversight require.
Why Cloudsmith
- Block threats before they reach your EKS clusters: Cloudsmith sits upstream of your Docker, Kubernetes, and Helm pipelines – scanning and blocking at the point of consumption, not after the fact.
- One governed layer across every format you ship: Helm, Docker, Python, npm, Rust, NuGet – one policy, one audit log, and one source of truth across your entire polyglot stack.
- Audit-ready compliance built into your pipelines: Automated SBOM generation, artifact signing, and full audit trails – ready for ISO 27001 re-certification and FDA review without a separate compliance exercise.
The Cloudsmith difference
Twist Bioscience operates mature security controls – ISO 27001-certified, annual pen testing, continuous vulnerability scanning. But those controls operate at the application and infrastructure layer. Open-source dependencies enter your ECS and EKS workloads before any of those controls see them. Cloudsmith operates upstream of all of it, blocking at the registry before a package ever reaches a build system or a container runtime.
Your current position: Open-source dependencies enter your Docker and EKS workloads before your vulnerability scanners see them.
With Cloudsmith: Cloudsmith scans and blocks at the point of ingestion – before a package reaches any container runtime or any pipeline.
Your current position: Security policy is applied inconsistently across Python, TypeScript, Rust, C#, Docker, Helm, and Terraform – each ecosystem governed differently, or not at all.
With Cloudsmith: One policy, defined centrally, applies across every format and every team – from lab software engineers to platform infrastructure.
Your current position: No automated SBOM generation to satisfy the audit and provenance requirements of ISO 27001 re-certification, FDA oversight, or biosecurity compliance.
With Cloudsmith: Cloudsmith generates SBOMs and maintains the artifact provenance trails your compliance programme requires – built into pipelines, not assembled manually before an audit.
Your current position: AI-assisted development pulls open-source dependencies into your supply chain faster than any governance review can track.
With Cloudsmith: Every AI-recommended package passes through the same policy controls as any other artifact entering your environment – no exceptions.
You've secured the perimeter. The supply chain is a different problem.
A serious security posture is not the same as a secure supply chain. Every Python package, every container base image, every Helm chart your engineers pull enters your environment before any existing control sees it. Pipeline scanners catch known vulnerabilities after a dependency has already been resolved. Application-layer controls operate on code that already shipped. Cloudsmith sits at the point of ingestion – the moment a package is requested from a public registry – and enforces policy before it ever reaches a build system, a container runtime, or a cluster.
- Block malicious packages before they reach your ECS or EKS workloads
- Protect against targeted attacks on Python, npm, and Rust ecosystems
- Enforce a single policy across every format your engineers ship in
- Apply the same governance to AI-recommended dependencies as any other artifact
Further reading
The threat is not theoretical
Recent supply chain attacks show exactly how attackers exploit the gap between dependency consumption and security scanning – including campaigns that specifically target Python, npm, and container ecosystems used in biotech and life sciences engineering.
- Stardrop: New cross-industry npm campaign targeting AI companies and financial firms
- Axios npm packages compromised: what happened and how to respond
- Closing the enforcement gap: why visibility isn't enough for supply chain security
- Slopsquatting and typosquatting: how AI-hallucinated packages become attack vectors
- The AI speed trap: securing the future of software supply chains
Cooldown policies
Packages your teams depend on, under active attack
Modern development moves fast. Packages are published continuously, and attackers exploit the window between publication and detection. Cloudsmith's cooldown policies hold newly published package versions in quarantine for a configurable period before they can reach any build system or container runtime – structurally eliminating an entire class of attack that pipeline scanning cannot stop.
Axios – 100 million weekly downloads, March 2026
A North Korean state actor compromised the Axios npm account and published two malicious versions carrying a phantom dependency created less than 24 hours earlier. The malicious versions were live for roughly 3 hours – enough to compromise any pipeline running a fresh install. A cooldown policy would have blocked the phantom dependency at ingestion before it reached a single build.
Shai-Hulud / Mini Shai-Hulud – self-replicating npm worm, 2025–2026
An ongoing self-replicating npm worm steals maintainer credentials and publishes malicious versions of every package that maintainer controls – with valid provenance attestations, meaning integrity checks pass. Teams with cooldown policies active were not exposed. Teams relying on pipeline scanning alone were.
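The cooldown rule described above (hold any package version younger than a configurable age, and hold it even when it is only pulled in transitively, as with the phantom dependency in the Axios case) can be modelled in a few lines. The following Python is an added illustration written for this page; it is not Cloudsmith's code and makes no claim about how Cloudsmith implements the policy. The registry snapshot, package names (webclient, helper-pkg), versions and publish timestamps are constructed; the evaluator walks the dependency closure of a requested version and reports every member that is still inside the cooldown window, then resolves to the newest version whose whole closure is clear.

```python
"""Cooldown policy evaluator (illustration only, not Cloudsmith's implementation).

Rule: a package version published less than `cooldown` ago is held and cannot be
resolved; a requested version is held if it, or anything in its dependency
closure, is still inside the window. Older versions remain resolvable.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PackageVersion:
    name: str
    version: str
    published: datetime
    # Declared dependencies as (name, exact version) pairs; pinned for simplicity.
    dependencies: Tuple[Tuple[str, str], ...] = ()


# Constructed "now" and registry snapshot; every name, version and timestamp
# below is made up for the example.
NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)

REGISTRY: Dict[Tuple[str, str], PackageVersion] = {
    # Long-established release: 40 days old, no dependencies.
    ("webclient", "1.8.0"): PackageVersion("webclient", "1.8.0", NOW - timedelta(days=40)),
    # Newer release (30 hours old) that pulls in a brand-new dependency.
    ("webclient", "1.8.1"): PackageVersion(
        "webclient", "1.8.1", NOW - timedelta(hours=30),
        dependencies=(("helper-pkg", "0.0.1"),),
    ),
    # Dependency created only 20 hours ago (the "phantom dependency" pattern).
    ("helper-pkg", "0.0.1"): PackageVersion("helper-pkg", "0.0.1", NOW - timedelta(hours=20)),
}


def is_held(pv: PackageVersion, now: datetime, cooldown: timedelta) -> bool:
    """True when the version is still inside the cooldown window."""
    return now - pv.published < cooldown


def blocked_by_cooldown(
    name: str, version: str, now: datetime, cooldown: timedelta,
    registry: Dict[Tuple[str, str], PackageVersion] = REGISTRY,
) -> List[Tuple[str, str, float]]:
    """Walk the dependency closure of (name, version) depth-first.

    Returns (name, version, age_in_hours) for every member still inside the
    window. An empty list means the install is allowed under this policy.
    """
    blocked: List[Tuple[str, str, float]] = []
    seen = set()
    stack = [(name, version)]
    while stack:
        key = stack.pop()
        if key in seen:
            continue
        seen.add(key)
        pv = registry.get(key)
        if pv is None:
            raise KeyError(f"unknown package version {key}")
        if is_held(pv, now, cooldown):
            age_hours = (now - pv.published).total_seconds() / 3600
            blocked.append((pv.name, pv.version, round(age_hours, 1)))
        stack.extend(pv.dependencies)
    return blocked


def _version_key(v: str) -> Tuple[int, ...]:
    """Numeric ordering for dotted versions such as 1.8.10 > 1.8.9."""
    return tuple(int(part) for part in v.split("."))


def latest_allowed(
    name: str, now: datetime, cooldown: timedelta,
    registry: Dict[Tuple[str, str], PackageVersion] = REGISTRY,
) -> Optional[str]:
    """Highest version of `name` whose entire dependency closure clears the cooldown."""
    candidates = sorted(
        (key[1] for key in registry if key[0] == name), key=_version_key, reverse=True
    )
    for v in candidates:
        if not blocked_by_cooldown(name, v, now, cooldown, registry):
            return v
    return None


if __name__ == "__main__":
    for hours in (12, 24, 72):
        policy = timedelta(hours=hours)
        print(f"cooldown={hours}h resolves webclient -> {latest_allowed('webclient', NOW, policy)}")
        print("  held:", blocked_by_cooldown("webclient", "1.8.1", NOW, policy))
```

With a 24-hour cooldown, webclient 1.8.1 itself is old enough, but its 20-hour-old dependency is not, so the resolver falls back to 1.8.0; with a 12-hour window both clear and 1.8.1 is served. The point worth noting for policy design is the second case in the `__main__` loop: checking only the top-level version requested would have let the fresh transitive dependency through.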
Why Twist Bioscience's engineering organisation needs Cloudsmith
Life sciences, polyglot pipelines, and a serious compliance obligation
A microservices architecture running across Amazon ECS and EKS, under ISO 27001 annual re-certification and FDA biosecurity oversight, creates a supply chain governance problem that generic DevOps tooling wasn't designed for. Each language ecosystem is a separate attack surface. Each one needs consistent policy. And every artifact that passes through your environment needs to be traceable for compliance and for audit. Cloudsmith was built for exactly this combination.
Polyglot at scale
Python dominates your lab and data pipelines, but your full stack spans TypeScript, Rust, C#, and more – each with its own upstream registries and its own risk profile. Cloudsmith governs all of them from one platform. One policy, applied consistently, regardless of format.
ISO 27001 and FDA oversight
Supply chain provenance, SBOM generation, and audit trails belong in your SDLC – not assembled manually before an annual re-certification or a regulatory review. Cloudsmith builds that evidence chain into every pipeline automatically.
AWS-native, Kubernetes first
Cloudsmith integrates natively with your Amazon ECS and EKS environments, your Helm chart workflows, and your existing container pipelines. Helm charts are a native Cloudsmith format – consistent policy from code to cluster, with no additional configuration required.
Every format. One policy. Zero exceptions.
Python, TypeScript, JavaScript, Rust, C#, Docker, Helm, and Terraform. Each ecosystem is its own attack surface with its own registries and its own risk profile. Cloudsmith gives you a single governed layer across all of them – one policy, one audit log, one source of truth.
Python and Rust
Cloudsmith proxies PyPI and crates.io consumption through a governed layer – scanning for malware and CVEs before any package reaches your lab software or backend services.
npm and Docker
JavaScript and TypeScript dependencies plus container base images – all governed under the same policy. One set of rules across your frontend, backend, and ECS workloads.
Helm charts – a native Cloudsmith format
Cloudsmith provides first-class Helm chart hosting and proxy support for your EKS deployments. Consistent policy from code to cluster, with the same audit trail as every other format.
NuGet, Terraform, and more
C# and .NET packages, Terraform providers, and 30+ additional formats all governed from one platform. Your entire software supply chain, under one policy and one audit log.
Regulation is tightening. Supply chain controls need to keep pace.
ISO 27001 re-certification demands evidence that your software supply chain is controlled and traceable. FDA biosecurity requirements mean the provenance of every artifact entering your manufacturing and lab systems must be demonstrable. And as Twist moves toward commercial-scale DNA data storage and expands biopharma partnerships, the regulatory surface area grows. Cloudsmith gives your compliance and security teams what they need: SBOM generation, policy enforcement with full audit trails, and artifact signing – built into your pipelines from day one.
- Automated SBOM generation for every artifact in your supply chain
- Vulnerability policy enforcement with full audit trails for ISO 27001 and FDA oversight
- Artifact signing and provenance tracking across all 30+ supported formats
- Evidence chain ready for compliance review – no separate tooling or manual assembly required
Ready to see Cloudsmith in action?
Talk to our team about closing the supply chain governance gap across Twist Bioscience's polyglot engineering estate – from Python and Helm to Docker, EKS, and Terraform.