By submitting, you are subscribing to artiFACTS, Cloudsmith's monthly product newsletter. You can unsubscribe at any time.

Join a select group of engineering and security leaders for a private evening at BarChef. Build, experiment, and compete in a hands-on cocktail challenge. Expect great drinks, friendly competition, and meaningful connections in a lively, social setting.

Engineering Leaders After Hours: A Build & Ship Cocktail Competition

Software is assembled far more than it's authored. Every dependency, model weight, and base image is an artifact with provenance, integrity, and risk attached. Cloudsmith is the governed control plane where teams enforce policy, verify provenance, and gate what reaches production, making security and supply chain visibility the default, not an afterthought.

A governed control layer for the AI-driven software supply chain

AI is the most consequential shift in how software gets assembled, and the attack surface is expanding with it. Developers move faster. Pipelines pull in more open-source, pre-trained models, and third-party binaries than ever before. But most artifact infrastructure wasn't built to govern at that scale or velocity. 
 
Cloudsmith sits between your AI toolchain and production: enforcing OPA Rego policies pre-ingestion, validating package integrity, surfacing vulnerability data before dependencies ever reach a build, and providing a full audit trail across every artifact event. Engineers keep their velocity. Security teams get the control they need. 
 
The DASH audience is here for AI observability. We're here to talk about what you need to govern before the data ever reaches Datadog.

AI accelerates software assembly. Governance has to keep pace.

The LEGO Architecture Empire State Building is discontinued. We have one. Find us in the Partner Expo and enter to win!

Win something you can't buy anymore.

You're monitoring your AI systems with Datadog. Are you also governing what goes into them? Stop by Booth #528 and find out how Cloudsmith gives teams the clarity, control, and confidence to move fast with full visibility over every artifact entering their environment.

Meet us in NYC for Datadog DASH 2026

Frontier Stack Inc. has been compromised. A malicious package is buried in their codebase. Join Cloudsmith, Chainguard, and Mend.io for a live Capture the Flag. Hunt the malicious package, and prevent it from getting into your software build.

Nigel Douglas

Head of Developer Relations

Manfred Moser

Sr Principal DevRel Engineer

Amir Shahmiri

Senior Solutions Engineer

Dependency attacks are no longer rare events. Malicious packages get published to the npm Registry or the Python Package Index (PyPI) every week, and most teams discover them the same way they discover the rest of their supply chain: too late.

This CTF puts you inside a compromised company, working a live incident with experts from Cloudsmith, Chainguard, and Mend.io at your side. You'll feel the friction of an ungoverned AI software development environment - insecure models, agents and skills. Understand how adversaries are abusing the open source AI ecosystem, and how you can prevent an incident like this within your organisation.

Bring your laptop. Saddle up. Find the outlaw before it hits production. The winner walks away with a Raspberry Pi 5!

What you'll do

Investigate a real dependency attack: 
Get hands on with SBOMs and AIBOMs. Understand what goes into a modern AI application today, from potentially insecure AI skills, malware hidden in public models, and use open-source scanners like osv-scanner and ClamAV to understand what is safe versus what is not, and prevent Frontier Stack Inc. from being pwned.

See a governed supply chain in action:
Get hands-on with model discovery, understanding the hidden risks associated with public ML models and the dependencies they rely on. From secret scanning to malware classification, participants will put on their AppSec hat.

Capture the Flag | Dead or alive: Hunt the malicious package

Software supply chain security

Featured Events

Upcoming Events

Featured In-Person Events

Upcoming In-Person Events

Featured On-Demand Webinars

On-Demand Webinars

Featured Webinars

Upcoming Webinars

Featured Workshops

Upcoming Workshops

This webinar explores how platform engineering teams are uniquely positioned to operationalize CRA compliance - turning regulatory obligations from the security and compliance teams into frictionless, automated workflows that developers will actually adopt.

James Matchett

Head of Security

How platform engineering unlocks CRA readiness

Explore 2026 artifact management trends as AI accelerates development but outpaces security. Learn why 93% of organizations use AI-generated code while only 17% have guardrails, and how a unified control plane helps secure the software supply chain.

Glenn Weinstein

Alison Sickelka

VP of Product

Lee Skillen

Chief Technology Officer

Meghan McGowan

Product Marketing Manager

AI has fundamentally shifted the source of engineering value from writing code to validating output. But as AI-generated artifacts become near-universal, a massive "Governance Frontier" has emerged. Our 2026 research reveals a dangerous disconnect: 93% of organizations have adopted AI code, yet only 17% have the automated guardrails to catch AI-specific risks like malicious model weights or hallucinated dependencies.

Join Cloudsmith’s leadership and product teams for an investigative look at the 2026 state of artifact management. We’ll move beyond the AI hype to discuss the "Unified Control Plane" - the only way to bridge the gap between AI speed and supply chain integrity.

AI acceleration and supply chain security: 2026 artifact management trends

npm axios attack: What happened and how to protect your supply chain

Jenn Gile

Founder

LIVE BRIEFING: This week, axios - the JavaScript HTTP client with over 100 million weekly npm downloads - was compromised in a supply chain attack. A malicious actor used a compromised maintainer account to inject a remote access trojan into two active release branches.

Join our Head of Developer Relations, Nigel Douglas and Founder of OpenSourceMalware, Jenn Gile for a 30-minute live breakdown of the attack and practical steps any engineering team can take to reduce their exposure to this type of threat.

Live Briefing: Lessons from the axios npm attack

Most software pipelines focus on writing code and deploying it, but the real risk is what happens in between. Join Cloudsmith and Octopus Deploy to learn how to build trust in software artifacts and enforce security and compliance through your Golden Path.

Ralph McTeggart 

Principal Engineer

Steve Fenton

Director of Developer Relations

Cristian Garcia

Senior Customer Success Manager

Golden Paths help scale developer productivity - but most stop before the point where trust actually breaks down.

Teams invest in source control and deployment automation, but what happens in between - artifact movement, approvals, and integrity - is often overlooked.

In this session, Cloudsmith and Octopus Deploy will show how to build trust continuously, from source to ship. You’ll leave with a clear mental model for trust in software delivery, and practical guidance on enforcing chain of custody, policy, and authorization through your Golden Path.

Because if you can’t prove it, you don’t control it.


Building trust from source to ship: The missing link in your Golden Path

Learn how to safely ingest, verify, and manage LLM models from Hugging Face in this live webinar. See a real workflow for quarantining, approving, and promoting models into production without slowing developers down.

Liana Ertz

Product Manager

Open model ecosystems like Hugging Face have transformed how teams build with AI. But with that speed comes risk: unverified publishers, mutable artifacts, dependency confusion, and models that change beneath your feet.

If you’re pulling models straight into production pipelines, you’re inheriting all the uncertainty of the public internet - into some of your most sensitive systems.

In this live session, Cloudsmith experts will show you how to take control of your AI supply chain. You’ll learn how to securely ingest, verify, and distribute LLM models from Hugging Face without slowing your teams down.

How to securely source your LLM models from Hugging Face

Attackers are exploiting typos and AI-generated code to slip malicious packages into software ecosystems. Learn how typosquatting and slopsquatting attacks work, why AI is accelerating them, and the practical steps to detect, prevent, and secure your supply chain.

As software ecosystems expand, attackers are exploiting the smallest cracks - from a single typo to a reused name - to sneak in malicious packages. The rise of AI-generated code has amplified this problem. Automated code suggestions, dependency management, and code-completion tools can unintentionally introduce lookalike or compromised packages into projects. These lookalikes are easy to miss and can bypass traditional security checks, creating serious downstream risk.

This session combines real-world examples with practical advice on how to detect, respond to, and prevent squatting attacks in a world where AI-driven development is changing how code is written, shared, and reused. You’ll leave with a clearer understanding of how these threats operate, a simple framework for detection and response, and actionable steps to make your package ecosystem more resilient.

From naming hygiene to automation strategies, this session will help your teams stay one step ahead of the next squatting campaign, whether it is targeting human developers or being propagated by AI-generated code, and keep your software supply chain secure.

Typosquatting & Slopsquatting: Detecting and defending against malicious packages

Don’t let hidden threats slow you down. Discover how Cloudsmith & Kusari enable proactive security to prevent tampering, improve visibility, and speed deployments—reducing rework and strengthening your software supply chain.

Ben Cotton

Open Source Program Lead

Security checks are more critical than ever as attackers increasingly target software supply chains, from dependencies to CI/CD systems. But speed is just as important. Slowing down development isn’t an option, so organizations need security that enables rapid releases without adding friction.

The real competitive advantage comes from building security into your workflow so that speed and safety go hand in hand. Whether you’re under pressure to reduce risk, or enabling speed at scale, you’ll leave with actionable steps to make your pipeline not only secure but trustworthy - and spookily efficient.

In this joint webinar from Cloudsmith and Kusari, our experts will show you how to turn security from a bottleneck into a force multiplier.

More Trust, Less Boo! Haunt-Free Deployments with Cloudsmith & Kusari

The recent npm supply chain attack was a wake-up call: open source dependencies are a critical risk vector. If your organization isn’t actively securing the way you source, store, and distribute software artifacts, you’re exposed.

Gwen Burchell

Engineering Manager

The recent npm supply chain attack was a wake-up call: open source dependencies are one of the most critical risk vectors facing modern software teams. High-profile incidents like the npm cryptocurrency attack and the S1ngularity/nx breach have made it clear that vulnerabilities don’t just come from the code you write, they often hide in the transitive dependencies your applications rely on.

If your organization isn’t actively securing how you source, store, and distribute software artifacts, you’re exposed. And while you can’t stop attackers from trying, you can prepare to minimize risk and disruption when the next breach inevitably happens.

In this webinar, we’ll explore what these attacks revealed about dependency risk, why practices like lockfiles and dependency pinning matter, and how to build resilience with approaches like Continuous Security and Verified Registries. You’ll also see how Cloudsmith helps teams automatically mitigate malware and vulnerabilities, so you can stay ahead of threats without slowing development.

Lessons from the npm Attack: How to Secure Dependencies with Artifact Management

Not every CVE is worth chasing. In this webinar, we’ll show how to combine CVSS severity with EPSS exploitability inside Open Policy Agent (OPA) to automatically quarantine the vulnerabilities that matter most. 

Vulnerability management isn’t about patching everything - it’s about patching what actually matters. CVSS gives you severity. EPSS gives you probability. Together, they let you prioritize risk in a way that reflects real-world exploitation, not just theoretical impact.</>

In this session, we’ll show how to integrate EPSS and CVSS into Open Policy Agent (OPA) to automatically quarantine packages that cross defined thresholds. Using Rego, you’ll learn how to encode risk-based policies that block high-severity, high-likelihood vulnerabilities before they hit production - without slowing down development workflows.

From CVE Scores to Action: Enforcing Artifact Management Policies in OPA

Secure your CI/CD pipeline with Cloudsmith and Chainguard. This session will show you how to embed native artifact signing and enforce security policies within your workflows, enabling fast, trusted shipping without compromise.

Mark McMurray

Senior Software Engineer

Join us for a hands-on session on securing modern CI/CD pipelines through native signing and real-time policy controls.
With software supply chain threats escalating, it’s critical to ensure only trusted, verifiable artifacts reach production. This session will show you how to integrate signing, provenance tracking, and policy checks directly into your CI/CD workflows - without slowing down delivery. 

See how Cloudsmith and Chainguard are advancing DevSecOps with end-to-end artifact security, SBOM integration, and policy-driven CI/CD pipelines. You’ll leave with actionable tools and proven strategies to harden your pipeline and ship with confidence.

Unlocking Software Integrity: Native Signing & Policy Enforcement

Artifact management is now central to secure software delivery - but AI, compliance, and scale are raising the stakes. Join us live as we unpack key insights from the 2025 Artifact Management Report and explore how teams are adapting to this fast-changing landscape.

The software development landscape is undergoing a major transformation driven by the rise of AI and automation. While these technologies offer incredible speed and innovation, they also introduce new pressures - demanding that software delivery be faster, more secure, and fully compliant with evolving global regulations.
Drawing on insights from over 300 engineering, DevOps, and security professionals, this webinar will examine how leading organizations are rethinking their artifact infrastructure to meet these modern challenges. From securing pipelines to navigating compliance, we’ll dive into the practical steps teams are taking to adapt.
We'll gain deeper insight into the challenges users face in securing AI-driven pipelines, especially as threats like AI malware hidden in unvetted dependencies (e.g., through manipulation techniques like slopsquatting) continue to emerge. We'll also explore developers' concerns around scalability, performance, and the security limitations of today’s artifact management systems.
In addition, we’ll cover how organizations are aligning with regulatory frameworks like SLSA, DORA, and the EU CRA by building in traceability, auditability, and automated policy enforcement. Finally, we’ll look at strategies for enabling cross-functional collaboration, while still maintaining strict governance, visibility, and control over the entire software supply chain.

 From AI to Scalability: 2025 Trends in Artifact Management

Software supply chain security is critical, yet artifact management often goes overlooked. Join Docker and Cloudsmith in this live webinar to explore how teams are securing the artifact lifecycle and staying ahead of evolving threats.

Michael Donovan

VP Product

Jack Gibson

Containerized software and artifact management processes and technology have become soft spots in your software supply chain security — and attackers know it. From compromised CI/CD workflows to malicious open source packages, the threat surface has expanded — and attackers are increasingly targeting containers, registries, and build pipelines. Yet, many organizations still rely on default configurations, public registries, and unsigned packages — leaving critical blind spots in their security posture.

In this live session, Michael Donovan (VP of Product, Docker), Ralph McTeggart (Principal Engineer, Cloudsmith), and Jack Gibson (Senior Software Engineer, Cloudsmith) will walk through how leading teams are securing their software supply chains — with a sharp focus on artifact management. You’ll get a front-line view of how threats are evolving, how cybersecurity is reshaping security priorities, and what real-world strategies teams are using to lock down the full artifact lifecycle.

Topics will include
<ol>
<li>How attackers are targeting the software supply chain — and where your blind spots are; from tampered images to compromised CI/CD workflows, we’ll unpack real-world examples of how artifacts are being exploited — and why containers, public registries, and unsigned packages are common weak points</li>
<li>What a secure artifact lifecycle looks like in practice; learn the technical building blocks of a secure pipeline: signing, provenance via SLSA, tamper-proof storage, and enforcing policies without adding friction to dev workflows</li>
<li>How SBOMs and attestations create real visibility and trust. We’ll show how to integrate SBOMs and signed metadata into your pipeline for traceability — without slowing teams down</li>
<li>How to move toward zero-trust for artifacts - explore how forward-thinking teams are adopting cryptographic verification, trusted sources, and immutable audit logs to lock down the full software delivery process</li>
</ol>

State of the Union: Modern security approaches for the Software Supply Chain

Explore Helm chart security risks, real attacks, and vulnerabilities - learn how misconfigurations and dependencies threaten Kubernetes deployments.

As Kubernetes adoption grows, Helm charts have become a go-to for app deployment - but they come with security risks. Public charts often include misconfigurations, insecure defaults, and vulnerable dependencies, opening the door to privilege escalation, data leaks, or even full-cluster compromise.

This webinar explores the evolving threat landscape around Helm charts in public repositories. From real-world incidents, like the Codecov supply chain attack, to hypothetical attack vectors like "ChartSploit", we highlight how seemingly benign configurations can be exploited. You'll gain insights into the anatomy of vulnerable charts, key risk areas such as RBAC misconfigurations and dependency vulnerabilities, and what recent CNCF data tells us about industry-wide exposure.

Identifying vulnerabilities in public Kubernetes Helm charts

Watch this on-demand webinar to explore how data can be leveraged to protect your software supply chain. Learn how to extract actionable insights, enforce data-driven security policies, and enhance auditability with real-world strategies and examples.


Paddy Carey

Dan McKinney

Solutions Engineer

In today’s rapidly evolving software landscape, organizations face unprecedented challenges in securing their supply chains. With deeper dependency trees, increasing third-party code contributions, and growing threats - from vulnerabilities and misconfigurations to malicious packages and targeted attacks - ensuring security without compromising agility has never been more critical.

Watch this on-demand webinar to explore how data can be leveraged to protect your software supply chain. Learn how to extract actionable insights, enforce data-driven security policies, and enhance auditability with real-world strategies and examples.

Gain the knowledge and tools needed to turn data into a powerful defense against ever-evolving threats. Watch now to strengthen your security posture and safeguard your organization’s software ecosystem.

Putting Your Data to Work to Protect Your Software Supply Chain

Glenn Weinstein, CEO of CloudSmith, and Ronan O'Dooley, VP of Engineering, share their expert predictions and valuable insights to help you navigate the future of software supply chain management.

Ronan O'Dulaing

VP of Engineering

As the software ecosystem grows more complex and security challenges become more pressing, staying informed on emerging trends and threats is crucial. Listen to Glenn Weinstein, CEO of CloudSmith, and Ronan O'Dooley, VP of Engineering, share their expert predictions and valuable insights to help you navigate the future of software supply chain management.

2025 Software Supply Chain Predictions 

During this pre-KubeCon webinar, we will tackle the big questions that should be at the center of conversation at this year's event.

2025 is almost upon us.

During this pre-KubeCon online event, we will tackle the big questions that should be at the center of conversation at this year's event.

If over 90% of software deployed is open-source; what’s the difference between software security and software supply chain management? How can platform teams protect their organizations from attacks? How can you grasp control without impeding developer velocity?

It's time for engineering leaders to make their IDP tooling bets.

KubeCon is the opportunity to answer these big questions and share ideas.

Don’t miss this opportunity to learn from the leading minds in the software supply chain management about the most pressing questions in the industry today ahead of the only event that matters.

 Policy Management - The Key to Unlocking a Secure Software Supply Chain

Join us as we explore the EU's Cyber Resilience Act, its potential impact on the OSS Community, and proactive measures you can take to prepare your team for its implementation. 

Nick Peacock

VP, Customer Success

The European Parliament (EP) adopted a provisional version of the final text of the EU Cyber Resilience Act (CRA) on March 12, 2024, with the final version expected to be signed and published in October.

The EU's CyberResilienceAct (CRA) proposes stringent cybersecurity requirements for digital products, aiming to bolster security against cyberattacks. While it promises safer hardware and software, it also raises questions for Open Source contributors and organizations. Will they be liable for vulnerabilities in their code? Could this legislation stifle innovation or foster it?

Join us in exploring these questions to understand how the CRA underscores the imperative for open source organizations to advocate for their interests in policymaking.


EU's Cyber Resilience Act Repercussions in Open Source

In the final session of our summer series, we will explore why prioritizing artifact management is essential in advancing self-service IDPs and how the adoption of Cloudsmith offers solutions to the most common challenges in platform engineering teams.

Rob Godfrey

Senior Technical Architect

Antoine Tielbeke

DevOps Engineer

As DevOps evolves into platform engineering, the focus shifts to creating Internal Developer Platforms (IDPs) that offer self-service capabilities to developers, reducing cognitive load and streamlining development processes. Platform engineers are tasked with creating a multi-tenant SaaS approach in order to have centralized standardization, control, and governance.

In this session we will explore why prioritizing artifact management is essential in advancing to self-service IDPs and how adoption of Cloudsmith offers solutions to common challenges such as high infrastructure costs, managing security vulnerabilities, and maintaining productivity. Attendees will gain insights into best practices of implementing an artifact repository at the center of their CI/CD pipeline.


How Cloud-Native Artifact Management Can Facilitate the Move to Platform Engineering

The second session of our three-part summer series will help you assess and enhance your DevOps team's capabilities in preparation for transitioning to platform engineering using Omdia’s DevOps Maturity Checklist as our guide. 


Dave Bresci

Senior Manager, Site Reliability Engineering

Richard Vodden

Vice President of Technology

This webinar will help attendees assess and enhance their DevOps capabilities in preparation for transitioning to platform engineering using Omdia’s DevOps Maturity Checklist. We will cover key components like tools, culture, processes, and governance, and provide a structured self-assessment approach to identify team strengths and areas for improvement.  PagerDuty and Humanising Autonomy will join us to discuss their ongoing transformation and the challenges they’ve faced so far.


A Roadmap to Evaluating Your Organization’s DevOps Maturity

Discover how reimagining DevOps as platform engineering can create a more cohesive and streamlined approach to IT operations and development for your team in the first session of our three-part summer series.

Luca Galante

 VP, Product & Growth

Alan Carson

Co-founder and Chief Strategy Officer

As organizations continue to navigate the complexities of modern IT environments, the evolution from “DevOps” to “platform engineering” has emerged as a crucial next step in maximizing operational efficiency. By reimagining DevOps as platform engineering, organizations can create a more cohesive and streamlined approach to IT operations and development, breaking down the silos that often impede progress. In this webinar, the Cloudsmith team will explore Omdia’s latest Market Disruptors Report and discuss which critical success factors you need to consider before making the transition to platform engineering.



From DevOps to Platform Engineering: The Next Evolution

Discover how Cloudsmith's newly released support for Swift can revolutionize the way Swift developers manage dependencies.

Dave Verwer

Co-creator

Domagoj Katavic

Special guest Dave Verwer, co-creator of the Swift Package Index, will join us to discuss his role in developing the Swift Package Index for the community and the potential future of a Swift package registry. 

We will showcase Cloudsmith's newly released support for Swift, highlighting features like package hosting, vulnerability scanning, dependency management, and policy management. Discover how Cloudsmith's new capabilities can revolutionize the way Swift developers manage dependencies. Don't miss this opportunity to stay ahead in the ever-evolving world of Swift!




The Future of Managing Swift Dependencies | A New Era for Developers

Join Cloudsmith and Spacelift on June 5 at 12:00 pm EDT/5:00 pm GMT as we delve into the world of enforcing secure, automated deployment practices through Infrastructure as Code (IaC). 


Emin Alemdar

Solutions Architect

Ciara Carey

We are thrilled to welcome Emin Alemdar, Solutions Architect at Spacelift, CNCF Ambassador, AWS Container Hero, and holder of multiple certifications (CKA, CKS, and 6x AWS Certified), as our guest speaker.

Emin will share invaluable insights on streamlining infrastructure management with Spacelift's sophisticated CI/CD platform, which supports various IaC tools, including Terraform, Pulumi, and Kubernetes. 

Key topics include: 
- What is Infrastructure as Code (IaC)? 
- How tools like Terraform can help with automating IaC? 
- Best practices for ensuring secure and automated IaC deployments. 
- How Cloudsmith's seamless integration with Helm and Terraform simplifies artifact management, aligning with industry standards for security and automation.


Enforce Secure Automated Deployment Practices through IaC

Check out how to reduce the risk of data breaches by removing long-lived credentials from your CI/CD build pipelines using OpenID Connect (OIDC) authentication. 

We are back on May 22nd to see in action how OIDC tokens can provide enhanced security and convenience for your team, eliminating the need for long-lived credentials and reducing the risk of data breaches in your cloud environments. We'll demo how to connect to Cloudsmith to CI/CD pipelines using OpenID Connect (OIDC) authentication. 

Securely Connect Cloudsmith to Your CI/CD with OIDC Authentication

[00:00:00] **Ciara Carey:** Hey, so I'm Ciara Carey and welcome to Cloudsmith's webinar on all things package management and supply chain security. Cloudsmith is your cloud native universal artifact management platform. So let's get on to our topic. Oh, before I start, we're using a new webinar program. platform today. So excuse us if there's any hiccups streaming to any of the platforms.

[00:00:29] So let's get on. We know that managing authentication and authorization and a scalable, secure way is like a mega challenge for organizations. A lot of organizations want to move away from long live credentials, like your username or password, even your token, and especially in your CIS. CD tooling, where you're given like a extensive permissions.

[00:00:56] Well, you can do this with OIDC or OpenID 

[00:01:00] Connect. And today we're going to be talking about this, about configuring OID Connect with CloudSmith and GitHub Actions. So super practical, and this is sort of a continuation from our last webinar. In our last webinar, we talked to Rob Godfrey. He's a senior technical architect of the Financial Times, and he led a team that had to deal with an incident in early 2023 where they had to rotate and revoke all their long lived credentials in their, in their pipelines.

[00:01:29] After a breach, there was like thousands of, of long lived credentials they had to rotate and it was a huge task. Weeks of work from a team of engineers. And after that, they decided to move away from these long live credentials and use OIDC authentication wherever possible to make their pipelines more secure and more manageable.

[00:01:54] So what is it? These long live secrets in our CICD, well, we need 

[00:02:00] them because they facilitate access to all those cloud services for publishing artifacts for software deployment and cloud resource management. So like a classic. Use case for using long lived credentials in your CICD pipeline would be a user is created with the cloud service and this is we integrate this with our CICD, such as like AWS or, or CloudSmith, and we need permissions to perform actions like push a package or push something to an S3 bookish.

[00:02:34] So we, to do, to, to. Create these permissions, we, we create secret in our CICD, like our GitHub actions. And these credentials, these are saved and they're basically just long lived credentials then. And then we use them in as we're running our GitHub actions. And they have to have extensive permissions because they need to create stuff to delete stuff, to update stuff, you know, [00:03:00] they need to do stuff.

[00:03:00] So they need like a lot of permissions. And the problem with this is that like if they do leak. It, the blast radius is quite hard. So the main problem with long lived credentials are they can leak. Any credential can leak. They expire and then you have to you break your bill that way. So it's kind of hard to manage.

[00:03:21] And often these credentials, it's, it's, it's, It's common for them to be reused. So that increases the risk factor there. So what is OIDC? Well, OIDC stands for Open ID Connect. You don't have to completely understand it, I'm not for sure I fully understand it, but I do know how to use it. So but here's the two too long, didn't read the version of it.

[00:03:46] So we all know how to we've authenticated using OAuth into services using Google, Apple, and Facebook. We're kind of used to that. Well, similarly, similarly, OITC allows like a [00:04:00] trusted service, like OIDC identity providers, like GitHub actions. To authenticate into other systems like CloudSmith. And it's like a, in a non interactive way.

[00:04:12] And like by creating a short lived JWT token. So you, you can request these tokens on demand and they're good for like. 19 minutes or 15 minutes. I'm not really sure, but a short amount of time and then they expire and you don't need to worry about them leaking. So they keep you safe for production and you're able to do this, this process at scale.

[00:04:37] So now that I did a quick introduction, let's, let's show how you would configure this. using CloudSmith, configure CloudSmith to use GitHub actions so that GitHub actions is the OIDC identity provider. So our workflow would be like with our workflow would be in CloudSmith, we've 

[00:05:00] set up a service account and we'd give it the right permissions and also in CloudSmith, we set up our GitHub OIDC identity provider for the CloudSmith organization.

[00:05:12] And then in GitHub Actions, we update our GitHub Actions to use the OIDC. And then we trigger a build just like we would trigger something to happen. And it should pull down those creds to use with our CloudSmith Actions. So let's actually do a little demo. So I'm going to Share my screen. Forgive me, this is a new platform.

[00:05:39] Okay, I'm going to share my screen. It's happening. You

[00:05:43] can see, I've been studying this handshake thing with OIDC. Like I was saying before, we configure our cloud provider or our service like CloudSmith to trust GitHub Actions. There's some sort of handshaking going [00:06:00] on. And when we're running our job, it'll, it'll request a token and then it'll CloudSmith will verify that this is correct.

[00:06:08] Yeah. You can So let's see. So this is our Cloud Smith repository that we're going to use here. I'll just, there's a package in here. I'm going to just delete it.

[00:06:19] So first thing we need to do is to make sure that we have a service, service account. So here is our account. So I'm going to use this one, GitHub actions to To, uh, with the permissions in to run this in GitHub actions. Sorry to this. So the service service service account is called GH actions.

[00:06:41] Okay. This is my repository. I have my service service user, and now I'm going to make sure my my Service account has the right privileges. So in my, my repository, I'm going to go to access control

[00:06:58] and I've given the correct [00:07:00] privileges, right privileges to to this guy here,

[00:07:03] and now I'm going to set up OIDC, so I've so I'm calling it, so here I've already configured it, calling it gh2, and this is the URL you used to set up get up actions as the identity provider. It's the, it'll be the same for everybody. And then I'm going to set up my claims. Now the claims are actually really important because if you don't set up, set them up, you're giving like broad access to other runners on get up actions to possibly also have permission to, to do something to CloudSmith.

[00:07:40] So I have Restricted it to repository owner, which is me and that's my GitHub repository owner. And then I have selected my service account, my GitHub Actions service account as as the user. Okay, great. So I have set up GitHub Actions to have [00:08:00] permission. to authenticate into CloudSmith. And now I am going to go to my GitHub my GitHub project.

[00:08:10] So I have robbed this from Dan McKinney. Thank you very much. And it's just a little project to build a Debian package. I'm only interested in the workflow. So there's a few things that you, that are important. Okay. So. We're going to be using the CloudSmith action and we're going to trigger it on a push.

[00:08:35] We could have just triggered it on anything, but we'll trigger it on a push. And this part is really important for, this is actually necessary for the OIDC thing to work. You, you gotta, you gotta, and give the GitHub identity provider permission to write the, JWC token, which CloudSense will need later on.

[00:09:00] And so we have a job here to build this is just to build that package. And then we have a job to publish. And so, so this is the OIDC stuff here. So I, you need to have these lines, these two lines here to request the token. Yeah. And then post the token and then it's available for anyone below that can use that token and we need to set the environmental variable to be CloudSmith API key so that our CloudSmith action will will read that later on.

[00:09:37] Okay, and then we have we're going to push our package to CloudSmith and that's what this bit does here. So, okay, let's see. Let's get it going.

[00:09:53] I'm just going to force it. We run all jobs and you can see here, what I expect 

[00:10:00] in my repository

[00:10:03] is that push a Debian package to this repository using my

[00:10:09] Using the GitHub actions here, and it's going to use OIDC to authenticate. And I've set that up earlier. Okay. Yep. Yep. Yep. Yep. Yep. I'm going to run it now. If I had, obviously, if I've made a change if I push to change, it would automatically run.

[00:10:36] It's pretty quick.

[00:10:38] And to go back to the claims bit, I think it's really important to emphasize that you really should have a claim in your in your, in your OpenID token, you should really have set a claim. Otherwise, you're going to set too broad provisions. Okay,

[00:11:00] so now it's built that it's going to publish it.

[00:11:05] Okay, so you can see here it's published it and you can see the person that's published it is our service account gh actions. So it all looks good. I'm going to run this again and just show you when I that it will fail if I don't have, just, I always like to see things fail just so that you see what is working and what isn't working.

[00:11:30] So I'm going to disable. This GitHub action now. And when I run it again, this will fail. Okay.

[00:11:40] Now, we run all jobs.I probably should have just run the publish bit,
[00:11:47] like a good fail. Oh, okay. Come on. I'm rooting on you to fail now.

[00:11:57] Oh, yay. Oh, boo boo. But we knew this was going to 

[00:12:00] fail because we we updated what GitHub actions was permitted to do. Okay, great. Yeah. So I hope you've gotten something out of this. We've showed you a workflow. Oh let me on share back. Hey, so oh, I, so on this, so I've showed you a workflow how to use GitHub actions with Cloud Smith to, in a, using OIDC.

[00:12:31] It's like a more secure way so you don't have to store your cosmic credentials in your in your GitHub actions. In a, in a secret. And this is a manageable, secure, scalable way of managing your authentication and authorization for your organization. Yeah. I'm going to see if there's been any questions.

[00:12:56] Okay. I do have a poll, but it might be a bit late in 

[00:13:00] the day to do it. Okay. I'm going to try I'm going to publish this. Oh, there's two votes in. Okay. Okay. So I have a poll. There's two of them in do you use OIDC in your pipeline? So it's like. Most people don't and I think it's, it's sort of new, you know, and actually it's, it's, there's a lot of work in updating all those all those long live credentials.

[00:13:21] Totally understand that. So, and not all services provided. And let's see the Oh yeah. Have you ever had to, my other question is, have you ever had to revoke? Or rotate keys after an incident and it looks like everybody has. There are so many people voting, but I, I think it's, it's a thing you have to do.

[00:13:43] You know, things happen. People publish things by mistake. The services you're using might have a breach. These things happen and we need a, a better way. We need a better way. So thanks for coming today. I hope you've gotten something out of this.

[00:14:00] And are, we're actually going to have a webinar and only a few weeks time with Spacelift on how to securely deploy things using infrastructure as code.

[00:14:12] So thanks for joining today. And I will, and that is on the 5th of June and the, it's called enforce secure automated deployment practices using infrastructure as code. Okay. Thanks again. Bye!


Join Cloudsmith & guest Rob Godfrey, Senior Technical Architect at Financial Times, for DevOps Debriefs: discussing authentication's role in pipeline security. Find out how FT reacted to the CircleCI breach & how Cloudsmith's support of OIDC improved supply chain visibility

In our first episode of DevOps Debriefs, join Cloudsmith and special guest Rob Godfrey, Senior Technical Architect at the Financial Times (FT) for a discussion on the crucial role of authentication and credential management in ensuring software pipeline security.

We’ll discuss:
Innovative strategies that empowered the Financial Times team to overcome software supply chain risks in their pipelines.
How the team responded to the fallout of the CircleCI breach.
Insights into the challenges and triumphs as the Financial Times fortified its pipelines against potential risks.
The pivotal role of Cloudsmith in supporting FT's adoption of OIDC and providing comprehensive visibility into their entire software supply chain.

DevOps Debriefs: How The Financial Times Beat Leaks with OIDC

Join Cloudsmith and Chainguard as we talk about the easy way to securely consume Open Source Software (OSS) for your organization using Artifact Management and images with zero vulnerabilities.

Adrian Mouat 

Developer Relations

Join Cloudsmith and Chainguard as we talk about the easy way to securely consume Open Source Software (OSS) for your organization. Discover S2C2F best practices for securely consuming OSS and understand how Cloudsmith’s Cloud Native Artifact Management aligns with these standards. Learn about Chainguard zero CVE images drastically reduce vulnerabilities and image attack surface.

Do You Know How to Securely Consume Open Source?

Explore actionable vulnerability management workflows for your organization with Cloudsmith. Optimize software integrity and prevent risks. Join our webinar now!

Join us for a webinar on actionable vulnerability management workflows for your software pipelines using Cloudsmith. Understand the critical need to protect your organization’s software integrity from supply chain attacks and hidden vulnerabilities. Learn how Cloudsmith serves as your organization’s central source of truth for builds, mitigating risks, optimizing workflows, and ensuring global distribution. Explore Cloudsmith Navigator to safeguard your IP and prevent security breaches. Don’t risk the consequences of insecure software. Register now!

Practical Workflows for Managing Vulnerabilities Using Cloudsmith

Join us for a demo and Q&A on Cloudsmith's cloud-native, global, universal artifact management platform! Learn how Cloudsmith can help you secure your software supply chain, optimize your workflow, distribute software globally, and reduce infrastructure costs!

Paul McKeever

VP Growth

Join Dan and Paul for a demo and Q&amp;A on Cloudsmith’s Cloud Native Software Supply Chain Management Platform! Learn how Cloudsmith can help you secure your software supply chain, optimize your workflow, distribute software globally, and reduce infrastructure costs!

Intro to Cloudsmith 

Listen to Rust expert Carol Nichols discuss how adopting a memory-safe language like Rust can significantly reduce vulnerabilities.

Carol Nichols

Founder, CEO and author

Listen to Rust expert Carol Nichols discuss how adopting a memory-safe language like Rust can significantly reduce vulnerabilities.

Eliminating Vulnerabilities with Memory Safe Languages

Tune in to hear experts in leadership, DevOps and security look back on 2023

Josh Bressers

Luca Lanziani

Head of DevOps and Platform Engineering

Join our 2023 lookback at DevOps and supply chain security. How was DevOp investment in 2023? Are people generating SBOMs? Were there any major vulnerabilities like Log4Shell? Has there been a clampdown on cloud costs? And are we all using AI in our workflows? We have three wonderful panellists - Glenn Weinstein, CEO of Cloudsmith; Josh Bressers, VP of Security at Anchore; and Luca Lanziani, Head of DevOps and Platform Engineering at NearForm. Secure your spot for this tech-packed session!

Looking back at 2023: The State of DevOps

Tune in to learn how to securely use open source software using OpenSSF's S2C2F Framework

Adrian Diglio

Principal PM Manager

Tune in to learn about how to consume open source securely using S2C2F, an OpenSSF framework donated by Microsoft. Our guest is Adrian Diglio who leads the Secure Software Supply Chain team at Microsoft. Gain insights into leveraging the OpenSSF framework, and learn best practices for secure and efficient open source consumption. This webinar is essential for anybody navigating the landscape of open source security.

Consuming Open Source Securely Using S2C2F

Join us as we delve into a real-world zero-day supply chain attack and unpack its implications for any org making software

David Gonzalez

A Node.js module with nearly two million downloads a week was compromised after the library was injected with malicious code programmed to steal bitcoins in wallet apps. 
Join us as we delve into a real-world zero-day supply chain attack. Understand the response that followed, and how attacks like this can be mitigated. Learn from David Gonzalez, Principal Engineer at Cloudsmith and Member of the Node.js security working group, as he walks us through the incident.

Understanding Zero-Day Vulnerabilities in Software Supply Chain

Understand SLSA 1.0 and adopt a comprehensive checklist of software supply chain security measures

David Wheeler

Isaac Hepworth

Any organization that has taken on the daunting task of securing their software supply chain knows the challenges, pitfalls and caveats that come with implementing security best practices. SLSA 1.0, a community-backed framework that provides a comprehensive checklist of security controls and standards, is here! So what does it mean for you and your organization?

SLSA 1.0 is Here - What Does it Mean for Your Organization?

Join community leaders to discuss DevOps and Software Supply Chain Security trends for the upcoming year, exploring common and unique insights

Chris Hughes

Sam Cochran

Join us as we continue our December conversation and discuss our predictions for DevOps and Software Supply Chain Security for the year ahead with community leaders. We will delve into some common and not-so-common opinions and topics you are likely to hear more and more about as the year progresses.

The State of DevOps - A Look Ahead to 2023

Stay updated with software security insights from industry leaders. Join our panel featuring experts from Puppet and Shopify's advanced DevOps teams, addressing your major queries in an evolving landscape of news, regulations, and tools.

Nigel Kersten

There is so much information out there about software security. Every day, there seems to be a new news headline, government regulation, or tool promising to “fix it all”. Do you ever wish you could just peek into how some of the industry’s best dev teams are managing this?
We’ve assembled a panel of experts from the mature DevOps teams of Puppet and Shopify to answer some of your biggest questions

Cloudsmith Events

How platform engineering unlocks CRA readiness

AI acceleration and supply chain security: 2026 artifact management trends

Live Briefing: Lessons from the axios npm attack