---
title: "Private LuaRocks Repository | Cloudsmith"
description: "Host private Lua modules on Cloudsmith. Global CDN delivery, vulnerability scanning, entitlement token auth, and native LuaRocks tool support. Get started today."
canonical_url: "https://cloudsmith.com/product/formats/luarocks-repository"
last_updated: "2026-05-06T20:08:23Z"
---
# Private LuaRocks Repository | Cloudsmith

## Secure, private **Lua** module hosting for your entire team

Cloudsmith gives your team a fully managed LuaRocks repository with global distribution, fine-grained access control, and built-in vulnerability scanning. Push and pull modules using native tools, with zero infrastructure to operate.

## Create your own Private LuaRocks Repository with Cloudsmith

LuaRocks is the package manager for the Lua programming language, allowing your developers and services to easily install, manage, and share Lua modules and applications. Cloudsmith is the perfect place to store, manage and distribute Lua modules so that your teams and services can build efficiently and consistently - worldwide

Universal format support

## **Centralize your Lua modules.** Cloudsmith is a secure, managed store for all your packages and artifacts.

- Use Lua + 30 other formats in a single repository
- Store and distribute rockspec, source, and binary rocks together
- Manage Lua modules alongside containers and raw files in one place

## How we support **Lua**

Cloudsmith gives your team a fully managed LuaRocks repository with everything you need to publish, secure, and distribute Lua modules at any scale.

[Read our Lua documentation](https://docs.cloudsmith.com/formats/luarocks-repository)

### Native LuaRocks tool support

Install modules directly using the --server flag or configure your rocks_servers in the LuaRocks config file. Cloudsmith works with the tools your team already uses, with no custom clients required.

### Entitlement token and HTTP auth

Private repositories on Cloudsmith support Entitlement Token Authentication and HTTP Basic Authentication, including API key and token variants, so credentials never appear in plain text.

### Global CDN delivery

Your Lua modules are distributed via 600+ edge points of presence worldwide. Teams in any region pull dependencies at consistently low latency, with no infrastructure for you to manage.

### Vulnerability scanning and policy enforcement

Cloudsmith scans every Lua module for CVEs and malware on upload. Build OPA Rego policies to quarantine or block packages automatically based on severity thresholds.

### Public and private repositories

Create private repositories for internal Lua modules or public repositories for open source distribution. Cloudsmith's entitlement system gives you precise control over who can access what.

## Why teams choose Cloudsmith for **Lua**

Managing Lua modules without a dedicated private registry creates fragile pipelines and security blind spots. Cloudsmith removes both.

| Without Cloudsmith | With Cloudsmith |

| --- | --- |

| Teams pull Lua modules directly from luarocks.org with no caching, so a registry outage or a yanked rock breaks every pipeline immediately. | Cloudsmith proxies and caches upstream sources, insulating your builds from public registry instability and delivering modules at CDN speed globally. |

| Credentials for private module sources are hardcoded in config files or shared informally, making secret rotation painful and audit trails nonexistent. | Cloudsmith's entitlement token system and HTTP Basic Auth options keep credentials scoped and revocable, with full audit logs of every pull and push. |

| There is no automated check on the Lua modules entering the build. Vulnerable or compromised packages can reach production undetected. | Every module uploaded to Cloudsmith is automatically scanned for CVEs and malware. OPA Rego policies let you quarantine or block high-severity packages before they ship. |

## Signs you're ready to switch to Cloudsmith for **Lua**

If your current Lua module workflow relies on ad-hoc workarounds and manual processes, Cloudsmith gives you the structure, security, and speed to replace them.

[Book a demo with one of our experts](/book-a-demo)

### Pipelines break on upstream registry changes

Depending directly on luarocks.org means any outage, rate limit, or yanked module can halt your builds. Cloudsmith acts as a resilient proxy with local caching, so your pipelines stay green regardless of what happens upstream.

### No visibility into what modules your teams are pulling

Without a managed registry you have no audit trail of which Lua modules are being downloaded, by whom, or when. Cloudsmith gives you complete client logs and package insights across every repository.

### Security scanning is manual or missing entirely

Manually reviewing CVEs across Lua dependencies does not scale. Cloudsmith scans every module on upload and surfaces vulnerabilities automatically, with policy enforcement to stop risky packages from reaching your teams.

### Slow dependency resolution for distributed teams

Pulling modules from a single-region source introduces latency for engineers and CI runners in other geographies. Cloudsmith's 600+ edge PoPs ensure fast installs everywhere your team works.

### Access control is all-or-nothing

Self-hosted or ad-hoc Lua registries rarely support fine-grained permissions. Cloudsmith gives you entitlement tokens, team-level RBAC, and SSO integration so access matches your org structure exactly.

## Get started with **Lua** on Cloudsmith

[Book a demo](/book-a-demo)

[View pricing](/pricing)

## Frequently asked questions

### How do I install a Lua module from a private Cloudsmith repository?

Use the <code>--server</code> flag with luarocks install, passing your Cloudsmith repository URL including your entitlement token or HTTP Basic Auth credentials. You can also persist the server in your LuaRocks config file under <code>rocks_servers</code> so you do not need to specify it on every command.

### Can I upload Lua modules using the native luarocks upload command?

The native luarocks upload command only supports uploading to the official public luarocks.org repository. To push modules to Cloudsmith, use the Cloudsmith CLI, the Cloudsmith web app, or the Cloudsmith REST API. All three methods support rockspec, source rock, and binary rock file types.

### What authentication options does Cloudsmith support for Lua repositories?

Cloudsmith supports Entitlement Token Authentication and HTTP Basic Authentication for private Lua repositories. Basic Auth works with your username and password, your username and API key, or a token credential pair. Credentials should always be treated as secrets and kept out of source control.

### Does Cloudsmith scan Lua modules for vulnerabilities?

Yes. Every package uploaded to Cloudsmith, including Lua rocks, is scanned for CVEs and malware automatically. You can configure OPA Rego policies to quarantine or block packages based on vulnerability severity, ensuring no high-risk dependency reaches your build pipeline undetected.

### Can I host both public and private Lua repositories on Cloudsmith?

Yes. Cloudsmith supports both public and private repositories. Public repositories are accessible without credentials and are suitable for open source Lua modules. Private repositories require authentication and give you full control over who can push or pull packages via entitlements and team permissions.

### Can Cloudsmith proxy and cache modules from luarocks.org?

Yes. Cloudsmith acts as an upstream proxy for public Lua registries, caching modules locally. This insulates your builds from public registry outages, rate limits, and yanked packages, while also speeding up installs by serving cached modules from the nearest edge location.

### How does Cloudsmith handle Lua module distribution across global teams?

Cloudsmith delivers packages through a CDN backed by 600+ points of presence worldwide. Engineers and CI runners in any region pull Lua modules from the nearest edge node, reducing latency and ensuring consistent build performance regardless of geography.

### Can I store other package formats alongside my Lua modules in Cloudsmith?

Yes. All Cloudsmith repositories are multi-format. You can store Lua rocks, Docker images, Python packages, Debian packages, and 30+ other formats in the same repository, giving your team a single source of truth for all software artifacts.

### How do I migrate existing Lua modules to Cloudsmith?

You can upload existing rock files directly using the Cloudsmith CLI, the web app, or the API. The CLI accepts rockspec, source rock, and binary rock files. Cloudsmith's support team is also available to help plan and execute larger migrations.

### Does Cloudsmith support SAML SSO and SCIM for Lua repository access?

Yes. Cloudsmith supports SAML SSO with providers including Okta, Microsoft Entra ID, Google, JumpCloud, PingIdentity, and OneLogin. SCIM is also supported for automated user provisioning and de-provisioning, so access to your Lua repositories stays in sync with your identity provider.
