Secure, fast, hosted Maven repository management

Cloudsmith gives your Java and JVM teams a fully managed Maven repository with native tooling support, upstream proxying from Maven Central, vulnerability scanning, and fine-grained access control. Stop wrestling with self-hosted infrastructure and start shipping with confidence.

Universal format support

One place for every artifact. Cloudsmith is a secure, centrally managed store for all your Maven packages and software assets.

  • Use Maven + 30 other formats
  • Proxy and cache Maven Central to eliminate rate-limit failures and reduce build times
  • Manage JARs, POMs, SNAPSHOTs, and release artifacts alongside containers and raw files

How we support Maven

Cloudsmith gives your JVM teams a production-grade Maven repository with the security controls, performance, and multi-format flexibility that self-hosted solutions can't match.
    Full Maven repository support
    Push and pull JARs, POMs, SNAPSHOTs, and release artifacts using Maven's native tooling. Cloudsmith works with Maven Publish, the Cloudsmith CLI, and the REST API without any special plugins.
    Upstream proxying and caching
    Proxy Maven Central and other upstream registries through Cloudsmith. Cache resolved artifacts locally to eliminate rate-limit failures, reduce redundant downloads, and keep builds fast even when upstream is unavailable.
    Vulnerability scanning and policy enforcement
    Scan every uploaded artifact for CVEs and malware. Use OPA Rego-based policy rules to automatically quarantine, block, or flag packages that violate your security and compliance standards before they reach developers.
    Granular access control
    Create public or private repositories and manage exactly who can push, pull, or administer them. SAML/SSO, SCIM provisioning, OIDC, and entitlement tokens give you enterprise-grade identity and access management out of the box.
    Multi-format repositories
    Store Maven packages alongside Docker images, Helm charts, Python packages, and 30+ other formats in a single repository. Consolidate your artifact management without reorganising your teams.

Why teams choose Cloudsmith for Maven

From Maven Central rate limits to fragile self-hosted Nexus or Artifactory setups, teams hit the same walls. Cloudsmith removes them.
Without Cloudsmith: Builds fail or slow to a crawl when Maven Central rate-limits your CI pipelines, and there is no reliable fallback when the upstream is unavailable.
With Cloudsmith: Cloudsmith proxies and caches Maven Central so your pipelines resolve artifacts from a nearby, fully managed cache. Rate limits and upstream outages stop affecting your builds.
Without Cloudsmith: Self-hosted Nexus or Artifactory instances require dedicated infrastructure, ongoing patching, and specialist knowledge to keep running. Any downtime blocks every team that depends on them.
With Cloudsmith: Cloudsmith is fully managed with 99.9%+ uptime SLAs, automatic upgrades, and global CDN-backed delivery. You get the reliability of enterprise infrastructure without the operational burden.
Without Cloudsmith: Vulnerable JARs and transitive dependencies flow freely into builds because there are no automated checks or policy gates on what gets published or consumed.
With Cloudsmith: Every artifact is scanned for CVEs on upload. Policy rules automatically quarantine or block packages that fail your security thresholds before they can reach a developer or a production build.

Signs you're ready to switch to Cloudsmith for Maven

If your current Maven setup is slowing teams down or creating security blind spots, Cloudsmith is the purpose-built upgrade.
    Maven Central rate limits are hitting your CI
    When 429 errors start appearing in your pipelines, a managed proxy and cache is the fix. Cloudsmith absorbs those limits so your builds never see them.
    Your self-hosted repository is a maintenance burden
    Running Nexus or Artifactory in-house means patching, scaling, and babysitting infrastructure. Cloudsmith gives you the same capabilities, fully managed, so your engineers can focus on software.
    You have no visibility into what's in your JARs
    If you can't answer what CVEs are in your Maven dependencies right now, you need automated scanning. Cloudsmith scans every artifact on upload and surfaces vulnerabilities before they become incidents.
    Your teams use more than just Maven
    Separate repositories for Docker, npm, Python, and Maven create fragmented tooling and inconsistent controls. Cloudsmith unifies all formats in one platform with consistent access, policy, and observability.
    Access control is too coarse or too manual
    If you're managing repository credentials by hand or sharing a single API key across teams, Cloudsmith's SAML/SSO, SCIM, and OIDC integration gives you the fine-grained, auditable access control enterprises need.

Frequently asked questions

  1. Yes. Cloudsmith provides a fully compatible Maven repository endpoint. You configure your pom.xml distributionManagement and settings.xml server credentials exactly as you would with any standard Maven repository. No custom plugins or wrappers are required.

  2. Yes. You can configure Maven Central (or any other upstream Maven registry) as an upstream source in Cloudsmith. Cloudsmith will proxy requests and cache resolved artifacts so your builds are protected from upstream rate limits, outages, and evictions.

  3. Yes. Cloudsmith supports Maven SNAPSHOT semantics. You can publish and resolve SNAPSHOT artifacts using standard Maven tooling, and your clients will always pick up the latest SNAPSHOT version uploaded for a given coordinate.

  4. Every artifact uploaded to Cloudsmith is scanned for CVEs and malware. You can configure policy rules to automatically quarantine or block packages that exceed your vulnerability thresholds, preventing unsafe dependencies from reaching your build pipelines.

  5. Yes. Cloudsmith provides import tooling and documentation to help you migrate existing Maven artifacts from Nexus Sonatype and JFrog Artifactory. Your existing pom.xml repository URLs simply need to point to your new Cloudsmith endpoint.

  6. Cloudsmith supports API key authentication via standard Maven settings.xml server configuration. For team and enterprise access, you can use SAML/SSO, SCIM provisioning, OIDC tokens, and entitlement tokens for fine-grained, auditable access control.

  7. Yes. Every Cloudsmith repository is multi-format. You can store Maven JARs alongside Docker images, Helm charts, npm packages, Python wheels, and 30+ other formats in the same repository, with consistent access controls and policy enforcement across all of them.

  8. Maven's toolchain supports encrypted credentials in settings.xml, and you can also inject credentials from environment variables so they never appear in configuration files. Cloudsmith's API keys and entitlement tokens should be treated as secrets and stored in your CI/CD secret manager.

  9. Yes. Because Gradle and sbt both support the Maven repository protocol, they work natively with Cloudsmith's Maven endpoint. Cloudsmith also has dedicated documentation for Gradle and sbt repository configuration.

  10. Yes. You can create public repositories for open-source distribution or private repositories with full access control for internal packages. Entitlement tokens let you share specific private packages with external parties without exposing your entire repository.
