Cloudsmith Blog

Featured
Best Practices
8 min read

Using vulnerability scoring systems to prioritize risks in your environment

Rather than configuring security rules by clicking through a UI, Cloudsmith lets development teams write them as code, which is both more powerful and more flexible. This approach, policy-as-code, requires precise thresholds for what counts as a risky software artifact, and deciding where to set those thresholds is often the hardest part. With new vulnerabilities arriving daily, treating every one as an emergency is neither possible nor efficient. This post explains the scoring systems you can use to build smarter, context-aware security policies…
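As an added illustration of what a threshold-based policy looks like once written as code (this is not Cloudsmith's policy syntax, which this page does not show), the evaluator below combines several scoring inputs instead of relying on one severity number. The field names, thresholds, sample findings and identifiers are all constructed for the example; CVSS, EPSS and a known-exploited flag are assumed as the available signals.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported against an artifact (field set is an assumption)."""
    ident: str                        # scanner's identifier for the finding (placeholder)
    cvss: float                       # CVSS base score, 0.0-10.0: severity, not likelihood
    epss: float                       # EPSS probability of exploitation, 0.0-1.0
    known_exploited: bool = False     # listed in a known-exploited-vulnerabilities catalogue
    fixed_version: str | None = None  # None when upstream has no patched release yet


@dataclass(frozen=True)
class Policy:
    """The thresholds a team would otherwise pick by hand in a UI."""
    block_cvss_at_least: float = 9.0
    block_epss_at_least: float = 0.10
    warn_cvss_at_least: float = 7.0
    block_known_exploited: bool = True
    downgrade_unfixable_to_warn: bool = True


def classify(finding: Finding, policy: Policy) -> str:
    """Return 'block', 'warn' or 'allow' for a single finding.

    A finding is severe if any signal crosses its threshold: a high CVSS score,
    a high EPSS probability (a CVSS 5.x bug that is being exploited in the wild
    still gets blocked), or a known-exploited flag. Severe findings with no fix
    available are downgraded to 'warn', since blocking would only stall the team.
    """
    severe = (
        finding.cvss >= policy.block_cvss_at_least
        or finding.epss >= policy.block_epss_at_least
        or (policy.block_known_exploited and finding.known_exploited)
    )
    if severe:
        if policy.downgrade_unfixable_to_warn and finding.fixed_version is None:
            return "warn"
        return "block"
    if finding.cvss >= policy.warn_cvss_at_least:
        return "warn"
    return "allow"


def evaluate_artifact(findings: list[Finding], policy: Policy) -> tuple[str, dict[str, str]]:
    """Verdict for the whole artifact (worst finding wins) plus per-finding decisions."""
    decisions = {f.ident: classify(f, policy) for f in findings}
    if "block" in decisions.values():
        verdict = "block"
    elif "warn" in decisions.values():
        verdict = "warn"
    else:
        verdict = "allow"
    return verdict, decisions


def sample_findings() -> list[Finding]:
    """Constructed sample data; the identifiers are placeholders, not real CVEs."""
    return [
        Finding("F-1", cvss=9.8, epss=0.02, fixed_version="2.4.1"),   # critical, fixable
        Finding("F-2", cvss=5.3, epss=0.45, fixed_version="1.9.0"),   # medium CVSS, high EPSS
        Finding("F-3", cvss=7.5, epss=0.01),                          # high CVSS, no fix
        Finding("F-4", cvss=9.1, epss=0.03),                          # critical, no fix
        Finding("F-5", cvss=3.1, epss=0.001, fixed_version="0.3.2"),  # low on every axis
        Finding("F-6", cvss=6.1, epss=0.02, known_exploited=True, fixed_version="4.0.0"),
    ]


if __name__ == "__main__":
    verdict, decisions = evaluate_artifact(sample_findings(), Policy())
    for ident, decision in decisions.items():
        print(f"{ident}: {decision}")
    print(f"artifact verdict: {verdict}")
```

Note how F-2 is blocked on EPSS alone and F-6 on the known-exploited flag, even though neither reaches the CVSS block threshold, while F-4 is only a warning despite its 9.1 score because there is nothing to upgrade to. Those are exactly the decisions a pure CVSS cut-off gets wrong in both directions.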
Integrations & partners
20 min read

Python 3.14 – What you need to know

Python 3.14 brings a number of useful build and release changes, including the discontinuation of PGP signatures under PEP 761. From 3.14 onwards, CPython release artifacts are no longer accompanied by PGP signatures; verifiers should use Sigstore instead…
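As an added example of what that change means for a verifier (this is not code from the Cloudsmith post or from the CPython project), the script below drives the `sigstore` CLI (`pip install sigstore`) to check a release tarball against its `.sigstore` bundle. It assumes the bundle was downloaded from the same python.org directory as the tarball and sits next to it; the signer identity and OIDC issuer in the `__main__` block are placeholders, and the real values for the release manager must be taken from python.org's Sigstore verification instructions rather than from this snippet.

```python
from __future__ import annotations

import shutil
import subprocess
from pathlib import Path


def sigstore_only(version: str) -> bool:
    """True for CPython versions that ship without PGP signatures (3.14 and later)."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return (major, minor) >= (3, 14)


def verify_command(tarball: Path, bundle: Path, identity: str, issuer: str) -> list[str]:
    """Build the argv for `sigstore verify identity`.

    Both the signer identity and the OIDC issuer are pinned. Checking only that
    the bundle is valid would accept any Sigstore-signed file, not specifically
    one signed by the CPython release manager.
    """
    return [
        "sigstore", "verify", "identity",
        "--bundle", str(bundle),
        "--cert-identity", identity,
        "--cert-oidc-issuer", issuer,
        str(tarball),
    ]


def verify_release(tarball: str | Path, identity: str, issuer: str) -> bool:
    """Run the verification; True only if the sigstore CLI exits 0."""
    tarball = Path(tarball)
    # Assumption: python.org names the bundle <artifact>.sigstore next to the artifact.
    bundle = tarball.with_name(tarball.name + ".sigstore")
    if not bundle.exists():
        raise FileNotFoundError(f"missing Sigstore bundle next to tarball: {bundle}")
    if shutil.which("sigstore") is None:
        raise RuntimeError("sigstore CLI not found; install it with `pip install sigstore`")
    result = subprocess.run(
        verify_command(tarball, bundle, identity, issuer),
        capture_output=True,
        text=True,
    )
    return result.returncode == 0


if __name__ == "__main__":
    version = "3.14.0"
    if not sigstore_only(version):
        print(f"{version}: PGP signatures may still be published, but Sigstore is still preferred")
    # Placeholder identity and issuer; substitute the release manager's published values.
    ok = verify_release(
        f"Python-{version}.tgz",
        identity="release-manager@example.org",
        issuer="https://accounts.google.com",
    )
    print("verified" if ok else "VERIFICATION FAILED")
```

The important habit here is pinning the identity and issuer pair, not just accepting a valid bundle: Sigstore's trust comes from the certificate being bound to a specific OIDC identity, so a verifier that omits `--cert-identity` or `--cert-oidc-issuer` has checked transparency-log inclusion but not who signed.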
News & announcements
4 min read

Extending Supply Chain Governance to AI and ML Artifacts

Across your organization, teams are rapidly adopting AI and machine learning. They’re pulling ML models and datasets from public sources like Hugging Face and wiring them into workflows that are now reaching production. For platform and security leaders, this creates a familiar challenge: artifacts are entering the software supply chain outside established governance and controls…