Secure your supply chain from build to distribution with Kusari

Kusari verifies every dependency and generates signed SBOMs, VEX reports, and provenance attestations at build time. Cloudsmith enforces policy-as-code on those artifacts and controls who can access or deploy them. Together, they give your team an end-to-end, auditable chain of custody from code commit to production.

How we support Kusari

Cloudsmith acts as the secure artifact hub that consumes Kusari's verified build output, enforcing policy from the moment an artifact lands until the moment it is deployed.
    Consume Kusari-verified artifacts
    Cloudsmith ingests artifacts published by Kusari-secured CI pipelines. Only builds that pass Kusari's provenance and attestation checks reach your Cloudsmith repositories, giving every downstream consumer a clean, verified starting point.
    Policy enforcement via Rego
    Use Cloudsmith's OPA Rego-based policy engine together with Kusari SBOM and VEX data to automatically block or quarantine any artifact that exceeds your CVSS thresholds, violates license requirements, or lacks a required attestation.
    Co-located artifacts and evidence
    SBOMs, VEX reports, and provenance attestations generated by Kusari are stored alongside versioned packages inside Cloudsmith, creating a single, auditable source of truth that compliance teams can query without chasing separate tooling.
    Zero-day blast radius control
    When a new vulnerability is disclosed, Kusari's dependency graph identifies every affected component. Cloudsmith immediately quarantines or blocks those packages across all repositories, stopping insecure deployments before they reach production.
    Full audit trail from commit to deploy
    Every artifact in Cloudsmith carries an immutable record: who built it, what Kusari checks it passed, which policy version approved it, and who downloaded it. Security and compliance teams get end-to-end traceability without manual evidence gathering.

Why teams pair Cloudsmith with Kusari

Most teams discover vulnerabilities too late, after an artifact is already in a repository and being pulled by downstream consumers. Pairing Kusari with Cloudsmith shifts that gate left and enforces it at distribution too.
Without Cloudsmith: Kusari generates signed SBOMs and attestations during the build, but those evidence packets live in a separate store. Downstream consumers pull artifacts from a generic registry with no link back to the security evidence, leaving compliance gaps.
With Cloudsmith: Kusari evidence packets are stored alongside versioned artifacts inside Cloudsmith. Every download comes with a verifiable chain of custody, and compliance auditors can pull the full record from a single location.

Without Cloudsmith: When a zero-day like Log4Shell is disclosed, security teams spend days manually tracing which container images and packages are affected across fragmented registries, delaying containment.
With Cloudsmith: Kusari's dependency graph pinpoints every affected component. Cloudsmith policies immediately quarantine or block those artifacts across all repositories, cutting containment time from days to minutes.

Without Cloudsmith: Developers are buried in hundreds of CVE alerts with no context on which findings are actually reachable in their application. Teams either ignore the noise or stop work to triage each alert manually.
With Cloudsmith: Kusari's context-aware analysis surfaces only the vulnerabilities that are reachable in your build. Cloudsmith's Rego policies then enforce a hard gate on CVSS thresholds, so only validated artifacts are ever available to deploy.

Frequently asked questions

  1. Kusari operates inside your CI/CD pipeline to verify every dependency, generate signed SBOMs and VEX reports, and produce provenance attestations before a build is packaged. Cloudsmith then acts as the secure distribution layer: it stores those artifacts and their evidence packets, enforces policy on who can access or deploy them, and provides a full audit trail from build to production.

  2. GUAC (Graph for Understanding Artifact Composition) is an OpenSSF project co-created by Kusari that aggregates SBOMs, SLSA provenance, CVEs, and VEX data into a queryable dependency graph. The Kusari platform builds on GUAC to answer questions like which containers are affected by a specific vulnerability across your entire software portfolio. Cloudsmith complements this by enforcing policy against those insights at the point of distribution.

  3. Three common scenarios: regulated industries (fintech, healthcare, defence) that must produce signed SBOMs and attestations per CRA, SSDF, or EO 14028 requirements; platform engineering teams building internal developer platforms who want a vetted, policy-enforced artifact store downstream of their CI pipeline; and open source projects and ISVs who ship software to external customers and need provenance proof attached to every release.

  4. Kusari generates a signed SBOM (in SPDX or CycloneDX format) and a VEX report as part of every CI build. Those documents are published to Cloudsmith alongside the artifact itself, so the SBOM is versioned, immutable, and co-located with the package it describes. Cloudsmith's policy engine can then inspect SBOM metadata to enforce license and vulnerability controls automatically.

  5. Yes. Cloudsmith's OPA Rego-based policy engine lets you write rules that evaluate CVSS scores, vulnerability status, license types, and the presence or absence of required attestations. When combined with Kusari's context-aware vulnerability triage, you can enforce a hard gate: only builds that pass Kusari's checks and meet your Cloudsmith policy thresholds are available for download or deployment.

  6. Kusari maintains a live dependency graph and monitors vulnerability feeds continuously. When a new CVE is disclosed, Kusari identifies every affected component in your build graph. Cloudsmith then lets you quarantine or block those specific artifact versions across all repositories instantly, preventing any further deployment of vulnerable packages before teams have finished their triage.

  7. Yes. Both regulations require software producers to generate and maintain SBOMs, verify component provenance, and demonstrate that security checks were performed before release. Kusari automates the generation of signed SBOMs, VEX reports, and SLSA provenance attestations at build time. Cloudsmith stores and versions those documents alongside the artifact, giving you an audit-ready evidence packet that satisfies common regulatory requests.

  8. Cloudsmith supports more than 30 artifact formats including Docker and OCI containers, Helm charts, npm, Maven, PyPI, Debian, RPM, NuGet, Cargo, and more. Any artifact format that Kusari secures at build time can be stored, policy-gated, and distributed through Cloudsmith with full provenance attached.

  9. Yes. Cloudsmith gives you fine-grained entitlement tokens and repository-level access controls. Combined with Rego policies that check attestation metadata, you can ensure that only systems or users with the right permissions can pull artifacts that carry a valid Kusari attestation, and block everything else at the registry level.

  10. Start by connecting your CI pipeline to both Kusari, for build-time attestation and SBOM generation, and Cloudsmith, for artifact storage and distribution. Configure Kusari to publish signed evidence packets to your Cloudsmith repository alongside each artifact. Then define Rego policies in Cloudsmith to enforce your vulnerability and license standards. The Cloudsmith integrations documentation covers API authentication, entitlement token setup, and repository configuration.
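As an added example (not Cloudsmith's or Kusari's own code) of the gate described under "Policy enforcement via Rego" and in answer 5 above, the following Rego policy denies an artifact when a finding at or above a CVSS threshold is not dismissed by a VEX statement, when a component carries a license outside an allowlist, or when no verified provenance attestation is attached. The input fields (input.sbom, input.vex, input.attestations), the threshold and the license allowlist are assumptions for illustration, not Cloudsmith's actual policy input schema.

```rego
# Added example; input shape, threshold and allowlist are assumed,
# not Cloudsmith's real policy input schema.
package supplychain.gate

import rego.v1

default allow := false

cvss_threshold := 7.0
allowed_licenses := {"MIT", "Apache-2.0", "BSD-3-Clause"}

# A VEX statement can dismiss a finding only with an explicit status.
vex_dismissed(vuln_id) if {
    some stmt in input.vex.statements
    stmt.vulnerability == vuln_id
    stmt.status in {"not_affected", "fixed"}
}

# Undefined when the component has no license field, so missing
# license data fails closed.
license_allowed(component) if component.license in allowed_licenses

# Undefined when no attestation is present or none is verified.
has_provenance if {
    some att in input.attestations
    att.type == "slsa-provenance"
    att.signature_verified == true
}

deny contains msg if {
    some finding in input.sbom.vulnerabilities
    finding.cvss >= cvss_threshold
    not vex_dismissed(finding.id)
    msg := sprintf("blocked: %v scores CVSS %v with no VEX dismissal", [finding.id, finding.cvss])
}

deny contains msg if {
    some component in input.sbom.components
    not license_allowed(component)
    msg := sprintf("blocked: %v has no allowed license", [component.name])
}

deny contains msg if {
    not has_provenance
    msg := "blocked: no verified SLSA provenance attestation attached"
}

# The artifact is released to consumers only when nothing denies it.
allow if count(deny) == 0
```

Because each helper is undefined when its input is absent, an artifact with no VEX report, no license metadata, or no attestation is denied rather than silently admitted.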
