Secure, hosted Cargo registry for Rust teams

Cloudsmith gives your Rust teams a fully managed, private Cargo registry backed by enterprise-grade security, policy-as-code, and a global CDN. Proxy crates.io through Cloudsmith to apply vulnerability checks, license controls, and custom policies before any crate reaches your developers or AI agents.

Universal format support

Cargo and 30+ formats, one place. Cloudsmith is the secure artifact store for every dependency your Rust teams and AI agents rely on.

  • Use Cargo + 30 other formats
  • Store Docker container images alongside Rust crates in the same repository
  • Centralize ML models and raw binary assets with your Cargo dependencies

How we support Cargo

Cloudsmith gives Rust teams a fully managed Cargo registry that handles private crate hosting, OSS proxying, and supply chain security in one place.
    Public and private Cargo registries
    Host public or private Cargo registries with full support for both the Git-based index protocol and the Sparse registry protocol introduced in Cargo v1.68. Point your Cargo.toml at Cloudsmith and start publishing crates immediately.
    Vulnerability scanning and CVE policies
    Every crate that flows through Cloudsmith - whether published internally or proxied from crates.io - is scanned for CVEs. Define OPA Rego policies to quarantine, block, or flag crates that exceed your risk threshold before they reach any developer or AI agent.
    crates.io upstream proxying
    Cloudsmith supports crates.io as an upstream, letting you proxy and cache public crates through your private registry. Your teams always pull from a single, controlled source, with no direct public internet exposure for your build pipelines.
    Entitlement token and HTTP Basic auth
    Secure access to private Cargo repositories using Entitlement Tokens or HTTP Basic Authentication. Set per-token download and upload permissions to enforce least-privilege access across teams, CI systems, and automated pipelines.
    Full audit logs and observability
    Every push, pull, and policy decision is captured in Cloudsmith's audit and client logs. Export logs to your analytics stack or SIEM to maintain full traceability across every Cargo dependency your teams consume.

Why teams choose Cloudsmith for Cargo

Teams that rely on crates.io directly or run a fragile self-hosted registry face dependency sprawl and a lack of security controls. Cloudsmith gives Rust teams a single, governed source of truth for every crate.

  • Without Cloudsmith: AI agents and developers pull crates directly from crates.io with no visibility or control over what enters your build. Vulnerable or poorly maintained crates reach production before anyone notices.
  • With Cloudsmith: All Cargo dependencies - from AI agents and developers alike - flow through Cloudsmith. Policies scan every crate for CVEs and license issues before it is available, giving you a safe, controlled software supply chain.
  • Without Cloudsmith: Running a self-hosted Cargo registry means ongoing maintenance, capacity planning, and operational risk. Downtime or misconfiguration blocks every Rust build across the organisation.
  • With Cloudsmith: Cloudsmith is fully managed with 600+ edge PoPs and automatic elasticity. Your Cargo registry scales with your team and stays available, with no infrastructure to maintain or patch.
  • Without Cloudsmith: No centralised record of which crates are used, by whom, or at what version. Audits are manual, slow, and incomplete - a serious problem when licence compliance or a supply chain breach is under scrutiny.
  • With Cloudsmith: Cloudsmith captures every crate download and publish event in immutable audit logs. Compliance reviews, incident investigations, and licence audits are fast, accurate, and fully self-service.

Signs you're ready to switch to Cloudsmith for Cargo

If your Rust teams are hitting the limits of crates.io or a self-hosted registry, Cloudsmith removes the friction and adds the controls enterprise teams need.
    No security controls on crate ingestion
    crates.io has no built-in mechanism to block vulnerable or licence-incompatible crates. Cloudsmith proxies crates.io and applies your CVE and licence policies before any crate becomes available to developers or AI agents.
    Self-hosted registry is a maintenance burden
    Teams maintaining their own Cargo registry spend engineering time on infrastructure instead of product. Cloudsmith is fully managed, removing operational overhead while delivering higher availability and global distribution.
    Slow dependency resolution on large Rust monorepos
    Large Rust codebases with hundreds of crates suffer from slow index fetches and high bandwidth costs. Cloudsmith's Sparse registry support and CDN-backed caching reduce resolution times significantly compared to the Git index protocol.
    Cargo is the only format, but your stack has many
    Rust rarely ships alone: teams also manage Docker images, Python packages, and other artifacts. Cloudsmith hosts 30+ formats in the same platform, so your entire software supply chain lives under one roof with unified access control and auditing.
    No enterprise access controls on crate distribution
    Publishing crates to crates.io is public by default, with limited access management for internal distributions. Cloudsmith gives you granular entitlement tokens, OIDC support, and SAML/SSO so the right people and systems access the right crates.

Frequently asked questions

  1. Yes. Cloudsmith supports both the traditional Git-based index protocol and the Sparse registry protocol introduced in Cargo v1.68. The Sparse protocol is recommended because it reduces bandwidth and improves dependency resolution speeds significantly compared to cloning the full index.

  2. Yes. Cloudsmith supports crates.io as an upstream source. You can configure your Cloudsmith repository to proxy requests for public crates, cache them locally, and apply your security and licence policies before making them available to your teams.

  3. Cloudsmith supports Entitlement Token authentication and HTTP Basic authentication for private Cargo repositories. You can configure credentials in your .cargo/config.toml file or pass them via environment variables such as CARGO_REGISTRIES_<NAME>_TOKEN. For Cargo versions below 1.74, URL-based authentication with the Sparse protocol is also supported.

  4. Yes. Every crate pushed to or proxied through Cloudsmith is scanned for known CVEs. You can define OPA Rego policies to automatically quarantine or block crates that exceed your acceptable risk threshold, keeping vulnerable dependencies out of your build pipeline.

  5. You can push your existing crates to Cloudsmith using the Cloudsmith CLI or the standard cargo publish command. Update your .cargo/config.toml to point at your Cloudsmith registry URL and you are ready to go. Our team is available to support migrations of any scale.

  6. Yes. Cloudsmith works with all major CI systems including GitHub Actions, GitLab CI, Jenkins, CircleCI, and Buildkite. You can pass authentication credentials via environment variables, ensuring your pipelines pull and publish crates securely without storing secrets in source code.

  7. Yes. Cloudsmith's policy engine can inspect the licence metadata extracted from each crate and block or flag crates with prohibited licences before they are made available. This is critical for commercial software teams who cannot incorporate certain open source licences into their codebase.

  8. Yes. Cloudsmith supports 30+ package formats in a single platform, and a single repository can hold multiple formats. This means your Rust crates, Docker images, Python packages, and other artifacts all live under one roof with unified access control, audit logging, and policy enforcement.

  9. Cloudsmith acts as the single source of truth for all crates demanded by AI agents and developers. By pointing agent package managers at Cloudsmith, every crate is checked against your policies before use. This prevents AI agents from ingesting vulnerable, poorly maintained, or licence-incompatible crates from public registries.

  10. Cloudsmith is a fully managed SaaS platform backed by a global CDN with 600+ edge points of presence. It is designed for high availability with automatic elasticity, meaning your Cargo registry scales with demand and stays available without any infrastructure management on your part. Enterprise SLA options are available.