Push and pull packages between GitLab CI/CD and Cloudsmith

GitLab CI/CD gives your team a powerful pipeline engine. Cloudsmith gives it a proper home for packages. Connect the two and your pipeline stages can push built artifacts into Cloudsmith and pull dependencies from it, giving you a fully managed, secure artifact repository at every stage of your build.

How we support GitLab CI/CD

Cloudsmith integrates with GitLab CI/CD as both a source and a destination. Pull dependencies into your pipelines from Cloudsmith repositories, and push built artifacts back out, all with fine-grained access control and security scanning that GitLab's built-in package registry was never designed to provide.
    Push and pull any package format from your pipeline
    Use the Cloudsmith CLI or native package tooling directly in your .gitlab-ci.yml to push built packages to Cloudsmith or pull dependencies from it. Docker, npm, Python, Maven, Ruby, Helm, and 30+ other formats are all supported.
    Secure API key handling via CI/CD variables
    Store your Cloudsmith API key as a masked GitLab CI/CD variable, or as a file variable for tooling that needs a credentials file. Provided the variable is marked masked, the key is redacted from job logs, and it is never checked into source control.
    Vulnerability scanning on every push
    Every package pushed from your GitLab pipeline is automatically scanned for known vulnerabilities. Policy gates can quarantine or reject insecure artifacts before they reach downstream consumers.
    Policy enforcement with OPA Rego
    Write policy-as-code using OPA Rego to enforce which packages your GitLab pipelines are allowed to publish. Block packages that fail license, version, or vulnerability criteria at upload time.
    Global distribution and audit trail
    Packages pushed from your GitLab pipelines are served from 600+ edge PoPs worldwide. Every push, pull, and policy event is captured in full client and audit logs for complete traceability.

Why teams integrate Cloudsmith with GitLab CI/CD

GitLab CI/CD is a great place to build software. It is not a great place to store or distribute it. Cloudsmith fills that gap with purpose-built artifact management that serves as both a source and a destination for your pipelines.
Without Cloudsmith: GitLab job artifacts expire after 30 days by default and are capped at 100 MB per file. Teams hit storage limits quickly on active pipelines and lose access to older builds needed for debugging or rollback.
With Cloudsmith: Cloudsmith repositories have no arbitrary expiry. Retention rules are yours to define, packages can be up to 5 GB, and pipelines can pull any previously published version at any time without chasing down expired artifacts.

Without Cloudsmith: GitLab's built-in package registry supports a handful of formats. Teams building multi-language pipelines end up stitching together multiple registries for push and separate upstream proxies for pull, each with its own auth model.
With Cloudsmith: Cloudsmith supports 30+ package formats in one platform. A single API key in your GitLab CI/CD variables covers every push and pull stage across every language your pipeline builds or depends on.

Without Cloudsmith: Packages published through GitLab pipelines have no automatic vulnerability scanning or policy enforcement. A compromised dependency can silently pass through the pipeline and reach production.
With Cloudsmith: Every package pushed to Cloudsmith is scanned automatically. OPA Rego policies can quarantine or reject packages that fail security, license, or provenance checks before any consumer can pull them.

Frequently asked questions

  1. Add your Cloudsmith API key as a CI/CD variable named CLOUDSMITH_API_KEY in your GitLab project or group settings, and mark it masked (so GitLab redacts it from job logs) and protected (so it is only exposed to pipelines on protected branches and tags). The Cloudsmith CLI reads this variable automatically, so the key is never passed on the command line, written into .gitlab-ci.yml, or committed to source control. GitLab only masks values that meet its masking requirements, so confirm the variable saved as masked before relying on log redaction.

  2. Cloudsmith supports 30+ formats including Docker, npm, Python (PyPI), Maven, Gradle, Ruby Gems, Helm, NuGet, Debian, RPM, Cargo, Terraform modules, and more. You can push built packages or pull dependencies using either the Cloudsmith CLI or native package tooling such as pip install or helm pull directly in your pipeline stages.

  3. GitLab's package registry covers a limited set of formats and lacks dedicated vulnerability scanning, OPA-based policy enforcement, and CDN-backed global distribution. Cloudsmith is purpose-built for artifact management and gives you a single, consistent registry for every format your pipelines produce, with enterprise-grade security controls included.

  4. Yes. The integration relies on the Cloudsmith CLI or native package tooling inside your pipeline jobs, so it works the same way whether your GitLab instance is hosted on gitlab.com or self-managed on your own infrastructure. There is no special configuration required for self-managed GitLab; the only prerequisite is that your runners can reach Cloudsmith over the network, which matters if they sit behind an egress proxy or firewall.

  5. Install the Cloudsmith CLI in a pipeline job, set CLOUDSMITH_API_KEY as a masked CI/CD variable, then call cloudsmith push FORMAT OWNER/REPOSITORY PACKAGE_FILE to publish, or configure native tooling to pull from your Cloudsmith repository URL. Some formats take additional path segments after the repository, for example a distribution and version for Debian packages (cloudsmith push deb OWNER/REPOSITORY/DISTRO/VERSION PACKAGE_FILE). Full examples for each supported format are available in the Cloudsmith docs at docs.cloudsmith.com/integrations/integrating-with-gitlab-cicd.

  6. Yes. Every package pushed to Cloudsmith is scanned automatically against known vulnerability databases. You can configure vulnerability policies to quarantine or reject packages that breach your risk thresholds, blocking unsafe artifacts before any consumer can pull them.

  7. Yes. Cloudsmith's Enterprise Policy Manager uses OPA Rego to express policy-as-code. You can restrict which package versions, licenses, or dependency chains are permitted at upload time, giving you a consistent enforcement point regardless of which pipeline or team is pushing.

  8. Store your API key as a masked and protected CI/CD variable in GitLab project or group settings. For native package tooling that needs a credentials file (a pip.conf, .npmrc, or similar), use a GitLab file variable: GitLab writes the content to a temporary file on the runner for the duration of the job and exposes its path in the variable, so the secret is never checked into source control. Because the file does land on the runner's disk, prefer ephemeral runners or make sure the job workspace is cleaned between runs.

  9. Yes. A single Cloudsmith organisation can host repositories for every format your pipeline produces. One API key covers all of them, so you can push Docker images, Helm charts, and Python wheels from the same pipeline without managing separate credentials or registries.

  10. Yes. Cloudsmith captures every upload, download, and policy event in detailed audit and client logs. You can export these logs to S3 or Azure for long-term retention and analysis, giving you full traceability across all your CI/CD pipelines.
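The following .gitlab-ci.yml ties together the steps in the feature list above and in FAQ items 1, 5 and 8: build a package, publish it with the Cloudsmith CLI from a masked and protected CLOUDSMITH_API_KEY variable, then consume it with native tooling configured through a GitLab file variable. It is an added example, not configuration from the Cloudsmith page or its docs. Everything in it is an assumption for illustration: a Python project that builds wheels into dist/, placeholder variables CLOUDSMITH_OWNER and CLOUDSMITH_REPO, a placeholder package name mypackage, and a file variable named PIP_CONFIG_FILE (pip reads a config file from that environment variable) whose content points index-url at the Cloudsmith repository. The repository URL form used in that file is assumed; check the URL shown in your own Cloudsmith repository's setup instructions.

```yaml
# Added example, not from the Cloudsmith page or product docs. All names are placeholders.
#
# CI/CD variables assumed to exist in the GitLab project or group settings:
#   CLOUDSMITH_API_KEY  - masked + protected; the Cloudsmith CLI reads it from the environment
#   CLOUDSMITH_OWNER    - Cloudsmith organisation slug
#   CLOUDSMITH_REPO     - Cloudsmith repository slug
#   PIP_CONFIG_FILE     - type "File"; GitLab writes its content to a temp file on the runner
#                         and sets PIP_CONFIG_FILE to that path, which pip honours natively.
#                         Assumed content (URL form is an assumption, verify against your repo):
#                           [global]
#                           index-url = https://USERNAME:API_KEY@dl.cloudsmith.io/basic/OWNER/REPO/python/simple/

stages: [build, publish, consume]

default:
  image: python:3.12

build_wheel:
  stage: build
  script:
    - pip install build
    - python -m build --wheel
  artifacts:
    paths: [dist/]
    expire_in: 1 day          # GitLab artifacts are only a hand-off between stages;
                              # Cloudsmith is the long-term store for the package

publish_to_cloudsmith:
  stage: publish
  rules:
    - if: $CI_COMMIT_TAG      # publish only tagged builds; a protected variable is
                              # also only exposed to pipelines on protected refs
  script:
    # Fail fast with a clear message instead of an auth error from the CLI later on.
    - test -n "$CLOUDSMITH_API_KEY" || { echo "CLOUDSMITH_API_KEY is not set"; exit 1; }
    - pip install cloudsmith-cli
    # The CLI picks up CLOUDSMITH_API_KEY from the environment; the key is never put on
    # a command line, so it cannot leak into the job log through shell tracing.
    - cloudsmith whoami
    - |
      for whl in dist/*.whl; do
        cloudsmith push python "$CLOUDSMITH_OWNER/$CLOUDSMITH_REPO" "$whl"
      done

consume_from_cloudsmith:
  stage: consume
  needs: [publish_to_cloudsmith]
  script:
    # Native tooling path: pip reads index-url from the file variable, so neither the
    # repository URL nor the credential appears in this script or in the job log.
    - pip install --no-cache-dir mypackage
    - python -c "import mypackage"
```

The publish job deliberately never echoes or interpolates the key into a command; GitLab masking is a second line of defence, not the only one. If you later switch the consume job to a registry that needs a different file (an .npmrc, a Maven settings.xml), the same file-variable pattern applies: point the tool's own config-path setting at the path GitLab provides.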
