---
title: "Integrating Cloudsmith with Chainguard Images"
description: "Use Cloudsmith with Chainguard Images to securely distribute minimal, hardened container images across your software supply chain."
canonical_url: "https://cloudsmith.com/product/integrations/chainguard-images"
last_updated: "2026-07-01T11:56:50Z"
---
# Integrating Cloudsmith with Chainguard Images

## Make the secure path the **default path**

Chainguard provides hardened, low-to-no-CVE containers and a secure catalog of language dependencies with signed provenance, SBOMs, and minimal attack surface. Cloudsmith is the policy-driven control plane that standardizes how those artifacts are managed, distributed, and traced.

## Securing the software supply chain is a sourcing problem and a **distribution problem**.

Hardened, verified artifacts are only effective when they're the ones developers and pipelines actually use. Closing that gap requires both the right artifacts and the controls that make them the default.

### Developer workflow and security policy need to point in the same direction

Hardened, verified artifacts are only effective when they're the ones developers and pipelines actually use. When the secure path adds friction, teams find a faster one. Closing that gap requires both the right artifacts and the controls that make them the default.

### Enterprise-scale enforcement requires more than policy documentation

Having clear standards for which dependencies are acceptable is the starting point. Enforcing them automatically across every team, every environment, at the speed modern development demands, is a different problem. It takes verified components and a governed distribution layer working together.

### Visibility into artifact consumption is the foundation of verifiable governance

Knowing that the right components exist isn't the same as knowing they're being used. Verifiable governance means being able to see exactly what's being consumed and moved to production: by whom and from where, across direct and transitive dependencies alike.

## Two platforms, one trusted path for **secure software**.

| Chainguard | Cloudsmith |

| --- | --- |

| Secure the starting point | Standardize the flow from source to pipeline |

| Are my base images and libraries free of CVEs and built from a trusted source? | Are developers actually using those hardened versions – every time? |

| Provides hardened containers, helm charts, language libraries and a secure catalog of language dependencies – with signed provenance, SBOMs, and near-zero CVEs. Continuously maintained and updated by Chainguard. | The active control plane that enforces ingress rules, observes every consumption event, and standardizes how trusted artifacts move through the organization – with policy-as-code guardrails applied automatically across every team and environment. |

## From hardened source to **governed pipeline**

### Ingest and prioritize

Chainguard containers and libraries are ingested into Cloudsmith and configured as the prioritized upstream source for your teams and build systems.

### Automatic routing to the hardened version

When a developer or build pipeline requests a dependency, Cloudsmith serves the Chainguard version first, automatically, without any change to the developer workflow.

### Real-time policy enforcement

Policy-as-code rules evaluate every artifact request in real time. Non-compliant dependencies are blocked before they reach a build. Developers receive clear, actionable guidance on what to do next.

### Full consumption traceability

Cloudsmith records every artifact pull: which artifact was requested, which repository it came from, and which team initiated the request, giving security teams a single source of truth for tracking adoption across the organization.

### Global delivery

Approved artifacts are delivered via Cloudsmith's global package delivery network: consistent, low-latency access for every developer and CI system, regardless of region.


### The result: security becomes proactive and integrated

Security moves from passive and external to proactive, integrated, and automated. The secure path is also the default path, and the fast path.

## What teams achieve with **Chainguard and Cloudsmith**

From verifiable adoption to automated governance and global delivery, the integration closes the gap between investing in secure components and being confident they're used.

### Verifiable adoption of hardened components

- Hardened components are the default, not the exception
- Dependency drift eliminated across teams and environments
- Adoption measured with data 

### Automated governance that scales with your teams

- Compliance and security are automated at ingestion
- Actionable developer feedback
- Guardrails that stay current as risk profiles change

### The secure path is also the fast path

- 600+ points of presence for low-latency delivery globally
- Upstream resilience: cached artifacts available if the source goes down
- Platform teams own policy, not infrastructure

## Security built into the **pipeline**.

Chainguard eliminates CVEs and reduces attack surface at the point of creation. Cloudsmith standardizes how those artifacts are consumed across the organization. Together, they close the gap between investing in safe components and being confident they're used, at enterprise scale, without adding friction to the teams building your software.

[Book a demo](/book-a-demo)

[Watch our product tour](/product-tour)

[Read our Chainguard documentation](https://docs.cloudsmith.com/integrations/integrating-with-chainguard-images)

[Get hands on with a selection of Chainguard's free images](https://images.chainguard.dev/directory/category/free)
