Secure, private Alpine repository hosting on Cloudsmith

Alpine Linux is a lightweight, security-focused Linux distribution widely used as the base for Docker containers and embedded systems. Cloudsmith gives you a fully managed, cloud-native Alpine repository that scales with your team, supports native apk tooling, and gives you complete control over access and security.

Universal format support

One platform for all your artifacts. Cloudsmith is a secure, centralized store for Alpine packages, containers, and more.

  • Use Alpine + 30 other formats
  • Proxy and cache upstream Alpine Linux mirrors to protect builds from outages
  • Manage Alpine packages alongside Docker containers in a single repository

How we support Alpine

Cloudsmith gives you a fully managed Alpine repository with everything your team needs to push, pull, and secure APK packages using native tooling.
  • Native APK compatibility: Push and pull Alpine packages using standard apk tooling. Cloudsmith provides APK-compatible repository endpoints that work with your existing workflows without any additional configuration.
  • RSA-signed repositories: Every Cloudsmith Alpine repository is RSA-signed so clients can verify package authenticity via apk. Entitlement token and HTTP Basic authentication protect private repositories.
  • Vulnerability scanning and policy enforcement: Automatically scan Alpine packages for CVEs and apply OPA Rego policies to quarantine or block packages that violate your security standards before they reach your teams.
  • Upstream proxying and caching: Proxy and cache packages from Alpine Linux mirrors so your builds never fail due to upstream outages. Cloudsmith keeps a permanent local copy of every package your pipelines depend on.
  • Multi-format repositories: Store Alpine packages alongside Docker images, Debian packages, Python wheels, and 30 other formats in the same Cloudsmith repository. One platform, one bill, full control.

Why teams choose Cloudsmith for Alpine

Teams using Alpine Linux in Docker-heavy pipelines hit the same walls: broken builds from upstream package removal, no version pinning, and zero security controls. Cloudsmith fixes all of it.

  • Without Cloudsmith: Upstream Alpine mirrors remove or replace package versions without warning, causing Docker builds to fail mid-pipeline when a specific version of a package disappears.
  • With Cloudsmith: Cloudsmith caches every package version your pipelines pull, so builds always resolve the exact version they need, regardless of what happens upstream.

  • Without Cloudsmith: Alpine's public repositories lack strict version retention, making it impossible to lock package versions reliably and guarantee identical, reproducible builds across environments.
  • With Cloudsmith: Cloudsmith gives you a private repository with stable, immutable package storage. Your teams pin exact versions and reproduce builds consistently, every time.

  • Without Cloudsmith: Self-hosted or ad-hoc Alpine repositories have no built-in security scanning, no policy enforcement, and no audit trail, leaving teams blind to CVEs in their APK dependencies.
  • With Cloudsmith: Cloudsmith scans every Alpine package for vulnerabilities, enforces OPA Rego policies automatically, and produces a full audit log so your security team has complete visibility.

Signs you're ready to switch to Cloudsmith for Alpine

If your current Alpine setup is blocking builds, creating security blind spots, or demanding constant maintenance, Cloudsmith is the upgrade. Here is what teams tell us pushes them to switch.
  • Upstream package removal breaks your Docker builds: Alpine's public mirrors prune old package versions regularly. If your Dockerfiles reference a specific version that disappears, your build fails. Cloudsmith caches upstream packages permanently so this never happens.
  • No security scanning on your APK dependencies: Running Alpine packages without vulnerability scanning is a supply chain risk. Cloudsmith automatically scans every package for CVEs and lets you define policies that quarantine or block risky packages before they reach production.
  • Self-hosted infrastructure you don't want to manage: Running your own Alpine mirror means patching servers, managing storage, and handling failover. Cloudsmith is fully managed: no servers to maintain, no downtime to babysit, and 99.9% uptime backed by a global CDN.
  • Fragmented tooling across formats: Teams using Alpine alongside Docker, Python, or Debian end up with multiple registries and tooling to manage. Cloudsmith consolidates all 30+ formats into one repository, one access model, and one audit trail.
  • Access control that doesn't scale with your team: Sharing Alpine packages with customers or partners using shared credentials is a security risk. Cloudsmith's entitlement token system gives each consumer a unique, revocable token with fine-grained permissions.

Frequently asked questions

  1. Yes. Cloudsmith provides APK-compatible repository endpoints so you can use standard apk commands to push and pull packages without any additional plugins or wrappers. Setup instructions with copy-paste snippets are available directly inside each repository.

  2. Private repositories support Entitlement Token Authentication and HTTP Basic Authentication. Entitlement tokens can be scoped, time-limited, and revoked individually, giving you fine-grained control over who can access each repository.

  3. Yes. Every Cloudsmith Alpine repository is signed with an RSA key. Clients verify package integrity via apk using the public key, ensuring packages have not been tampered with in transit.

  4. Yes. Cloudsmith supports upstream proxying and caching for Alpine Linux mirrors. Requested packages are fetched and permanently stored in your Cloudsmith repository, protecting your builds from upstream outages or version removal.

  5. Alpine and Wolfi both use the APK format but are distinct, incompatible distributions. Cloudsmith automatically detects the distribution at upload time. You should use separate Cloudsmith repositories for Alpine and Wolfi packages to avoid conflicts.

  6. Cloudsmith caches specific package versions from upstream mirrors permanently. This means the exact version your Dockerfile requests is always available, eliminating the broken builds that occur when Alpine's public mirrors remove or replace package versions.

  7. Cloudsmith automatically scans every uploaded Alpine package for known CVEs and malware. You can define OPA Rego policies to quarantine or block packages based on vulnerability severity, ensuring risky packages never reach your build pipelines.

  8. Yes. All Cloudsmith repositories are multi-format, meaning Alpine packages can sit alongside Docker images, Debian packages, Python wheels, and 30+ other formats in the same repository with a single access model and unified audit trail.

  9. You can upload existing APK packages to Cloudsmith via the CLI, REST API, or web app. Configure Cloudsmith as an upstream proxy for your existing mirrors to cache packages automatically, then update your /etc/apk/repositories entries to point at Cloudsmith. Your team's apk commands continue to work without modification.

  10. Cloudsmith supports all Alpine Linux release branches. The distribution and codename are specified at upload time and automatically detected at install time. You can also force a specific distribution and codename using the setup script parameters provided in the Cloudsmith repository setup instructions.
