Formats/Conan

Secure, cloud-native Conan repository management

Cloudsmith gives C and C++ teams a fully managed, private Conan repository that supports both Conan 2.0 and 1.0, with built-in security scanning, fine-grained access control, and global distribution across 600+ edge points of presence.

Universal format support

Centralise your C and C++ artifacts. Cloudsmith is a secure, managed store for Conan packages and every other format your teams depend on.

  • Use Conan + 30 other formats in a single platform
  • Manage private C/C++ binaries across all platforms and architectures
  • Centralise Conan packages alongside containers, OS packages, and raw assets

How we support Conan

Cloudsmith gives C and C++ teams a fully managed Conan registry, with the security, compliance, and distribution controls that self-hosted or ad-hoc solutions can't match.
    Conan 2.0 and 1.0 support
    Cloudsmith supports both Conan 2.0 and the legacy 1.0 protocol, so your teams can migrate at their own pace without breaking existing pipelines.
    Vulnerability scanning
    Scan every uploaded Conan package for CVEs and malware. Enforce quarantine rules automatically so known-bad packages never reach your builds.
    Global CDN delivery
    Packages are served from 600+ edge points of presence worldwide, cutting download times for distributed C/C++ teams regardless of platform or region.
    Granular access control
    Use OIDC, SAML/SSO, and token-based entitlements to control exactly who can push or pull packages, down to the individual repository level.
    Policy-as-code enforcement
    Write OPA Rego policies to gate which Conan packages enter your repositories, block vulnerable versions, and enforce licence compliance automatically.

Why teams choose Cloudsmith for Conan

C and C++ teams spend too much time wrestling with fragile self-hosted registries and insecure ad-hoc binary sharing. Cloudsmith eliminates that friction.
Without CloudsmithTeams share C/C++ binaries via network drives, Git submodules, or unmanaged Artifactory instances - leading to broken builds and no audit trail.
With CloudsmithCloudsmith gives every team a private, versioned Conan repository with full client and audit logs, so you always know what was pulled and when.
Without CloudsmithVulnerability scanning is manual or non-existent. A malicious or outdated C/C++ dependency can ship undetected to production.
With CloudsmithEvery package upload is scanned for CVEs and malware automatically. Policy rules quarantine non-compliant packages before they touch your pipelines.
Without CloudsmithGlobally distributed teams suffer slow binary downloads because a self-hosted registry is anchored to a single region, compounding already long C++ build times.
With CloudsmithCloudsmith's 600+ edge PoPs serve Conan packages from the closest location to each developer, slashing download times and speeding up CI pipelines.

Signs you're ready to switch to Cloudsmith for Conan

Self-hosted registries and ad-hoc binary sharing work until they don't. If any of these sound familiar, Cloudsmith is the upgrade your C/C++ team needs.
    Build times keep creeping up
    A single-region self-hosted registry forces every global team member to pull large C/C++ binaries across a slow WAN. Cloudsmith's edge network eliminates that bottleneck.
    No visibility into what's in your binaries
    Without automated scanning, a vulnerable C/C++ dependency can slip into production undetected. Cloudsmith scans every Conan package and surfaces CVEs before they reach your builds.
    Access control is all or nothing
    Flat-permission registries give teams either full access or none. Cloudsmith's per-repository, per-team entitlements let you enforce least-privilege across every Conan feed.
    Your registry only handles Conan
    Juggling separate registries for Conan, Docker, and OS packages is a maintenance tax. Cloudsmith consolidates 30+ formats in one platform, reducing infrastructure complexity.
    Compliance audits are a nightmare
    Without an immutable audit trail, proving what was shipped and when is guesswork. Cloudsmith's full client and audit logs give you the evidence you need for any compliance review.

Get started with Conan on Cloudsmith

Frequently asked questions

  1. Yes. Cloudsmith supports both Conan 2.0 and the legacy 1.0 protocol, so your teams can migrate at their own pace without disrupting existing pipelines or recipes.

  2. Use the native Conan CLI: run conan remote add and authenticate with your Cloudsmith API key or OIDC token. Full setup steps are in our Conan documentation at docs.cloudsmith.com.

  3. Yes. All repositories on Cloudsmith are private by default, with fine-grained access controls per repository and per team. You can also create public repositories for open source distribution.

  4. Yes. Every package uploaded to Cloudsmith is automatically scanned for CVEs and malware. You can configure policy rules to quarantine or reject packages that exceed a defined severity threshold.

  5. Cloudsmith stores Conan packages as uploaded, preserving the full binary model including settings like OS, compiler, architecture, and build type. Teams retrieve exactly the binary they need using standard Conan profile resolution.

  6. Yes. Cloudsmith supports OIDC for CI/CD authentication and SAML/SSO for team and identity provider integration, so you can enforce organisation-wide access policies without managing static credentials.

  7. Cloudsmith serves packages from 600+ edge points of presence worldwide. Teams pull pre-built Conan binaries from the nearest PoP rather than recompiling from source or downloading from a distant single-region registry, cutting CI download times significantly.

  8. Yes. Cloudsmith supports upstream proxying and caching, so you can route ConanCenter pulls through your private Cloudsmith repository. This lets you apply security policies to all open-source Conan packages before they reach your teams.

  9. Yes. Cloudsmith's policy engine uses OPA Rego, letting you write declarative rules that gate which packages can enter a repository, block specific CVE severities, and enforce licence requirements - all enforced automatically on every push.

  10. You can upload existing packages directly via the Cloudsmith CLI, REST API, or native Conan tooling. Our team can guide you through a migration plan - book a demo to discuss your specific environment and package volumes.

Formats

There’s more than just Conan on Cloudsmith