Package management is our raison d'etre (i.e. reason for being), our modus operandi, our way of life. Every plan supports all of the core features you need to store, deploy and distribute assets all over the world; using nothing but the best of package management practices. We live and breathe it, and that's why Cloudsmith is the #1 choice for package management.

Cloudsmith takes care of scaling and distribution for you, with a low-latency global infrastructure and over 225 points-of-presence. We ensure your packages are delivered worldwide reliably, quickly and securely.

Cloudsmith plans to extend our support for signing keys to include sigstore’s cosign. We support their mission that it should be easy for developers to sign releases and for users to verify them.

Cloudsmith offers Single Sign-On (SSO) for all users using Social Auth identity providers (e.g. Amazon, Google, GitHub, Microsoft, etc.)

Private/internal repositories limit package access to authorised clients and users, without sharing packages to the world. If you need internal software distribution mechanics, or if you want to support license-based software distribution, then private repositories facilitates these.

Use your own custom GPG/RSA signature keys for verifying and signing packages, to assert ownership and traceability. If you don't have one for signing, don't worry, we'll generate a per-repository signing key for you.

Malware scanning on every package at the point of upload helps to ensure that your ecosystem is free from malware and other potentially unsafe constructs. Watch this space for additional vulnerability management.

Block threats from entering your supply chain with Cloudsmith’s quarantine. Quarantine allows you to manually block certain packages from download.

Raw/generic file repositories allow you to upload/store and distribute any kind of file, with the same level of access control and features as any other managed repository.

All customers get access to Cloudsmith’s Documentation Hub and product training videos. Customers can contact our support team during core GMT business hours via in-app chat. We will do our best effort on response time.

With upstream proxying we'll cache upstream packages for you, for convenient access from Cloudsmith. You can reduce the amount of external repositories you depend on, and you can protect your software and servers from downtime and slowness of official main repositories.

Webhooks instruct Cloudsmith to contact your application, or integration when events happen, such as new packages being added. Build complex automated CI/CD pipelines in order to accelerate your DevOps practices.

Get detailed insight into all actions and events across your account, and get them in an auditable and exportable format. If you have strict requirements around regulation, compliance, and/or security, audit trails will ensure you have ultimate insight into how your account changes over time.

Programmatic access to your Audit Logs.

Drill down into the essential access logs for your packages. So now you can keep track of where and when your packages and assets are being downloaded from.

Access your packages and APIs via custom named domains, specified by you. If your company brand and trust is important to you and your customers, custom domains will allow you to present your own company as the endpoint for distribution, APIs and configuration (e.g. retrieving GPG keys). If you're a vendor, you'll likely want this when distributing.

For legal or compliance reasons you can enforce users to agree to your custom End-User License Agreement (EULA) before they can download your packages. This is especially useful if you're a vendor or would like to disclaim warranties prior to usage.

For regulatory and compliance reasons you may wish to store your packages in a specific country or region. Custom storage regions allow you to choose where in the world your packages will be stored, helping you to meet any compliance requirements you may have. Storing your packages closer to where your services and teams operate can also provide significant performance benefits (lower latency) in many cases.

Track advanced usage of your repositories with detailed usage statistics/metrics. If you need to supplement the builtin views we also offer an API to programmatically access statistics so that you can build your own.

Restrict or grant access to your packages based on geographical location, IP ranges or specific IP addresses. If you need to add physical location security to your package management, then Geo/IP Restriction is what you need.

Take control of license compliance for all of your packages within a repository. Explore metrics of the licenses contained within your repository and view licenses on individual packages.

Automated retention/lifetime rules allows you to automatically manage storage for packages by deleting or moving packages that fall outside of the defined retention rules.

Synchronize Cloudsmith teams with groups within your identity provider (IdP) to automatically manage team membership. When you synchronize a Cloudsmith team with an IdP group, changes to the IdP group are reflected in Cloudsmith automatically, reducing the need for manual updates and custom scripts.

Cloudsmith offers support for Single Sign-On (SSO) at the organization level using Security Assertion Markup Language (SAML). With SAML, organizations can use their existing SSO provider to manage and control authentication and access to their Cloudsmith organization account.

The first step to gaining control of your software supply chain is to have visibility of what’s in it. Cloudsmith makes it easy to upload, store and view SBOMs alongside your packages.

Manage permissions and access control at a group level rather than individually with Cloudsmith teams. Set up your teams, add and remove team members and then set permissions and manage access to repositories through that team.

Invoice-based billing allows you to pay for your Cloudsmith account as an invoice rather than via debit/credit cards. This is a convenient option for larger organizations or where there are strict requirements in how vendors are paid. It also tends to be much cheaper than other payment methods, as we offer a discount for paying for a year upfront.

With our automated S3 export, you'll be able to get the access logs for your repositories delivered to you periodically. You pick the frequency and the output format and we'll make the drop, hassle free. You can then import your logs into your favourite tools to slice dice and analyse your data at scale.

System for Cross-domain Identity Management, also known as SCIM, provides automated deprovisioning for Cloudsmith organizations. Streamline workflows and better manage your users as your organization grows.

Cloudsmith will scan every supported package format pushed to a Cloudsmith repository or fetched from a caching-enabled upstream. You can build rules into your CI/CD pipelines to decide how to handle low, medium, high, and critical software vulnerabilities. Supported formats include Docker, Ruby, Python, Composer, Maven, NuGet, Golang, Cargo and npm.

We pride ourselves as a top-tier managed service, and will always work to ensure continuity of service for you. With a guaranteed SLA of 99.5% we'll take additional measures to ensure that your account is maintained as a matter of priority, especially following unplanned downtime.

Enterprise Support is available as an add on and includes: * First Response SLA * Emergency escalation * Dedicated technical account manager * Direct access to your Cloudsmith technical account manager via shared Slack channel

Service Bots are a special type of Cloudsmith account intended to represent a non-human user that needs to authenticate and be authorized to access Cloudsmith’s APIs.

An active user is a user that has logged in or utilise an API key in a rolling 30-day window (i.e. you could have 50 users in an org, but only 5 are active per month).

With entitlement tokens, you can issue multiple tokens to control who has read-only access to your repositories, packages and assets; simple and secure. If you need more than just read-only access, you can enable dynamic provisioning of access, plus restriction by search, time and other qualifiers. Perfect for vendors!

There is no limit to the amount of packages you can store or distribute (upto storage/bandwidth limits), nor the amount of repositories you can create / use.

This is the amount of GB/Gigabytes allocated by default in your account, in which you can store a total amount of packages upto (including direct uploads and those fetched from upstreams).

This is the amount of GB/Gigabytes allocated by default in your account, in which you can distribute from Cloudsmith per month.