Manage artifacts from Codefresh pipelines with confidence

Codefresh is a Kubernetes-native CI/CD platform built for modern microservices, combining powerful pipelines with GitOps delivery powered by Argo. Cloudsmith gives your Codefresh pipelines a secure, centralised artifact store - so every build pushes to a single source of truth, every deployment pulls verified packages, and your whole team ships with consistency.

How we support Codefresh

Cloudsmith slots into your Codefresh pipelines as the artifact layer - handling authentication, storage, and distribution for every package format your services produce.
OIDC authentication: Authenticate Codefresh pipelines to Cloudsmith using OIDC - no long-lived API keys stored in your pipeline variables. Cloudsmith issues a short-lived token per job, scoped to exactly what that step needs.

Docker registry integration: Connect Cloudsmith as a Docker registry in Codefresh and pull or push container images directly within your pipeline steps, with full access control and vulnerability scanning applied automatically.

Helm chart storage and deployment: Store Helm charts in Cloudsmith and add the repository to Codefresh so your pipelines and Argo CD deployments pull charts from a single, policy-governed source.

Multi-format artifact publishing: Publish artifacts from any Codefresh pipeline step - Docker images, npm packages, Python wheels, Maven JARs, and more - all landing in one Cloudsmith repository your whole organisation can trust.

GitOps-ready artifact source: Use Cloudsmith as the artifact source for Argo CD deployments managed through Codefresh. Continuous reconciliation pulls verified images and charts directly from Cloudsmith, keeping clusters in sync with your Git state.

Why teams integrate Cloudsmith with Codefresh

Codefresh handles the pipeline orchestration - Cloudsmith handles where your artifacts live, who can access them, and what gets deployed. Together they close the gap between a fast build and a secure release.

Without Cloudsmith: Pipelines authenticate with Cloudsmith using static API keys stored in encrypted variables, creating a sprawl of long-lived credentials that are hard to rotate and easy to leak.
With Cloudsmith: Codefresh pipelines authenticate via OIDC. Each job receives a short-lived token scoped to that step only - no secrets to manage, no rotation anxiety, and a full audit trail of every access.

Without Cloudsmith: Docker images go to one registry, Helm charts to another, and language packages to yet another. Teams waste time chasing down where the right version lives before they can deploy.
With Cloudsmith: Cloudsmith gives every Codefresh pipeline a single destination for all artifact types. Docker images, Helm charts, and language packages all live in one place, with consistent access controls across the board.

Without Cloudsmith: Open-source dependencies pulled into Codefresh pipelines are not screened before use, leaving teams exposed to vulnerabilities and supply chain attacks that slip through into production.
With Cloudsmith: Cloudsmith's Dependency Firewall and vulnerability scanning intercept risky packages before they reach your pipelines. Policy-as-code rules block non-compliant components automatically, so only approved artifacts deploy.

Frequently asked questions

  1. Cloudsmith supports OIDC authentication for Codefresh pipelines. Your pipeline requests an OIDC token during execution, exchanges it with Cloudsmith for a short-lived access token, and uses that token for the duration of the job. This removes the need to store long-lived API keys as pipeline variables.

  2. Cloudsmith supports over 30 package formats. From a Codefresh pipeline you can push Docker images, Helm charts, Python packages, npm modules, Maven and Gradle artifacts, Cargo crates, and more - all to a single repository, using native tooling or the Cloudsmith CLI.

  3. Yes. You can add a Cloudsmith Helm repository to Codefresh and configure Argo CD to pull charts and Docker images directly from Cloudsmith. This gives you a fully auditable, policy-governed artifact source for all GitOps-managed deployments.

  4. Yes. Cloudsmith automatically scans packages and container images for known vulnerabilities as they are uploaded. You can also configure policy rules to quarantine or block packages that exceed a defined severity threshold, preventing unsafe artifacts from being deployed downstream.

  5. You need an active Cloudsmith account with a repository, a Codefresh account, and optionally a Kubernetes cluster for deployments. The Cloudsmith docs for Codefresh walk through OIDC setup, Docker registry configuration, Helm chart publishing, and pipeline examples to get you up and running quickly.
