Control and secure your Composer dependencies

Cloudsmith gives PHP teams a fully managed, private Composer repository with built-in security scanning, granular access controls, and upstream proxying - so you always know exactly what is flowing into your builds.

Universal format support

Composer, plus 30 other formats. Cloudsmith is a secure store for all your packages, containers, and artifacts.

  • Use Composer + 30 other formats in one platform
  • Store PHP packages alongside Docker images, npm modules, and any other artifacts your stack needs
  • Proxy and cache Packagist and other upstream registries so your builds never depend on external availability

How we support Composer

Cloudsmith gives PHP teams a fully managed Composer repository with the security controls, performance, and multi-format flexibility modern development demands.
    Private Composer repositories
    Push and pull Composer packages using native tooling. Add your Cloudsmith repository to the repositories section of composer.json, keep the credential in auth.json or a CI secret rather than in the committed file, and authenticate with API keys or OIDC tokens - no workflow changes required.
    Vulnerability scanning
    Every uploaded package is scanned for CVEs. Build policies that automatically quarantine or block packages that breach your risk thresholds before they ever reach a developer.
    Upstream proxying and caching
    Replace direct Packagist pulls with Cloudsmith upstreams. Cache approved packages at the edge, apply policies before they reach your teams, and protect builds from public registry outages.
    Granular access controls
    Define exactly who can push, pull, or manage packages with role-based permissions, SAML SSO, and SCIM provisioning. Audit every action with full client and audit logs.
    Multi-format repositories
    Store Composer packages alongside Docker images, npm modules, Python wheels, and more in a single repository. One platform for your entire PHP stack and beyond.

Why teams choose Cloudsmith for Composer

Self-hosted Satis setups and ad-hoc VCS repositories leave PHP teams with fragile, insecure dependency chains. Cloudsmith replaces that complexity with a fully managed solution you can trust.
Without Cloudsmith: Teams rely on Satis or raw VCS repositories for private packages, requiring manual rebuilds and custom infrastructure that breaks under scale.
With Cloudsmith: Cloudsmith gives you a fully managed private Composer repository. Push with cloudsmith push composer, pull with standard Composer tooling - no infrastructure to maintain.
Without Cloudsmith: Open-source packages are pulled directly from Packagist on every build, creating a hard dependency on public registry availability and no visibility into what enters your codebase.
With Cloudsmith: Upstream proxying caches approved Packagist packages in Cloudsmith. Builds stay fast and reliable even when public registries are slow or down, and every package is scanned before it reaches your team.
Without Cloudsmith: Access to private packages is controlled through personal SSH keys for VCS repositories or shared tokens committed in composer.json, with no audit trail and no way to revoke access at scale.
With Cloudsmith: Cloudsmith gives you fine-grained, token-based authentication backed by SAML SSO and SCIM. Revoke access instantly, enforce policies, and get a full audit log of every package pull.

Signs you're ready to switch to Cloudsmith for Composer

If your team is fighting your package infrastructure instead of shipping software, it is time for an upgrade. Cloudsmith removes the operational burden so your PHP developers can focus on code.
    Satis is slowing you down
    Every package update triggers a Satis rebuild. Cloudsmith gives you a live, always-current Composer repository with no manual rebuild steps and zero self-hosting overhead.
    No visibility into what enters your builds
    Pulling directly from Packagist gives you no control over vulnerable or malicious packages. Cloudsmith scans every package and lets you enforce policy before anything reaches your developers.
    Credentials are scattered and unaudited
    Personal SSH keys for VCS repositories and shared tokens hardcoded in composer.json create security exposure. Cloudsmith centralises authentication with scoped API keys, OIDC, SSO, and a full audit trail.
    Build failures from upstream outages
    When Packagist goes down, your builds fail. Cloudsmith's upstream caching keeps your pipelines running regardless of public registry availability.
    Composer is siloed from your other formats
    Separate tooling for PHP, Docker, npm, and other formats creates fragmented overhead. Cloudsmith manages every format your team uses from one platform, with consistent security and access controls.

Get started with Composer on Cloudsmith

Frequently asked questions

  1. Yes. Cloudsmith implements the full Composer repository protocol. You add your repository URL to the repositories section of your composer.json and authenticate using an API key - the same workflow you use with any Composer-compatible registry.

  2. You can upload packages via the Cloudsmith CLI using the push composer command, or through the web UI. Cloudsmith also accepts .phar and zip archive formats. Contextual setup instructions with pre-configured snippets are available directly inside each repository.

  3. Yes. You can configure Cloudsmith as an upstream proxy for Packagist and other Composer registries. Packages are cached at the edge so your builds stay fast and resilient even if public registries are unavailable.

  4. Yes. Every package uploaded to Cloudsmith is scanned for CVEs. You can build policies to quarantine or block packages that breach defined risk thresholds, and receive alerts when new vulnerabilities are detected in packages already in your repositories.

  5. Cloudsmith supports API key authentication through Composer's standard HTTP credential settings; keep the credential in auth.json or the COMPOSER_AUTH environment variable rather than in a committed composer.json. OIDC is available for CI/CD pipelines that support keyless auth. For teams, you can enforce SAML SSO and provision users via SCIM so access is always tied to your identity provider.

  6. Yes. All Cloudsmith repositories are multi-format. You can store Composer packages alongside Docker images, npm packages, Python wheels, and any other format your stack uses - all with consistent access controls and a single audit trail.

  7. Yes. Because Cloudsmith implements the standard Composer repository protocol, migration is straightforward. Update your repository URL in composer.json, upload your private packages, and configure any upstream proxies. No custom tooling or workflow changes are required.

  8. Cloudsmith gives you role-based permissions at the repository and package level. You can create scoped API keys with read-only or write access, integrate with your identity provider via SAML SSO, and automate provisioning with SCIM. Every action is recorded in the audit log.

  9. Yes. You can set a Cloudsmith repository to public, private, or open-source visibility. Public repositories are accessible without authentication, making Cloudsmith a viable option for teams distributing open-source PHP packages.

  10. Cloudsmith is built for high availability with redundancy across regions and a CDN-backed delivery network with 600 edge points of presence. For upstream-proxied packages, cached copies remain available to your builds even if the original upstream registry is unreachable.
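As an added illustration of the composer.json setup described under How we support Composer and in FAQ answers 1, 5 and 7 (example code written for this page, not Cloudsmith's own tooling), the script below audits a composer.json and auth.json pair for the pitfalls the page names - credentials committed to composer.json, plain-http repository URLs, raw VCS repositories that bypass the registry, and Packagist left enabled so public packages never pass through the proxy - and shows a weak configuration beside the hardened one. The repository URL path, owner and repository names, and credentials are placeholders, not values taken from Cloudsmith documentation.

```python
"""Audit a composer.json / auth.json pair for common private-registry pitfalls.
Added example; the host path, owner, repo and credentials are placeholders."""
import json
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlparse

# "config" keys that Composer reads as credentials; they belong in auth.json
# (or the COMPOSER_AUTH environment variable), never in a committed composer.json.
CREDENTIAL_KEYS = ("http-basic", "bearer", "github-oauth", "gitlab-token",
                   "gitlab-oauth", "bitbucket-oauth")


def _repositories(composer: dict) -> Iterator[Tuple[str, object]]:
    """Yield (name, definition) pairs for both forms Composer accepts:
    an object keyed by name, or a list where {"packagist.org": false}
    is a special entry rather than a repository."""
    repos = composer.get("repositories", [])
    if isinstance(repos, dict):
        yield from repos.items()
        return
    for index, repo in enumerate(repos):
        if isinstance(repo, dict) and set(repo) == {"packagist.org"}:
            yield "packagist.org", repo["packagist.org"]
        else:
            yield str(index), repo


def audit_composer_config(composer: dict, auth: Optional[dict] = None) -> List[str]:
    """Return a list of findings; an empty list means the pair passed."""
    findings: List[str] = []
    private_hosts = set()
    packagist_disabled = False

    for name, repo in _repositories(composer):
        if name == "packagist.org":
            packagist_disabled = repo is False
            continue
        if not isinstance(repo, dict):
            continue
        kind, url = repo.get("type"), repo.get("url", "")
        if kind == "composer":
            parsed = urlparse(url)
            if parsed.scheme != "https":
                findings.append(f"repository {name!r} is not https; tokens would travel in clear text")
            if parsed.hostname:
                private_hosts.add(parsed.hostname)
        elif kind in ("vcs", "git", "github", "gitlab"):
            findings.append(f"repository {name!r} is a raw VCS source; it bypasses scanning and policy")

    for key in CREDENTIAL_KEYS:
        if key in composer.get("config", {}):
            findings.append(f"'{key}' credentials are embedded in composer.json; move them to auth.json")

    if private_hosts and not packagist_disabled:
        findings.append('packagist.org is still enabled; set "packagist.org": false '
                        'so public packages resolve only through the proxy')

    for host in sorted(private_hosts):
        stored = any(host in (auth or {}).get(key, {}) for key in ("http-basic", "bearer"))
        if not stored:
            findings.append(f"no auth.json credential for {host}; Composer will prompt or fail "
                            "instead of using a managed secret")
    return findings


# Constructed "before" config: plain http, a raw VCS repo, a token committed in
# composer.json, and Packagist still reachable directly.
WEAK_COMPOSER_JSON = """{
  "repositories": [
    {"type": "composer", "url": "http://dl.cloudsmith.io/basic/acme/php-private/php/"},
    {"type": "vcs", "url": "git@github.com:acme/legacy-lib.git"}
  ],
  "config": {"http-basic": {"dl.cloudsmith.io": {"username": "ci-bot", "password": "api-key-placeholder"}}}
}"""

# Constructed "after" config: https, Packagist disabled so every public package
# comes through the upstream proxy, and no credential in the committed file.
HARDENED_COMPOSER_JSON = """{
  "repositories": [
    {"type": "composer", "url": "https://dl.cloudsmith.io/basic/acme/php-private/php/"},
    {"packagist.org": false}
  ]
}"""

# auth.json (kept out of version control) holds the credential; placeholder values.
HARDENED_AUTH_JSON = """{"http-basic": {"dl.cloudsmith.io": {"username": "ci-bot", "password": "api-key-placeholder"}}}"""


def audit_files(composer_text: str, auth_text: Optional[str] = None) -> List[str]:
    """Parse the JSON documents and audit them."""
    return audit_composer_config(json.loads(composer_text),
                                 json.loads(auth_text) if auth_text else None)


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_COMPOSER_JSON,)),
                        ("hardened", (HARDENED_COMPOSER_JSON, HARDENED_AUTH_JSON))):
        result = audit_files(*args)
        print(f"{label}: {'ok' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Disabling packagist.org matters because Composer otherwise resolves any package name not found in the private repository straight from Packagist, so the proxy, its cache and its scanning are bypassed for exactly the packages you have least visibility into. Composer 2 also treats repositories as canonical by default, so a package found in the Cloudsmith repository is not re-resolved from a lower-priority repository.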

Formats

There’s more than just Composer on Cloudsmith