Keep private dependencies secure with Dependabot and Cloudsmith
Cloudsmith acts as a fully managed private registry that Dependabot can authenticate against directly, giving you automated dependency updates across all your private and public packages. Configure Dependabot once in your dependabot.yml, point it at your Cloudsmith repository, and let automated pull requests keep every dependency current and secure.
Frequently asked questions
Cloudsmith is a supported private registry for all major ecosystems that Dependabot covers, including Maven, npm, Python (PyPI), RubyGems, NuGet, and more. The same configuration pattern applies across ecosystems: define a Cloudsmith registry in your dependabot.yml, reference your credentials from GitHub secrets, and Dependabot handles the rest.
Dependabot authenticates with Cloudsmith using username and password credentials stored as encrypted GitHub secrets. You store your Cloudsmith username and API key in the Dependabot secrets section of your repository settings, then reference them in your dependabot.yml file.
Setting replaces-base to true in your dependabot.yml tells Dependabot to use the specified Cloudsmith repository URL as the primary source for all packages in that ecosystem, rather than the default public registry. To make this work correctly, you should configure a corresponding upstream proxy in Cloudsmith so that public packages are fetched through Cloudsmith when they are not already present in your repository.
Cloudsmith supports granular access controls and service accounts, so you can scope credentials precisely to Dependabot's needs. Create a dedicated service account with read-only access to the relevant repositories, store its API key as an encrypted Dependabot secret in GitHub, and reference that secret in your dependabot.yml. This limits the blast radius if the credentials are ever compromised.
Yes. With Cloudsmith's upstream proxying enabled and replaces-base set to true, Dependabot routes all package resolution through your Cloudsmith repository. Public packages that are not already stored in Cloudsmith are fetched transparently via the upstream proxy, while private packages are served directly. This gives you a single authoritative source for every dependency in an ecosystem.
Store your Cloudsmith API key and username as encrypted Dependabot secrets in your GitHub repository under Settings, then Secrets and variables, then Dependabot. Reference these secrets in your dependabot.yml using the username and password fields for the registry entry. Never hardcode credentials directly in the configuration file.
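As an added example (not a sample from Cloudsmith or GitHub documentation), the dependabot.yml below applies the pattern described above for npm and Python: one Cloudsmith registry entry per ecosystem, credentials pulled from Dependabot secrets, and replaces-base set to true. The OWNER/REPO values, the Cloudsmith URL paths, the registry entry names and the secret names CLOUDSMITH_USERNAME and CLOUDSMITH_API_KEY are assumptions; substitute your own.

```yaml
# dependabot.yml (added example; OWNER/REPO, URL paths and secret names are assumed)
version: 2

registries:
  # One registry entry per ecosystem, each pointing at the Cloudsmith repository.
  cloudsmith-npm:
    type: npm-registry
    url: https://npm.cloudsmith.io/OWNER/REPO/        # assumed Cloudsmith npm endpoint
    # Never inline credentials: reference the encrypted Dependabot secrets
    # (Settings > Secrets and variables > Dependabot). The API key should
    # belong to a read-only service account, not a personal user.
    username: ${{secrets.CLOUDSMITH_USERNAME}}
    password: ${{secrets.CLOUDSMITH_API_KEY}}
    # Make Cloudsmith the primary source instead of the public npm registry.
    # An npmjs upstream must be configured on the Cloudsmith repository,
    # otherwise public packages not already cached there will not resolve.
    replaces-base: true

  cloudsmith-python:
    type: python-index
    url: https://dl.cloudsmith.io/basic/OWNER/REPO/python/simple/   # assumed Cloudsmith PyPI endpoint
    username: ${{secrets.CLOUDSMITH_USERNAME}}
    password: ${{secrets.CLOUDSMITH_API_KEY}}
    replaces-base: true                                # same caveat: needs a PyPI upstream

updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    registries:
      - cloudsmith-npm                                 # resolve everything via Cloudsmith

  - package-ecosystem: pip
    directory: /
    schedule:
      interval: weekly
    registries:
      - cloudsmith-python
```

After committing this file, a manual check from the repository's Insights, then Dependency Graph, then Dependabot view will show in its logs whether the registry authenticated successfully.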
After configuring your dependabot.yml, navigate to your GitHub repository's Insights tab, select Dependency Graph, and then Dependabot. From there you can trigger a manual check for updates and inspect the logs. Any authentication or connectivity errors with Cloudsmith will appear in those logs, making it straightforward to diagnose configuration issues.
Cloudsmith works with both repository-level and organisation-level Dependabot registry configurations. At the repository level, credentials are defined in each project's dependabot.yml. For organisation-wide management, GitHub Advanced Security customers can define private registry credentials centrally at the org level, which Cloudsmith supports just as it does repository-level configuration.
Yes. Every request Dependabot makes to your Cloudsmith repository is recorded in Cloudsmith's audit and client logs. This gives your security and compliance teams a complete, timestamped record of which package versions were resolved, when, and under which service account or user credentials.
Yes. Migrating to Cloudsmith does not require changes to how Dependabot is triggered or scheduled. You update your dependabot.yml to point to your new Cloudsmith repository URL and replace the old registry credentials with your Cloudsmith API key. Once updated, Dependabot will resolve packages from Cloudsmith exactly as it did from your previous registry.