Every language ecosystem. One governed artifact layer.

Every language ecosystem is a separate attack surface with its own registries and its own policies to maintain. One misconfigured registry or unscanned dependency is all it takes. Cloudsmith gives you a single governed layer across your entire SDK estate — consistent policy, consistent enforcement, across every pipeline.

Why Cloudsmith

  1. One registry across every SDK language you ship
    Java, Kotlin, Scala, Python, Go, Rust, Swift, C#, and more. Every format in one platform, with one policy and one audit log. No more patching together separate registries per ecosystem.
  2. A consistent artifact layer, regardless of how your teams build
    Different teams, different pipelines, one governed artifact layer. Cloudsmith integrates across your full pipeline estate without requiring each team to manage their own registry.
  3. Fully managed, works across all your environments
    No registry infrastructure to run or maintain. Cloudsmith is cloud-native and fully managed, giving your teams a consistent artifact layer across all your environments.

The Cloudsmith difference for Vonage

Vonage's engineering organisation already operates serious security controls. But artifact governance across a polyglot estate spanning multiple CI/CD systems and cloud environments is a different challenge. Those controls operate at the application and infrastructure layer. Open-source dependencies enter your containers, your SDKs, and your Kubernetes workloads through registries that were never designed to be governed at that scale. Cloudsmith is the layer that closes that gap.
Your current position: Multiple language ecosystems, each pulling from separate public registries with no consistent policy applied.
With Cloudsmith: Cloudsmith consolidates every format into a single governed layer — one policy, one audit log, one source of truth across your entire SDK estate.

Your current position: Multiple CI/CD pipelines across your engineering organisation, each team consuming artifacts through its own workflow with no shared enforcement layer.
With Cloudsmith: Cloudsmith integrates with every pipeline in your estate. Consistent artifact access, consistent policy enforcement, and a single audit trail regardless of which CI system a team uses.

Your current position: Cloud-native package registries cover some formats in some environments, but no single tool spans your full stack or your full cloud footprint.
With Cloudsmith: Cloudsmith is cloud-neutral — one registry that works across your AWS and Azure environments, with native support for Helm, Docker, and every package format your teams use.

Your current position: Multiple source control platforms in use across teams. No single SCM's native package registry can serve all of them, leaving gaps in governance that each team fills differently.
With Cloudsmith: Cloudsmith sits independently of any SCM. Every team — regardless of whether they use GitLab, GitHub, BitBucket, or Azure Repos — publishes and consumes through the same governed layer.

One platform for every format your engineers depend on

A polyglot estate means a fragmented registry estate — separate tools, separate access policies, and separate audit trails for each language ecosystem. Cloudsmith replaces that sprawl with a single platform that covers every format your engineers depend on, all under one consistent policy engine and one audit log.
  • Replace fragmented per-ecosystem registries with a single governed layer
  • Native Helm chart hosting for your EKS, Argo CD, and Flux CD workflows
  • Maven, Gradle, PyPI, Cargo, CocoaPods, NuGet, npm — all first-class formats
  • One access policy, one audit log, across AWS and Azure environments

The threat is not theoretical

Recent supply chain attacks show exactly how attackers exploit the gap between dependency consumption and security scanning — including campaigns that specifically target npm, Python, and container ecosystems used across communications and developer platform engineering.

Cooldown policies

Packages your teams depend on, under active attack

Modern development moves fast. Packages are published continuously, and attackers exploit the window between publication and detection. Cloudsmith's cooldown policies hold newly published package versions in quarantine for a configurable period before they can reach any build system or container runtime – structurally eliminating an entire class of attack that pipeline scanning cannot stop.

Axios – 100 million weekly downloads, March 2026

A North Korean state actor compromised the Axios npm account and published two malicious versions carrying a phantom dependency created less than 24 hours earlier. The malicious versions were live for roughly 3 hours – enough to compromise any pipeline running a fresh install. A cooldown policy would have blocked the phantom dependency at ingestion before it reached a single build.

Shai-Hulud / Mini Shai-Hulud – self-replicating npm worm, 2025–2026

An ongoing self-replicating npm worm steals maintainer credentials and publishes malicious versions of every package that maintainer controls – with valid provenance attestations, meaning integrity checks pass. Teams with cooldown policies active were not exposed. Teams relying on pipeline scanning alone were.
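To make the cooldown mechanism described above concrete, here is an added Python model (not Cloudsmith's own code) of an ingestion gate: a version is only resolvable once it has been public for longer than the cooldown window, and the gate walks transitive dependencies so a freshly created phantom dependency blocks the whole install. The package index, version numbers and timestamps are constructed to mirror the Axios incident, not the real ones.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Release:
    name: str
    version: str
    published: datetime   # first seen on the upstream registry
    deps: tuple = ()      # (name, version) pairs this release pulls in

def _vkey(version):
    """'1.2.10' -> (1, 2, 10) so versions order numerically."""
    return tuple(int(p) for p in version.split("."))

def is_cooled_down(rel, now, cooldown):
    return now - rel.published >= cooldown

def resolve(name, index, now, cooldown):
    """Newest release of `name` whose cooldown has elapsed, or None."""
    ok = [r for r in index if r.name == name and is_cooled_down(r, now, cooldown)]
    return max(ok, key=lambda r: _vkey(r.version), default=None)

def gate(root, index, now, cooldown):
    """Walk the dependency graph from `root`; return the releases that are still
    in quarantine (an empty list means the install is allowed)."""
    by_id = {(r.name, r.version): r for r in index}
    blocked, seen, stack = [], set(), [root]
    while stack:
        rel = stack.pop()
        if (rel.name, rel.version) in seen:
            continue
        seen.add((rel.name, rel.version))
        if not is_cooled_down(rel, now, cooldown):
            age_h = (now - rel.published).total_seconds() / 3600
            blocked.append(f"{rel.name}@{rel.version}: published {age_h:.0f}h ago, "
                           f"cooldown is {cooldown.total_seconds() / 3600:.0f}h")
        stack.extend(by_id[d] for d in rel.deps)
    return blocked

# Constructed index modelling the Axios incident (version numbers and
# timestamps are made up for illustration, not the real ones).
NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
COOLDOWN = timedelta(days=7)
INDEX = [
    Release("axios", "1.0.0", NOW - timedelta(days=400)),
    Release("phantom-dep", "1.0.0", NOW - timedelta(hours=20)),  # created <24h earlier
    Release("axios", "1.0.1", NOW - timedelta(hours=2), deps=(("phantom-dep", "1.0.0"),)),
]

if __name__ == "__main__":
    print("resolved:", resolve("axios", INDEX, NOW, COOLDOWN).version)
    print("blocked:", gate(INDEX[2], INDEX, NOW, COOLDOWN))
```

The window has to be longer than the time a malicious version typically stays live: with a one-hour cooldown the same two releases pass straight through.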

Why Vonage's engineering organisation needs Cloudsmith

Scale, complexity, and a serious governance obligation

A communications platform serving developers across every major language means a registry estate that spans Java, Kotlin, Python, Go, Rust, Swift, and more — each with its own upstream registries and its own risk profile. Managing that consistently across multiple CI/CD systems and cloud environments isn't something generic DevOps tooling was designed for. Cloudsmith was.

Polyglot at scale

Your SDK estate spans multiple language ecosystems, each with its own upstream registries and its own risk profile. Cloudsmith governs all of them from one platform — one policy, applied consistently, regardless of format.

Multiple CI/CD systems, one governed layer

Different teams build and ship differently. Cloudsmith integrates across your full pipeline estate without requiring each team to manage their own registry or enforce their own policy.

Cloud-native, fully managed

No registry infrastructure to run or maintain across your AWS and Azure environments. Cloudsmith is fully managed and works across both, giving your teams a consistent artifact layer without the operational overhead.

Every format. One policy. Zero exceptions.

Python, TypeScript, JavaScript, Rust, C#, Docker, Helm, and Terraform. Each ecosystem is its own attack surface with its own registries and its own risk profile. Cloudsmith gives you a single governed layer across all of them – one policy, one audit log, one source of truth.

Python and Rust

Cloudsmith proxies PyPI and crates.io consumption through a governed layer – scanning for malware and CVEs before any package reaches your lab software or backend services.

npm and Docker

JavaScript and TypeScript dependencies plus container base images – all governed under the same policy. One set of rules across your frontend, backend, and ECS workloads.

Helm charts – a native Cloudsmith format

Cloudsmith provides first-class Helm chart hosting and proxy support for your EKS deployments. Consistent policy from code to cluster, with the same audit trail as every other format.

NuGet, Terraform, and more

C# and .NET packages, Terraform providers, and 30+ additional formats all governed from one platform. Your entire software supply chain, under one policy and one audit log.

Compliance surface area grows with your platform. Your supply chain controls need to keep pace.

As Vonage's platform grows and your developer ecosystem expands, so does the compliance and security surface area attached to your software supply chain. Every new language ecosystem, every new CI/CD integration, every new cloud environment is another vector that needs consistent governance. Cloudsmith gives your security and compliance teams what they need: policy enforcement with full audit trails, SBOM generation, and artifact signing — built into your pipelines from day one.
  • Automated SBOM generation for every artifact in your supply chain
  • Vulnerability policy enforcement with full audit trails
  • Artifact signing and provenance tracking across all supported formats
  • Evidence chain ready for compliance review — no separate tooling or manual assembly required

The most important capability for us is the ability to quarantine and block vulnerable artifacts. Ease of access to vulnerability information – and the ability to act on it – has been the biggest change for us.

Rich Dammkoehler

VP Architecture & Governance @ ConstructConnect

Before

ConstructConnect's InfoSec team demanded stronger supply chain security controls – but their tooling couldn't deliver. Vulnerability scanning existed, but enforcing policy compliance across a fragmented artifact estate was manual and inconsistent. Development teams spent time on pipeline workarounds instead of shipping features. With over 100 engineers working across npm, Helm, Maven, Python, NuGet, and Docker, the lack of centralized governance created real risk – and real overhead.

With Cloudsmith

ConstructConnect deployed Cloudsmith's Enterprise Policy Manager to automate quarantine and blocking of non-compliant and vulnerable packages. Vulnerability scanning, license scanning, package signing, and SBOM generation became part of every pipeline – not a separate compliance exercise. Only artifacts that pass scanning reach development teams. Multi-format repositories replaced a fragmented estate of individual repositories, cutting management overhead across the team.

Results

  • Governance scores improved quarter on quarter
  • Near-zero high and critical vulnerabilities across the supply chain
  • InfoSec team gained the visibility to act on vulnerabilities, not just identify them
  • Developers moved from managing pipeline workarounds to delivering features
  • Every artifact reaching production is verified and compliant
Ready to see Cloudsmith in action?
Talk to our team about consolidating your artifact estate into a single governed layer across every language ecosystem, every pipeline, and all your cloud environments.