35,000 build jobs a day. Volvo Cars' platform team shouldn't be managing the infrastructure behind them.

Cloudsmith is supply chain security for teams that have already chosen consolidation. No infrastructure to operate. No on-call load for the artifact layer.

What Cloudsmith gives Volvo Cars

  1. 30+ package formats, one platform
    PyPI, Docker, Maven, Conan, Helm, Debian, RPM, and more. One platform for every format Volvo Cars' software teams depend on, without changing the way they work.
  2. Scanning on every artifact, at ingestion
    Cloudsmith scans every package when it enters the registry, then re-scans when new CVEs are disclosed. Coverage is complete by default, not something you configure per team.
  3. Zero maintenance overhead
    Fully managed means no patching, no upgrades, no capacity planning. The platform team owns the configuration, not the infrastructure behind it.

One consolidation decision made the artifact layer visible. Now it needs to be reliable.

Volvo Cars has made a single unified software stack the foundation of every future vehicle it builds. Moving from a fragmented multi-cloud setup to a single EKS deployment running 35,000+ build and test jobs daily was the right call. It reduced complexity and gave the platform team something manageable to own. The same logic applies to the artifact layer. A self-hosted artifact store requires patching, upgrades, capacity planning, and someone accountable when it breaks. At 35,000 builds a day, that someone is the platform team. Every hour spent on artifact infrastructure is an hour not spent on the tooling 2,000 developers actually use. Cloudsmith is fully managed artifact management. Volvo Cars configures the platform. Cloudsmith runs it.

    What changes when the artifact layer is managed infrastructure

    Self-hosted artifact management at Volvo Cars' scale creates operational obligations that accumulate quietly. These are the failure modes that follow the platform team into every on-call rotation.
    Self-hosted artifact management: Upgrades and patches are the platform team's responsibility. A major version release means planning, testing, and a maintenance window. Minor releases accumulate until someone has time.
    With Cloudsmith: Cloudsmith handles upgrades, patches, and infrastructure maintenance. The platform team gets new capabilities when they're released. No maintenance windows, no version debt.
    Self-hosted artifact management: Vulnerability scanning requires a separate plugin or add-on configured for each repository. Coverage depends on which teams set it up correctly. At 1,000+ repositories, full coverage is a goal, not a guarantee.
    With Cloudsmith: Cloudsmith scans every artifact on ingestion against OSV, Trivy, and other vulnerability databases. When a new CVE is disclosed, Cloudsmith re-scans existing packages automatically. Set policy once and it applies across every repository.
    Self-hosted artifact management: Policy enforcement is uneven across repositories. Teams configure their own rules, or don't. License compliance and vulnerability thresholds depend on individual repository settings. Auditing policy consistency across 1,000+ repositories is a manual exercise.
    With Cloudsmith: Cloudsmith applies OPA Rego-based policy consistently across every repository in the organization. Define the rules once. Cloudsmith enforces them everywhere, on every format, for every team.
    How Cloudsmith works for Volvo Cars

    Built for embedded software teams and the CI platform behind them.

    Cloudsmith supports the package formats that Volvo Cars' embedded and application software teams depend on, and integrates natively with the toolchain that the platform team already runs.

    Native support for embedded and application formats

    PyPI, Docker, Maven, Conan, Debian, RPM, Helm, and 25+ more. One platform for the formats Volvo Cars' software-defined vehicle program and application teams both use. Engineers point at Cloudsmith; the format support is already there.

    Upstream proxying and caching

    Cloudsmith proxies public registries and caches packages locally across 600+ edge PoPs. Build jobs resolve artifacts fast regardless of where your EKS nodes are running. Upstream dependencies route through Cloudsmith, so policy applies to them too.

    Continuous vulnerability scanning

    Every artifact is scanned at ingestion, then re-scanned when new CVEs are disclosed. Packages that exceed Volvo Cars' policy thresholds are automatically quarantined. Security coverage doesn't depend on team-level configuration.

    Policy enforcement with OPA Rego

    Write policy as code using OPA Rego. Version-control the rules alongside your other platform configuration. Apply them consistently across every repository, every format, every team. License compliance, vulnerability severity thresholds, and approved package lists all enforced in one place.

    Full audit trail and SIEM integration

    Every push, pull, and policy event is logged with full context: who, what, when, and source. Logs can be exported to the systems that Volvo Cars already uses. Client logs and audit logs provide security and compliance teams with the traceability they need without involving the platform team.

    SBOM generation and package signing

    Cloudsmith generates SBOMs across your container images and signs packages with GPG and PGP standards. Every artifact has a verifiable chain of custody.

    Managed infrastructure means Volvo Cars' platform engineers can focus on the software that goes in cars.

    The platform engineering team at a company building software-defined vehicles has a finite amount of engineering time. The artifact layer is not where that time should go. Self-hosted artifact management at scale is a genuine operational burden: upgrades that require coordination, capacity incidents during build spikes, scanning configurations that drift across teams, and on-call rotations for infrastructure that should be invisible. Cloudsmith removes that load. The platform team configures and governs the artifact layer. Cloudsmith then enforces these policies across every repository. The infrastructure behind it is Cloudsmith's responsibility to run, scale, and maintain. Your engineers spend their time on the tooling and developer experience that 2,000 people actually depend on.
    Teams at scale trust Cloudsmith
    Cloudsmith just works - whether it's failover, automation, or support. It's the first platform we've used that feels like a true partner in how we build and operate software.

    Michael Boldischar

    Software Engineering Manager @ Thrivent

    The challenge

    Thrivent relied on a single on-prem artifact server hosted in their data center. Geographically distributed teams experienced inconsistent package delivery, slow build times, and mounting infrastructure maintenance overhead.

    With Cloudsmith

    Teams no longer needed to maintain databases, optimize edge nodes, or manage on-prem infrastructure. Cloudsmith's high-concurrency architecture removed the bottlenecks that had been slowing pipelines during peak CI/CD demand.

    Results
    • Artifact management incidents decreased by 62%
    • Significantly reduced infrastructure costs and maintenance overhead
    • Consistent, low-latency artifact access for distributed teams
    Trusted by platform and security teams at companies building at scale.
    Momentum leader, Leader, Highest user adoption

    See what Cloudsmith looks like in Volvo Cars' environment

    30+ package formats. Upstream proxying with 600+ edge PoPs. Continuous vulnerability scanning at ingestion. OPA Rego policy enforcement across every repository. No infrastructure to operate. Book a technical conversation and we'll show you how it works with your EKS setup and the toolchain your platform team already runs.