---
title: "Dependabot and Cloudsmith: Automated Dependency Updates for Private Registries"
description: "Connect Dependabot to Cloudsmith to automate updates for private and public dependencies. Supports username/password and OIDC authentication across all major package ecosystems."
canonical_url: "https://cloudsmith.com/product/integrations/dependabot"
last_updated: "2026-07-09T10:51:20Z"
---
# Dependabot and Cloudsmith: Automated Dependency Updates for Private Registries

## Keep private dependencies secure with **Dependabot** and Cloudsmith

Cloudsmith acts as a fully managed private registry that Dependabot can authenticate against directly, giving you automated dependency updates across all your private and public packages. Configure Dependabot once in your dependabot.yml, point it at your Cloudsmith repository, and let automated pull requests keep every dependency current and secure.

## How we support **Dependabot**

Cloudsmith gives Dependabot a single, authenticated source for all your private packages, so automated updates are reliable, controlled, and auditable across every ecosystem you use.

[Read our Dependabot documentation](https://docs.cloudsmith.com/integrations/dependabot)

### Private registry authentication

Dependabot connects to Cloudsmith using username and password credentials stored as GitHub secrets, giving it authenticated access to all your private packages without exposing tokens in code.

### Detailed request logging

Every request Dependabot makes against Cloudsmith is logged with full detail, including the package, version, timestamp, and credentials used. Security and compliance teams get a complete, auditable record of all automated dependency resolutions.

### Upstream proxying with replaces-base

Set replaces-base to true in your dependabot.yml and Dependabot will treat Cloudsmith as the primary source for all packages in an ecosystem. Cloudsmith's upstream proxying handles resolution from public registries transparently.

### Multi-ecosystem support

Cloudsmith is a supported private registry for Maven, npm, Python, RubyGems, NuGet, and more. The same Dependabot configuration pattern works across every package ecosystem Cloudsmith hosts.

### Policy enforcement

Cloudsmith supports OPA Rego policy-as-code so you can enforce rules on which packages Dependabot can resolve. Quarantine packages that fail policy checks before they ever reach a pull request.

## Why teams integrate Cloudsmith with **Dependabot**

Dependabot's automated pull requests only deliver value when they can actually reach your private packages. Cloudsmith removes every authentication and routing obstacle between Dependabot and your dependencies.

[Read our Dependabot documentation](https://docs.cloudsmith.com/integrations/integrating-with-dependabot)

| Without Cloudsmith | With Cloudsmith |

| --- | --- |

| Dependabot struggles to authenticate against fragmented private registries. Credentials must be configured per-repository in dependabot.yml, are easy to misconfigure, and often result in silent update failures that leave vulnerable dependencies in place. | Cloudsmith provides a single, well-documented registry endpoint for each ecosystem. Store your Cloudsmith API key once in GitHub secrets and reference it across every repository. Updates run reliably and failures surface clearly in Dependabot logs. |

| Dependabot resolves public packages directly from public registries and private packages from a separate source, creating split resolution paths. This can cause version mismatches and makes it hard to enforce which registry is authoritative for a given package. | With Cloudsmith's upstream proxying and replaces-base, Dependabot uses a single Cloudsmith repository as the authority for all packages in an ecosystem. Public packages are proxied through Cloudsmith, ensuring consistent resolution and policy enforcement. |

| Long-lived API tokens stored as Dependabot secrets represent a persistent credential risk. There is no built-in mechanism to rotate them automatically, so teams either accept stale credentials or manage rotation manually. | Cloudsmith gives you granular access controls, service account credentials scoped per team, and full audit logs for every package resolution. You control exactly what Dependabot can access and have a complete record of every update it triggers. |

## Frequently asked questions

### Which package ecosystems does the Cloudsmith and Dependabot integration support?

Cloudsmith is a supported private registry for all major ecosystems that Dependabot covers, including Maven, npm, Python (PyPI), RubyGems, NuGet, and more. The same configuration pattern applies across ecosystems: define a Cloudsmith registry in your dependabot.yml, reference your credentials from GitHub secrets, and Dependabot handles the rest.

### How does Dependabot authenticate with Cloudsmith?

Dependabot authenticates with Cloudsmith using username and password credentials stored as encrypted GitHub secrets. You store your Cloudsmith username and API key in the Dependabot secrets section of your repository settings, then reference them in your dependabot.yml file.

### What does replaces-base do in the Dependabot configuration?

Setting replaces-base to true in your dependabot.yml tells Dependabot to use the specified Cloudsmith repository URL as the primary source for all packages in that ecosystem, rather than the default public registry. To make this work correctly, you should configure a corresponding upstream proxy in Cloudsmith so that public packages are fetched through Cloudsmith when they are not already present in your repository.

### How should I scope Cloudsmith credentials for Dependabot?

Cloudsmith supports granular access controls and service accounts, so you can scope credentials precisely to Dependabot's needs. Create a dedicated service account with read-only access to the relevant repositories, store the API key as an encrypted Dependabot secret in GitHub, and reference it in your dependabot.yml. This limits blast radius if credentials are ever compromised.

### Can Dependabot update both public and private packages through Cloudsmith?

Yes. With Cloudsmith's upstream proxying enabled and replaces-base set to true, Dependabot routes all package resolution through your Cloudsmith repository. Public packages that are not already stored in Cloudsmith are fetched transparently via the upstream proxy, while private packages are served directly. This gives you a single authoritative source for every dependency in an ecosystem.

### Where do I put my Cloudsmith credentials when configuring Dependabot?

Store your Cloudsmith API key and username as encrypted Dependabot secrets in your GitHub repository under Settings, then Secrets and variables, then Dependabot. Reference these secrets in your dependabot.yml using the username and password fields for the registry entry. Never hardcode credentials directly in the configuration file.

### How do I verify that Dependabot can connect to Cloudsmith successfully?

After configuring your dependabot.yml, navigate to your GitHub repository's Insights tab, select Dependency Graph, and then Dependabot. From there you can trigger a manual check for updates and inspect the logs. Any authentication or connectivity errors with Cloudsmith will appear in those logs, making it straightforward to diagnose configuration issues.

### Does Cloudsmith support organisation-level Dependabot registry configuration?

Cloudsmith works with both repository-level and organisation-level Dependabot registry configurations. At the repository level, credentials are defined in each project's dependabot.yml. For organisation-wide management, GitHub Advanced Security customers can define private registry credentials centrally at the org level, which Cloudsmith supports just as it does repository-level configuration.

### Will Cloudsmith's audit logs capture Dependabot package resolution events?

Yes. Every request Dependabot makes to your Cloudsmith repository is recorded in Cloudsmith's audit and client logs. This gives your security and compliance teams a complete, timestamped record of which package versions were resolved, when, and under which service account or user credentials.

### Can I migrate from a self-hosted registry to Cloudsmith and keep using Dependabot?

Yes. Migrating to Cloudsmith does not require changes to how Dependabot is triggered or scheduled. You update your dependabot.yml to point to your new Cloudsmith repository URL and replace the old registry credentials with your Cloudsmith API key. Once updated, Dependabot will resolve packages from Cloudsmith exactly as it did from your previous registry.
