Formats/Raw and Generic Artifacts

One repository for every artifact, not just packages

Cloudsmith provides a single control point for your entire software supply chain. While we support more than 30 native formats, modern pipelines often rely on assets that fall outside standard ecosystems, like vendor installers, release binaries, or custom scripts. Cloudsmith is the single home for all of these assets, bringing them under the same security and visibility as the rest of your software.

Universal artifact support

Every artifact type, one platform. Cloudsmith stores packages, containers, binaries, and raw files — including assets that fall outside standard ecosystems.

  • Use Raw Artifacts + 30 other package formats
  • Store ML models, datasets, and raw files alongside language packages
  • Distribute vendor binaries, custom installers, and release assets with full access control

How we support Raw and Generic Artifacts

Modern pipelines rely on assets that fall outside standard ecosystems. Cloudsmith gives every team a single home for those assets, with the same security and visibility as the rest of your software.
    Store any file, any extension
    Raw repositories accept any file type with no format restrictions. Upload vendor installers, firmware images, ML model weights, datasets, custom scripts, or release bundles and serve them through a private, versioned endpoint.
    Proxy and cache external HTTP sources
    Generic repositories let Cloudsmith fetch and cache artifacts from external HTTP or HTTPS sources. Your pipelines always pull from a stable internal endpoint, even when upstream content changes or disappears.
    Consistent security across every asset
    Apply the same access controls, OIDC authentication, OPA Rego policies, and audit logs to raw files as you do to NPM packages or Docker images. No second-class assets.
    Multi-format repositories
    Store raw files and package formats in the same repository. Organise by team, project, or environment without spinning up separate tooling for non-standard assets.
    CDN-backed global distribution
    Cloudsmith serves all artifacts, including large raw files, through 600+ edge points of presence. Teams anywhere in the world download from the nearest location automatically.

Why teams choose Cloudsmith for Raw and Generic Artifacts

Vendor installers, release binaries, and custom scripts don't fit neatly into standard package ecosystems. Without a proper home, they end up scattered across S3 buckets, shared drives, and ad-hoc storage. Cloudsmith consolidates everything.
Without CloudsmithRaw files live in S3 buckets or shared drives with no versioning, no audit trail, and inconsistent access controls. Engineers have no idea what version of a binary is in production.
With CloudsmithEvery raw file is versioned, audited, and served from a private endpoint with the same RBAC and token-based auth you use for all other formats. Full traceability, no guesswork.
Without CloudsmithPipelines pull directly from external HTTP sources, GitHub releases, or vendor CDNs. When upstream content moves or disappears, builds break and teams scramble.
With CloudsmithGeneric repositories proxy and cache external sources inside Cloudsmith. Your pipelines always pull from a stable internal URL, with no exposure to upstream outages or changes.
Without CloudsmithCompliance teams have no visibility into custom binaries, vendor installers, or proprietary assets. Security scanning and policy enforcement only cover package-format artifacts.
With CloudsmithRaw and Generic repositories are first-class citizens in Cloudsmith. Vulnerability scanning, OPA Rego policies, and client logs cover every file type, keeping compliance teams confident.

Signs you're ready to switch to Cloudsmith for Raw and Generic Artifacts

If assets that fall outside standard ecosystems live in a different system from your packages, you don't have a single source of truth. Cloudsmith is the single home for all your software assets.
    Your binaries live outside your artifact manager
    If raw files, firmware images, or ML model weights are sitting in S3 or a shared drive, they lack the access controls and audit trails your security team requires. Cloudsmith brings them under the same governance as your packages.
    Upstream outages break your builds
    Pulling vendor binaries or GitHub releases directly into CI makes your pipeline fragile. Cloudsmith's Generic repositories cache those assets internally so upstream changes never reach your build.
    Security policies don't cover non-package assets
    OPA Rego policies and vulnerability scanning should apply to every artifact, not just NPM or Maven packages. Cloudsmith enforces consistent policy across raw files and generic artifacts too.
    Distributing to partners is manual and fragile
    Emailing installers or sharing S3 pre-signed URLs doesn't scale. Cloudsmith gives partners a versioned, authenticated endpoint with EULA gating and download tracking built in.
    You're running separate tools for each asset type
    A dedicated registry for packages, another for containers, and ad-hoc storage for everything else creates operational overhead and visibility gaps. Cloudsmith consolidates all formats, including raw files, in one platform.

Get started with Raw Artifacts on Cloudsmith

Frequently asked questions

  1. Any file type, with no restrictions on extension or format. Raw repositories are designed for arbitrary binary assets, including firmware images, vendor installers, ML model weights, datasets, custom scripts, compiled executables, and more.

  2. Raw repositories are for direct upload and distribution of files you own and manage. Generic repositories are for proxying and caching artifacts from external HTTP or HTTPS sources, such as GitHub releases or vendor download pages, bringing them into your controlled Cloudsmith environment.

  3. Yes. Cloudsmith supports multi-format repositories, so you can store NPM packages, Docker images, Python wheels, and raw binary files all within the same repository. This is central to Cloudsmith's role as a single source of truth for all software artifacts.

  4. Cloudsmith supports API key authentication, OIDC-based keyless auth for CI/CD pipelines, and entitlement tokens for downstream distribution. The same authentication mechanisms that apply to package formats also apply to raw and generic artifacts.

  5. Yes. OPA Rego policies can be applied to any artifact type in Cloudsmith, including raw files. While file-level vulnerability scanning requires format-specific metadata, access policies, quarantine rules, and audit logging all apply consistently to raw and generic artifacts.

  6. Yes. Generic repositories act as a caching proxy for external HTTP or HTTPS sources. Once configured, your pipelines pull from a stable Cloudsmith endpoint rather than the upstream source. If the upstream changes or goes down, your pipelines continue to work.

  7. Every file uploaded to a Raw repository is stored with version metadata. You can query specific versions via the API or CLI, and all uploads are tracked in the audit log so you know exactly who uploaded what, and when.

  8. Yes. Cloudsmith supports entitlement tokens and EULA gating for downstream distribution. You can issue scoped tokens to partners or customers with read-only access, require EULA acceptance before download, and track all download activity through client logs.

  9. S3 and shared drives provide storage but lack versioning, fine-grained access control, audit logging, and policy enforcement that artifact management demands. Cloudsmith wraps the same underlying durability with a purpose-built artifact management layer, including RBAC, token auth, OPA Rego policies, and a full audit trail.

  10. You can create a Raw or Generic repository directly from the Cloudsmith dashboard or via the API. Full setup guides, CLI instructions, and configuration examples are available in the Cloudsmith documentation at docs.cloudsmith.com.

Formats

There’s more than just Raw and Generic Artifacts on Cloudsmith