---
title: "Chef Integration | Cloudsmith"
description: "Store, secure, and distribute Chef cookbooks from Cloudsmith. Fine-grained access control, vulnerability scanning, and global CDN delivery for your infrastructure automation pipelines."
canonical_url: "https://cloudsmith.com/product/integrations/chef"
last_updated: "2026-05-07T10:34:22Z"
---
# Chef Integration | Cloudsmith

## Manage and distribute cookbooks with **Chef** on Cloudsmith

Chef is a powerful infrastructure automation platform that lets teams define, configure, and manage IT resources as code using cookbooks and recipes. Cloudsmith gives you a secure, fully managed repository to store and distribute those cookbooks, with fine-grained access controls, vulnerability scanning, and a global CDN to serve artifacts to your nodes reliably wherever they run.

Product / Integrations

## Chef Integration

Chef is an infrastructure automation tool that allows organizations to define and manage their IT infrastructure as code. It provides a declarative language for defining infrastructure configuration, which enables organizations to automate the deployment and management of infrastructure resources across their entire IT stack. You can use Cloudsmith's Chef integration to deploy package from Cloudsmith to your infrastructure.

## How we support **Chef**

Cloudsmith gives Chef teams a secure, centralised home for cookbooks and infrastructure artifacts, with the controls and visibility your operations require.

[Read our Chef documentation](https://docs.cloudsmith.com/integrations/integrating-with-chef)

### Private cookbook repositories

Host your internal Chef cookbooks in private Cloudsmith repositories. Control exactly which teams and nodes can pull cookbook versions, keeping proprietary configuration logic off public registries.

### Vulnerability scanning and policy enforcement

Every cookbook and dependency pushed to Cloudsmith is scanned for vulnerabilities. Use OPA Rego policies to block non-compliant packages before they reach your Chef nodes.

### Global CDN delivery

Cloudsmith serves cookbooks from 600+ edge points of presence worldwide, so Chef clients converging across distributed data centres and cloud regions always pull from a nearby, low-latency source.

### Secure authentication with entitlement tokens

Use Cloudsmith entitlement tokens to authenticate Chef clients and Knife commands to your repositories. Tokens are scoped, rotatable, and never expose your main API key in cookbook configurations.

### Full audit trail and observability

Every cookbook push, pull, and policy event is logged. Query client logs via the Cloudsmith API or export raw log files to understand exactly which nodes are consuming which cookbook versions.

## Why teams integrate Cloudsmith with **Chef**

Centralising your cookbook storage in Cloudsmith removes the operational friction that slows down infrastructure automation and creates security blind spots.

| Without Cloudsmith | With Cloudsmith |

| --- | --- |

| Cookbooks are scattered across internal file shares, Chef Supermarket, and ad-hoc Git repos. Teams lack a consistent, versioned source of truth, and uploading broken cookbooks can silently override working versions across all nodes. | All cookbooks live in a single Cloudsmith repository with immutable versioning. Broken uploads are blocked before they reach the Chef server, and every version is preserved for safe rollback. |

| Chef clients pulling cookbooks over long distances experience slow convergence runs, increasing the time it takes to apply configuration changes across your node fleet. | Cloudsmith's global CDN delivers cookbooks from the edge closest to each node. Convergence runs complete faster and more reliably, whether your nodes are in a single region or spread across the globe. |

| API keys and credentials are hardcoded into Knife configs or shared across teams, making it difficult to rotate access or trace which pipeline or person published a cookbook. | Scoped entitlement tokens give each team or service account its own credential. Tokens are rotated independently, and every push and pull is tied to a specific identity in the audit log. |

## Frequently asked questions

### How do I configure Knife to push cookbooks to Cloudsmith?

You configure a Cloudsmith repository as your Knife target by setting your workspace, repository slug, and an entitlement token or API key in your knife.rb. The Cloudsmith docs provide copy-paste configuration snippets with your credentials pre-filled. Once configured, knife cookbook upload works as normal.

### Can Chef clients pull cookbooks from a private Cloudsmith repository?

Yes. Chef clients authenticate to Cloudsmith using an entitlement token embedded in the repository URL or passed as a header. Cloudsmith supports both token-based and API key authentication, and tokens can be scoped to read-only access so nodes cannot accidentally modify the repository.

### Does Cloudsmith scan cookbooks for vulnerabilities?

Yes. Cloudsmith scans packages for known vulnerabilities and can enforce OPA Rego policies that quarantine or block packages that fail your security criteria. You can configure the Block Until Scan feature to ensure no cookbook is served to nodes until all security and licence checks have completed.

### How does Cloudsmith help with cookbook version management across environments?

You can mirror your Chef environment promotion model in Cloudsmith by using separate repositories for development, staging, and production. Cloudsmith's package promotion moves a verified cookbook artifact between repositories without re-uploading, preserving its integrity and provenance trail.

### Can I use Cloudsmith as a proxy for Chef Supermarket?

Yes. Cloudsmith upstream proxying lets you cache cookbooks from Chef Supermarket or any external source into your own private repository. Your nodes pull from Cloudsmith, protecting you against upstream outages, rate limits, or packages being unexpectedly removed from the public registry.
