Secure, private Lua module hosting for your entire team

Cloudsmith gives your team a fully managed LuaRocks repository with global distribution, fine-grained access control, and built-in vulnerability scanning. Push and pull modules using native tools, with zero infrastructure to operate.

Universal format support

Centralize your Lua modules. Cloudsmith is a secure, managed store for all your packages and artifacts.

  • Use Lua + 30 other formats in a single repository
  • Store and distribute rockspec, source, and binary rocks together
  • Manage Lua modules alongside containers and raw files in one place

How we support Lua

Cloudsmith gives your team a fully managed LuaRocks repository with everything you need to publish, secure, and distribute Lua modules at any scale.
    Native LuaRocks tool support
    Install modules directly using the --server flag or configure your rocks_servers in the LuaRocks config file. Cloudsmith works with the tools your team already uses, with no custom clients required.
    Entitlement token and HTTP auth
    Private repositories on Cloudsmith support Entitlement Token Authentication and HTTP Basic Authentication, including API key and token variants, so credentials never appear in plain text.
    Global CDN delivery
    Your Lua modules are distributed via 600+ edge points of presence worldwide. Teams in any region pull dependencies at consistently low latency, with no infrastructure for you to manage.
    Vulnerability scanning and policy enforcement
    Cloudsmith scans every Lua module for CVEs and malware on upload. Build OPA Rego policies to quarantine or block packages automatically based on severity thresholds.
    Public and private repositories
    Create private repositories for internal Lua modules or public repositories for open source distribution. Cloudsmith's entitlement system gives you precise control over who can access what.

Why teams choose Cloudsmith for Lua

Managing Lua modules without a dedicated private registry creates fragile pipelines and security blind spots. Cloudsmith removes both.
Without Cloudsmith: Teams pull Lua modules directly from luarocks.org with no caching, so a registry outage or a yanked rock breaks every pipeline immediately.
With Cloudsmith: Cloudsmith proxies and caches upstream sources, insulating your builds from public registry instability and delivering modules at CDN speed globally.
Without Cloudsmith: Credentials for private module sources are hardcoded in config files or shared informally, making secret rotation painful and audit trails nonexistent.
With Cloudsmith: Cloudsmith's entitlement token system and HTTP Basic Auth options keep credentials scoped and revocable, with full audit logs of every pull and push.
Without Cloudsmith: There is no automated check on the Lua modules entering the build. Vulnerable or compromised packages can reach production undetected.
With Cloudsmith: Every module uploaded to Cloudsmith is automatically scanned for CVEs and malware. OPA Rego policies let you quarantine or block high-severity packages before they ship.

Signs you're ready to switch to Cloudsmith for Lua

If your current Lua module workflow relies on ad-hoc workarounds and manual processes, Cloudsmith gives you the structure, security, and speed to replace them.
    Pipelines break on upstream registry changes
    Depending directly on luarocks.org means any outage, rate limit, or yanked module can halt your builds. Cloudsmith acts as a resilient proxy with local caching, so your pipelines stay green regardless of what happens upstream.
    No visibility into what modules your teams are pulling
    Without a managed registry you have no audit trail of which Lua modules are being downloaded, by whom, or when. Cloudsmith gives you complete client logs and package insights across every repository.
    Security scanning is manual or missing entirely
    Manually reviewing CVEs across Lua dependencies does not scale. Cloudsmith scans every module on upload and surfaces vulnerabilities automatically, with policy enforcement to stop risky packages from reaching your teams.
    Slow dependency resolution for distributed teams
    Pulling modules from a single-region source introduces latency for engineers and CI runners in other geographies. Cloudsmith's 600+ edge PoPs ensure fast installs everywhere your team works.
    Access control is all-or-nothing
    Self-hosted or ad-hoc Lua registries rarely support fine-grained permissions. Cloudsmith gives you entitlement tokens, team-level RBAC, and SSO integration so access matches your org structure exactly.

Frequently asked questions

  1. Use the --server flag with luarocks install, passing your Cloudsmith repository URL including your entitlement token or HTTP Basic Auth credentials. You can also persist the server in your LuaRocks config file under rocks_servers so you do not need to specify it on every command.

  2. The native luarocks upload command only supports uploading to the official public luarocks.org repository. To push modules to Cloudsmith, use the Cloudsmith CLI, the Cloudsmith web app, or the Cloudsmith REST API. All three methods support rockspec, source rock, and binary rock file types.

  3. Cloudsmith supports Entitlement Token Authentication and HTTP Basic Authentication for private Lua repositories. Basic Auth works with your username and password, your username and API key, or a token credential pair. Credentials should always be treated as secrets and kept out of source control.

  4. Yes. Every package uploaded to Cloudsmith, including Lua rocks, is scanned for CVEs and malware automatically. You can configure OPA Rego policies to quarantine or block packages based on vulnerability severity, ensuring no high-risk dependency reaches your build pipeline undetected.

  5. Yes. Cloudsmith supports both public and private repositories. Public repositories are accessible without credentials and are suitable for open source Lua modules. Private repositories require authentication and give you full control over who can push or pull packages via entitlements and team permissions.

  6. Yes. Cloudsmith acts as an upstream proxy for public Lua registries, caching modules locally. This insulates your builds from public registry outages, rate limits, and yanked packages, while also speeding up installs by serving cached modules from the nearest edge location.

  7. Cloudsmith delivers packages through a CDN backed by 600+ points of presence worldwide. Engineers and CI runners in any region pull Lua modules from the nearest edge node, reducing latency and ensuring consistent build performance regardless of geography.

  8. Yes. All Cloudsmith repositories are multi-format. You can store Lua rocks, Docker images, Python packages, Debian packages, and 30+ other formats in the same repository, giving your team a single source of truth for all software artifacts.

  9. You can upload existing rock files directly using the Cloudsmith CLI, the web app, or the API. The CLI accepts rockspec, source rock, and binary rock files. Cloudsmith's support team is also available to help plan and execute larger migrations.

  10. Yes. Cloudsmith supports SAML SSO with providers including Okta, Microsoft Entra ID, Google, JumpCloud, PingIdentity, and OneLogin. SCIM is also supported for automated user provisioning and de-provisioning, so access to your Lua repositories stays in sync with your identity provider.
