Secure, cloud-native Gradle artifact management on Cloudsmith

Cloudsmith gives your Java and JVM teams a fully-managed, private Gradle repository with global reach, fine-grained access control, and governance policies that keep every dependency clean. Stop wrestling with self-hosted infrastructure and focus on shipping software.

Universal format support

Simplify and streamline operations. Cloudsmith is a secure store for all packages, containers and assets.

  • Use Gradle + 30 other formats
  • Store Maven JARs alongside Gradle publications in the same repository
  • Centralize Docker container images and raw binaries next to your JVM artifacts

How we support Gradle

Cloudsmith gives JVM and Android teams a fully-managed Gradle repository that integrates with native tooling, supports both Groovy and Kotlin DSL configurations, and delivers packages via a global CDN with no infrastructure to maintain.
    Native Gradle and Maven API support
    Cloudsmith exposes a Maven-compatible endpoint, so your existing build.gradle files work without modification. Both Groovy and Kotlin DSL configurations are supported via entitlement token or HTTP Basic auth.
    Global CDN delivery
    Packages are served from 600+ edge PoPs worldwide. Distributed teams resolve dependencies from the nearest node, cutting build times without any additional configuration.
    Governance and policy enforcement
    Create and enforce OPA Rego policies governing which modules are permitted in your repositories. Block specific versions, require specific metadata fields, or quarantine packages that do not meet your criteria before any team member installs them.
    Upstream proxying and caching
    Proxy Maven Central, Google, and other remote repositories through Cloudsmith. Packages are cached on first pull, giving you faster subsequent downloads and an isolated fallback if upstream registries go down.
    Granular access and team controls
    Assign repository-level read, write, or admin permissions per team or service account. Entitlement tokens scope access to specific repositories, making it straightforward to distribute artifacts to CI systems or external consumers.

Why teams choose Cloudsmith for Gradle

Fragmented registries and self-hosted repository managers create slow builds, security blind spots, and operational toil. Cloudsmith removes that overhead and gives your teams a single, reliable place for every Gradle artifact.
Without Cloudsmith: Dependency resolution is slow and unpredictable. Teams pulling from Maven Central or a remote S3-backed repository hit network timeouts and inconsistent latency, stalling CI pipelines mid-build.
With Cloudsmith: Cloudsmith serves Gradle artifacts from 600+ global edge nodes. Dependencies resolve fast wherever your engineers and CI runners are located, with no configuration changes needed in your build scripts.
Without Cloudsmith: There is no central control over which modules are allowed into builds. Any version of any package can be pulled by any developer, leaving teams exposed to transitive dependency conflicts and unapproved libraries.
With Cloudsmith: OPA Rego governance policies let you define exactly which modules are permitted, block specific versions, and quarantine non-compliant packages automatically before they reach a single developer machine.
Without Cloudsmith: Self-hosted Nexus or Artifactory instances require dedicated ops effort to maintain availability, apply patches, and scale storage. Outages cascade directly into broken builds across every team that depends on them.
With Cloudsmith: Cloudsmith is fully managed with no servers to provision or patch. High availability is built in, and Cloudsmith's team handles infrastructure so your engineers can focus on building product rather than maintaining tooling.

Signs you're ready to switch to Cloudsmith for Gradle

If your current Gradle repository setup is slowing down pipelines, creating security gaps, or demanding too much ops attention, Cloudsmith is the upgrade your team needs.
    Slow dependency resolution everywhere
    Teams pulling Gradle packages from a single self-hosted instance or directly from Maven Central face latency that compounds across every CI run. Cloudsmith's CDN-backed delivery resolves this at the infrastructure level, not through fragile workarounds.
    No governance over which packages enter your builds
    Without policy enforcement, any version of any module can end up in a build. Cloudsmith gives you OPA Rego policies to block prohibited versions, quarantine packages that fail metadata checks, and enforce standards before anything reaches developers.
    Self-hosted infrastructure eating engineering time
    Keeping Nexus or Artifactory patched, backed up, and highly available is continuous undifferentiated work. Cloudsmith is fully managed: no servers, no maintenance windows, and no on-call rotation for your repository layer.
    Weak multi-format support fragments your toolchain
    JVM teams often need Maven, Gradle, Docker, and raw artifacts in close proximity. Cloudsmith repositories are multi-format by default, letting you store every artifact type in one place rather than managing a separate registry per format.
    Access control is coarse or nonexistent
    Shared credentials and broad repository access are common in self-hosted setups. Cloudsmith gives you per-repository entitlement tokens, team-level permissions, and full audit logs so you always know who published or downloaded what.

Frequently asked questions

  1. Yes. Cloudsmith exposes a Maven-compatible endpoint that works with any valid Gradle configuration, whether you write your build scripts in Groovy DSL or Kotlin DSL. You add the repository URL to your build.gradle or build.gradle.kts file and configure authentication using entitlement tokens or HTTP Basic credentials.

  2. Cloudsmith supports entitlement token authentication and HTTP Basic authentication. Entitlement tokens require no additional credentials configuration in your build file, making them well-suited for CI/CD pipelines. HTTP Basic credentials can be stored securely in your ~/.gradle/gradle.properties file to keep them out of version control.

  3. Yes. Cloudsmith upstream proxying lets you route requests for external Gradle and Maven dependencies through your Cloudsmith repository. Packages are cached on first pull and served from Cloudsmith's global CDN on subsequent requests, which speeds up builds and insulates your team from upstream outages or rate limits.

  4. Cloudsmith's policy engine lets you write OPA Rego rules that govern which packages and versions are permitted in each repository. You can block specific module versions, require metadata fields, or quarantine packages that fail your criteria. Non-compliant packages are held in quarantine and never served to developers until they are reviewed and approved.

  5. Yes. All Cloudsmith repositories are multi-format. You can store Gradle and Maven publications, Docker container images, raw binaries, and artifacts in 30+ other formats in the same repository. This removes the need to maintain a separate registry for each format your team uses.

  6. Cloudsmith's support team can guide you through migrating existing artifacts and reconfiguring your build scripts to point at Cloudsmith endpoints. For most teams the change is a single URL update in build.gradle, plus credentials configuration. Upstream proxying means you can continue to access external packages without rebuilding your dependency strategy from scratch.

  7. Cloudsmith delivers packages through a CDN backed by 600+ global edge points of presence. Teams resolve dependencies from the node closest to their location, which significantly reduces latency compared to a single-region self-hosted server. Upstream caching means that once a remote dependency is pulled it is served from Cloudsmith on every subsequent request.

  8. Yes. You can configure separate Cloudsmith repositories for snapshot and release publications and reference both in your build.gradle publishing block. Cloudsmith's endpoint structure supports the standard Maven URL conventions that Gradle uses to differentiate between snapshot and non-snapshot artifacts.

  9. Cloudsmith gives you per-repository entitlement tokens that can be scoped to read-only or read-write access, plus team-level permission management through the web UI or API. Every publish and download action is recorded in immutable audit logs, so you have a complete trail of who accessed or modified each artifact.

  10. Cloudsmith is fully managed. There are no servers to provision, no storage to size, and no maintenance windows to schedule. Cloudsmith handles availability, scaling, and updates, so your team is never on-call for your repository layer. This makes it a direct replacement for self-hosted Nexus or Artifactory deployments that consume ongoing engineering time.
