Your private NuGet feed, fully managed on Cloudsmith

Cloudsmith gives your .NET teams a secure, highly available private NuGet feed with built-in security scanning, upstream proxying, and native signing support. Push and pull with standard tooling, enforce policies across every package, and stop depending on public registries for build reliability.

Universal format support

One home for NuGet and every other format your teams rely on.

  • Use NuGet + 30 other formats
  • Store NuGet packages alongside Docker containers and raw binaries
  • Manage internal libraries and open-source dependencies from a single registry

How we support NuGet

Cloudsmith gives .NET teams a fully managed private NuGet feed with the security controls, performance, and reliability that public registries cannot provide.
  • Full NuGet v3 feed support: Cloudsmith exposes a standards-compliant NuGet v3 feed endpoint. Configure it as a source in the NuGet CLI, .NET Core CLI, Visual Studio Package Manager, or Paket without any changes to your existing workflow.
  • Native package signing: Cloudsmith natively signs all NuGet packages using an X.509 certificate so consumers can verify repository signatures directly in the NuGet CLI. Author signatures are countersigned automatically on upload.
  • Vulnerability scanning: Every NuGet package uploaded to Cloudsmith is scanned for known vulnerabilities. Pair scanning with OPA Rego policies to quarantine or block packages that fail your security thresholds before they reach developers.
  • Upstream proxying and caching: Proxy NuGet.org and other upstream feeds through Cloudsmith to eliminate single points of failure in your CI pipelines. Cached packages are served from Cloudsmith's global CDN for fast, reliable restores regardless of upstream availability.
  • Entitlement token and API key auth: Secure private NuGet feeds with entitlement token authentication or HTTP Basic auth using API keys. Tokens scope access per repository, giving you fine-grained control over who can push or pull packages.

Why teams choose Cloudsmith for NuGet

Relying on NuGet.org directly and managing private feeds ad hoc creates fragile pipelines, security blind spots, and governance gaps that grow with your team. Cloudsmith replaces that chaos with a single, controlled source of truth.
  • Without Cloudsmith: Builds break whenever NuGet.org is slow or unreachable. Every pipeline is a direct dependency on a public registry your team does not control.
  • With Cloudsmith: Cloudsmith proxies and caches NuGet.org so your builds restore from a private, CDN-backed feed. Upstream downtime no longer blocks your CI pipelines.
  • Without Cloudsmith: Version conflicts and unreviewed packages slip into builds because there is no central policy enforcement. Teams publish directly to shared feeds with no promotion process.
  • With Cloudsmith: OPA Rego policies enforce package standards across every repository. Promotion workflows move packages from dev to test to production with full auditability and no manual intervention.
  • Without Cloudsmith: Security scanning is manual or non-existent. A vulnerable dependency can reach production before anyone notices, and there is no quarantine mechanism to stop it.
  • With Cloudsmith: Cloudsmith scans every uploaded NuGet package for known vulnerabilities and applies policy rules automatically. Packages that fail your thresholds are quarantined before they are available to developers.

Signs you're ready to switch to Cloudsmith for NuGet

Most teams hit the limits of self-hosted feeds or direct NuGet.org reliance as they scale. If any of these sound familiar, Cloudsmith is the upgrade your workflow needs.
  • CI pipelines break on upstream outages: NuGet.org downtime or rate limiting halts your builds. Cloudsmith proxies and caches upstream feeds so your pipelines keep running regardless of public registry availability.
  • No visibility into vulnerable dependencies: Packages land in builds without any security review. Cloudsmith scans every NuGet package on upload and gives you automated quarantine policies to stop vulnerable artifacts before they reach developers.
  • Version chaos across projects: Different teams pin different versions of the same package, leading to conflicts and unreproducible builds. Cloudsmith centralises your NuGet feed so version governance is consistent across every project.
  • Self-hosted feed infrastructure is a burden: Running your own NuGet server means managing uptime, storage, and patching. Cloudsmith is fully managed, so you get SLA-backed availability without any operational overhead.
  • NuGet is just one of many formats you need to manage: Your teams ship Docker images, Python wheels, and raw binaries alongside .NET packages. Cloudsmith consolidates every format into a single registry so you stop juggling separate tools and access controls.

Frequently asked questions

  1. Yes. Cloudsmith exposes a fully compliant NuGet v3 feed endpoint that works with the NuGet CLI, .NET Core CLI, Visual Studio Package Manager, Paket, and any other tool that supports the standard NuGet v3 service index.

  2. Yes. Cloudsmith NuGet feeds are fully compatible with Chocolatey. Chocolatey packages are an enhanced NuGet format, and from Chocolatey v2.0.0 onwards, NuGet v3 feeds are supported as sources.

  3. Cloudsmith supports both entitlement token authentication and HTTP Basic authentication using your username and API key. Entitlement tokens can be scoped per repository, giving you fine-grained control over read and write access.

  4. Yes. Cloudsmith natively signs all NuGet packages using an X.509 certificate issued by its own Certificate Authority. If a package already has an author signature, Cloudsmith countersigns it. Consumers can verify signatures using the NuGet CLI.

  5. Yes. Cloudsmith's upstream proxying feature lets you configure NuGet.org or any other NuGet feed as an upstream source. Packages are cached on first request, protecting your builds from upstream downtime and rate limits.

  6. Every NuGet package uploaded to Cloudsmith is automatically scanned for known vulnerabilities. You can pair scanning results with OPA Rego policies to quarantine or reject packages that exceed your risk thresholds before they are available to developers.

  7. Yes. Each Cloudsmith repository can be configured as a NuGet Symbol Server in Visual Studio. It stores and serves PDB files and source files so developers can step through compiled library code during debugging.

  8. You can upload existing packages to Cloudsmith using the Cloudsmith CLI or the web app, then update your NuGet source configuration to point at your new Cloudsmith feed endpoint. Cloudsmith's contextual setup instructions include pre-configured copy-paste commands for each repository.

  9. Yes. Cloudsmith repositories are multi-format, so you can store NuGet packages, Docker images, npm packages, and more in a single repository. This simplifies access control and lets teams centralise all their artifacts in one place.

  10. When using the native NuGet CLI to publish, the per-package file limit is 200 MiB. When uploading via the Cloudsmith CLI, the limit increases to 5 GiB, which accommodates large symbol packages or packages with embedded binaries.
