---
title: "Bitbucket Pipelines Integration | Cloudsmith"
description: "Publish packages from Bitbucket Pipelines to Cloudsmith with the official Cloudsmith pipe. Secure artifact storage, multi-format support, and full pipeline traceability."
canonical_url: "https://cloudsmith.com/product/integrations/bitbucket-pipelines"
last_updated: "2026-05-07T10:46:33Z"
---
# Bitbucket Pipelines Integration | Cloudsmith

## Publish artifacts to Cloudsmith directly from **Bitbucket Pipelines**

Cloudsmith provides an officially maintained Bitbucket pipe that drops straight into your existing pipeline YAML. Authenticate once with an API key, declare your format and repository, and every tagged build pushes your artifacts to Cloudsmith automatically - no custom scripts, no manual uploads.

Product / Integrations

## Bitbucket CI/CD Integration

Bitbucket CI/CD is a continuous integration and continuous delivery tool integrated with Bitbucket. Bitbucket CI/CD can be integrated with Cloudsmith, allowing you to push packages to Cloudsmith as part of your CI/CD pipeline

## How we support **Bitbucket Pipelines**

Cloudsmith gives Bitbucket teams a secure, managed artifact registry that integrates natively into your pipeline YAML - so every build produces a traceable, policy-governed package.

[Read our Bitbucket Pipelines documentation](https://docs.cloudsmith.com/integrations/integrating-with-bitbucket-pipelines)

### Official Cloudsmith Publish pipe

The Cloudsmith Publish pipe is part of Bitbucket's collection of officially maintained pipes. Add it to your bitbucket-pipelines.yml with a single block and start publishing to Cloudsmith immediately.

### Multi-format artifact publishing

Publish Python, npm, Docker, Maven, Debian, NuGet, and 30+ other formats from your Bitbucket pipeline. One pipe, one repository, all your artifact types.

### Secure API key authentication

Store your Cloudsmith API key as a secure Bitbucket pipeline variable. It stays out of logs and is injected at runtime, keeping credentials safe across all your repositories.

### Full package traceability

Every package pushed from Bitbucket Pipelines is logged in Cloudsmith's audit trail. You get a complete provenance record linking each artifact back to the pipeline run that produced it.

### Policy enforcement on every publish

Cloudsmith applies vulnerability scanning, license checks, and OPA Rego policies the moment a package lands. Pipelines that push non-compliant artifacts are caught before the package reaches downstream consumers.

## Why teams integrate Cloudsmith with **Bitbucket Pipelines**

Without a dedicated artifact registry, Bitbucket teams lose visibility, accumulate security debt, and burn build minutes on fragile custom upload scripts. Cloudsmith closes every one of those gaps.

| Without Cloudsmith | With Cloudsmith |

| --- | --- |

| Teams write and maintain custom shell scripts to push artifacts to S3 buckets or ad-hoc registries. These scripts break silently on format changes and are never documented, creating fragile pipelines that block releases. | The official Cloudsmith pipe replaces all custom upload logic with a single declarative block. It is maintained by the Cloudsmith team, versioned, and works across every supported format without any custom scripting. |

| Bitbucket build minutes are wasted re-downloading public dependencies or re-uploading artifacts because there is no central, trusted store. Teams have no visibility into which artifact version is running in which environment. | Cloudsmith stores every published artifact with full metadata and an audit trail. You can see exactly which pipeline run produced each package and trace it through development, staging, and production without extra tooling. |

| API keys for artifact registries are often stored as plaintext in pipeline YAML files or shared across repositories, creating a broad attack surface with no way to rotate or scope credentials quickly. | Cloudsmith API keys are stored as secure Bitbucket pipeline variables and never appear in logs. Service accounts let you scope access per repository, and entitlement tokens provide fine-grained download control for downstream consumers. |

## Frequently asked questions

### How do I add the Cloudsmith pipe to my Bitbucket pipeline?

Add the pipe as a step in your bitbucket-pipelines.yml file using the cloudsmith-io/publish identifier. You specify your Cloudsmith repository, API key variable, package format, and package path. The pipe is available by default in all Bitbucket workspaces with no installation required.

### Which package formats can I publish from Bitbucket Pipelines?

Cloudsmith supports over 30 package formats including Python, npm, Docker, Maven, Debian, RPM, NuGet, Helm, Cargo, and more. You specify the format using the PACKAGE_FORMAT variable in the pipe configuration, and Cloudsmith handles indexing and serving.

### How do I authenticate the Cloudsmith pipe securely?

Store your Cloudsmith API key as a secured repository or workspace variable named CLOUDSMITH_API_KEY in Bitbucket. Secured variables are masked in logs and injected at runtime. For tighter scoping, create a Cloudsmith service account with only the permissions your pipeline needs.

### Is the Cloudsmith pipe officially maintained?

Yes. The Cloudsmith Publish pipe is part of Bitbucket's officially maintained pipes collection. It is maintained by the Cloudsmith team and updated as new features and format support are added to the platform.

### Can I use the Cloudsmith CLI instead of the pipe?

Yes. If you prefer more control, install the Cloudsmith CLI in your pipeline step and use cloudsmith push commands directly. This approach works for all formats and gives you access to advanced options like tagging, retention overrides, and bulk uploads.

### Does Cloudsmith scan packages pushed from Bitbucket Pipelines?

Yes. Every package uploaded to Cloudsmith is automatically scanned for vulnerabilities and evaluated against your active policies. You can configure Cloudsmith to quarantine or block packages that fail checks before they become available to downstream consumers.

### Can I use Cloudsmith across multiple Bitbucket workspaces or repositories?

Yes. Cloudsmith repositories are independent of your Bitbucket workspace structure. You can publish from any number of Bitbucket repositories to the same Cloudsmith repository, or route artifacts to separate repositories based on team, environment, or format.

### How do I track which pipeline run produced a specific package?

Cloudsmith records metadata for every uploaded package including the upload source, timestamp, and user or service account that performed the action. You can query this via the Cloudsmith UI, API, or audit logs to build a full provenance trail from pipeline run to deployed artifact.

### Does Cloudsmith support Bitbucket Pipelines deployment environments?

Yes. You can mirror Bitbucket's environment stages in Cloudsmith by using separate repositories for development, staging, and production. Packages can be promoted between Cloudsmith repositories without re-uploading, preserving artifact integrity and keeping bandwidth costs low.

### Where can I find the full Cloudsmith Bitbucket Pipelines documentation?

Full setup instructions, YAML examples, and configuration options are available at docs.cloudsmith.com under the Bitbucket Pipelines integration guide. The official pipe README on Bitbucket also includes variable references and worked examples for common formats.
