Make the secure path the default path

Chainguard provides hardened, low-to-no-CVE containers and a secure catalog of language dependencies with signed provenance, SBOMs, and minimal attack surface. Cloudsmith is the policy-driven control plane that standardizes how those artifacts are managed, distributed, and traced.

Securing the software supply chain is a sourcing problem and a distribution problem.

Hardened, verified artifacts are only effective when they're the ones developers and pipelines actually use. Closing that gap requires both the right artifacts and the controls that make them the default.
    Developer workflow and security policy need to point in the same direction
    Hardened, verified artifacts are only effective when they're the ones developers and pipelines actually use. When the secure path adds friction, teams find a faster one. Closing that gap requires both the right artifacts and the controls that make them the default.
    Enterprise-scale enforcement requires more than policy documentation
    Having clear standards for which dependencies are acceptable is the starting point. Enforcing them automatically across every team, every environment, at the speed modern development demands, is a different problem. It takes verified components and a governed distribution layer working together.
    Visibility into artifact consumption is the foundation of verifiable governance
    Knowing that the right components exist isn't the same as knowing they're being used. Verifiable governance means being able to see exactly what's being consumed and moved to production: by whom and from where, across direct and transitive dependencies alike.

Two platforms, one trusted path for secure software.

ChainguardSecure the starting point
CloudsmithStandardize the flow from source to pipeline
ChainguardAre my base images and libraries free of CVEs and built from a trusted source?
CloudsmithAre developers actually using those hardened versions – every time?
ChainguardProvides hardened containers, helm charts, language libraries and a secure catalog of language dependencies – with signed provenance, SBOMs, and near-zero CVEs. Continuously maintained and updated by Chainguard.
CloudsmithThe active control plane that enforces ingress rules, observes every consumption event, and standardizes how trusted artifacts move through the organization – with policy-as-code guardrails applied automatically across every team and environment.

From hardened source to governed pipeline

    Ingest and prioritize
    Chainguard containers and libraries are ingested into Cloudsmith and configured as the prioritized upstream source for your teams and build systems.
    Automatic routing to the hardened version
    When a developer or build pipeline requests a dependency, Cloudsmith serves the Chainguard version first, automatically, without any change to the developer workflow.
    Real-time policy enforcement
    Policy-as-code rules evaluate every artifact request in real time. Non-compliant dependencies are blocked before they reach a build. Developers receive clear, actionable guidance on what to do next.
    Full consumption traceability
    Cloudsmith records every artifact pull: which artifact was requested, which repository it came from, and which team initiated the request, giving security teams a single source of truth for tracking adoption across the organization.
    Global delivery
    Approved artifacts are delivered via Cloudsmith's global package delivery network: consistent, low-latency access for every developer and CI system, regardless of region.
    The result: security becomes proactive and integrated
    Security moves from passive and external to proactive, integrated, and automated. The secure path is also the default path, and the fast path.

What teams achieve with Chainguard and Cloudsmith

From verifiable adoption to automated governance and global delivery, the integration closes the gap between investing in secure components and being confident they're used.
    Verifiable adoption of hardened components
    • Hardened components are the default, not the exception
    • Dependency drift eliminated across teams and environments
    • Adoption measured with data
    Automated governance that scales with your teams
    • Compliance and security are automated at ingestion
    • Actionable developer feedback
    • Guardrails that stay current as risk profiles change
    The secure path is also the fast path
    • 600+ points of presence for low-latency delivery globally
    • Upstream resilience: cached artifacts available if the source goes down
    • Platform teams own policy, not infrastructure

Security built into the pipeline.

Chainguard eliminates CVEs and reduces attack surface at the point of creation. Cloudsmith standardizes how those artifacts are consumed across the organization. Together, they close the gap between investing in safe components and being confident they're used, at enterprise scale, without adding friction to the teams building your software.

Integrations

Discover more Cloudsmith Integrations