Reliable artifact management for your Jenkins pipelines

Jenkins is one of the most widely used open-source automation servers in the world. Connect it to Cloudsmith to give every pipeline a secure, centralized artifact registry - supporting push, pull, and promotion across all your build formats without managing your own storage infrastructure.

How we support Jenkins

Cloudsmith integrates with Jenkins via the CLI, REST API, and OIDC to give your pipelines a fully managed artifact registry with no infrastructure to run.
Push and pull across all build formats: Publish and consume packages in Maven, npm, Docker, Python, NuGet, Helm, and 25+ other formats directly from your Jenkinsfile using the Cloudsmith CLI or native format tooling.

Keyless OIDC authentication: Authenticate Jenkins jobs to Cloudsmith without storing long-lived credentials. Configure Jenkins as an OIDC provider and exchange short-lived tokens for scoped Cloudsmith access on every build.

Policy-gated artifact promotion: Mirror your pipeline stages in Cloudsmith repositories and move artifacts from dev to staging to production without re-uploading, while policy rules enforce quality and security gates at each stage.

Vulnerability scanning on every publish: Every package pushed from a Jenkins job is automatically scanned for known CVEs. Quarantine rules can block vulnerable artifacts before they reach downstream consumers.

Audit trail and full observability: Every push, pull, and promotion triggered by Jenkins is recorded in Cloudsmith's client and audit logs, giving you a complete provenance trail across all pipelines and environments.

Why teams integrate Cloudsmith with Jenkins

Jenkins pipelines without a dedicated artifact registry lead to fragile builds, ad-hoc storage, and no visibility into what ships to production. Cloudsmith removes all of that.

Without Cloudsmith: Build artifacts pile up on the Jenkins controller or get shunted to ad-hoc S3 buckets with no version control, no access policy, and no single source of truth across teams.
With Cloudsmith: Every artifact published from a Jenkins job lands in a versioned Cloudsmith repository with consistent naming, retention rules, and fine-grained access control from day one.

Without Cloudsmith: API keys for artifact registries are embedded in Jenkinsfiles or stored as plain-text environment variables, creating credential sprawl and a security risk on every compromised agent.
With Cloudsmith: Jenkins authenticates to Cloudsmith via OIDC using short-lived tokens. No long-lived secrets stored anywhere - each build gets a scoped token that expires immediately after use.

Without Cloudsmith: There is no structured promotion path between environments. Teams re-download artifacts from staging and re-upload to production, wasting bandwidth and breaking the integrity chain.
With Cloudsmith: Cloudsmith lets you promote artifacts between repositories without re-uploading. Provenance is preserved end to end, and every move is logged against the originating Jenkins build.

Frequently asked questions

  1. You can connect Jenkins to Cloudsmith using the Cloudsmith CLI or native package manager tooling inside your Jenkinsfile. Configure your Cloudsmith API key (or an OIDC token) as a Jenkins credential, then reference it in your pipeline to push or pull packages.

  2. Yes. Cloudsmith supports OIDC-based authentication with Jenkins. You install the OpenID Connect Provider plugin in Jenkins, configure a service account and OIDC provider in Cloudsmith, and Jenkins jobs then exchange short-lived OIDC tokens for Cloudsmith JWT tokens - no stored API keys required.

  3. Cloudsmith supports over 30 package formats including Maven, npm, Docker, Python (PyPI), NuGet, Helm, Debian, RPM, Go, Rust (Cargo), and more. You can publish any of these from a Jenkins build step using the Cloudsmith CLI or the native tooling for each format.

  4. Store your Cloudsmith API key as a Jenkins Secret Text credential and inject it into your pipeline with the Credentials Binding plugin. For higher security, use OIDC to eliminate static credentials entirely - each Jenkins job receives a scoped, short-lived token at runtime.

  5. Yes. Cloudsmith lets you move artifacts between repositories representing different pipeline stages (dev, staging, production) without re-uploading. You can trigger promotions from Jenkins using the Cloudsmith API or CLI, and the full provenance trail is preserved.

  6. Yes. Every package pushed to Cloudsmith - including those from Jenkins builds - is automatically scanned for known CVEs. You can configure policies to quarantine or block vulnerable packages before they are consumed by other jobs or deployed downstream.

  7. Cloudsmith's client and audit logs record every upload event, including the credentials used. If you tag uploads with build metadata via the CLI, you get a direct link between each artifact version and the Jenkins build that produced it.

  8. Yes. Cloudsmith provides a reference Jenkins pipeline that demonstrates OIDC authentication and package publishing. You can find it linked from the Cloudsmith docs for Jenkins at docs.cloudsmith.com/integrations/integrating-with-jenkins.

  9. Jenkins is a build orchestrator, not an artifact store. Artifacts saved to the Jenkins controller get buried across hundreds of builds and are hard to share. Cloudsmith gives you a dedicated, versioned, access-controlled registry that persists independently of your Jenkins instance.

  10. Yes. Multiple Jenkins jobs and pipelines can push to and pull from the same Cloudsmith repository. You control access at the repository and team level, so different pipelines can share artifacts while maintaining the principle of least privilege.
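
The Secret Text approach from answer 4, as an added example (not Cloudsmith's reference pipeline). The credential ID, repository name and artifact path are assumptions, and the Cloudsmith CLI is assumed to be installed on the agent already.

```groovy
// Added example, not the vendor's reference pipeline.
// Assumed names: credential ID 'cloudsmith-api-key' (a Jenkins Secret Text
// credential), repository 'example-org/example-repo', artifact under dist/.
pipeline {
    agent any

    // Avoid: putting the key in the Jenkinsfile itself, for instance in an
    // environment { ... } block with a literal value. It then lives in source
    // control and is readable by every stage and every agent that runs the job.

    stages {
        stage('Build') {
            steps {
                // Single-quoted string: ${BUILD_NUMBER} is expanded by the shell.
                sh 'mkdir -p dist && tar -czf "dist/app-${BUILD_NUMBER}.tar.gz" src/'
            }
        }

        stage('Publish') {
            steps {
                // Credentials Binding plugin: the secret is exported as an
                // environment variable only inside this block and is masked
                // in the console log.
                withCredentials([string(credentialsId: 'cloudsmith-api-key',
                                        variable: 'CLOUDSMITH_API_KEY')]) {
                    // The Cloudsmith CLI reads CLOUDSMITH_API_KEY from the
                    // environment, so the key never appears on the command line.
                    // Keep the sh string single-quoted: a double-quoted Groovy
                    // string that interpolates the secret would embed its value
                    // in the generated script and weaken log masking.
                    sh 'cloudsmith push raw example-org/example-repo "dist/app-${BUILD_NUMBER}.tar.gz"'
                }
            }
        }
    }
}
```

The binding scopes the key to the publish step rather than the whole job, which limits exposure if an earlier build step runs untrusted code.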
