Artifact Management
With Cloudsmith for Artifact Management, you control how software components move through your SDLC, both what you build and what you consume. Artifact Management includes both:
- the artifacts your teams generate (like binaries and container images)
- and the dependencies they consume from internal and third-party sources
These software components and their corresponding metadata are collectively known as artifacts. Effective artifact management ensures these critical assets are versioned, secured, and reliably accessible, forming the backbone of a modern software supply chain.
As complexity grows, particularly with popular formats such as Maven and npm, it becomes important to manage packages through a package management system such as Cloudsmith.
What's a package?
A package bundles software files with metadata (name, version, dependencies). Packages are versioned so that you can state precisely which software is being deployed and manage it accordingly.
Note
While related, there's a key difference between artifacts and packages.
An artifact is a raw output, like a .jar file or a Docker image. A package is an artifact bundled with metadata (name, version, dependencies) that tools can understand. All packages are artifacts, but not all artifacts are packages. For a more detailed comparison, please see Artifacts vs. Packages: What Is the Difference?
Cloudsmith is a universal artifact management platform supporting 28+ formats, with native tooling integrations and registry upstreams to proxy and cache popular sources. Publish and deliver via native interfaces (e.g., Maven Publish) or the Cloudsmith CLI, API, or UI.
What package types are supported?
See the full list in Supported Formats. Each format gets first-class support with consistent controls for access, policy and visibility.
Package Search Syntax
Quickly find packages with Package Search Syntax, combining fields like name, version or dependency to narrow results.
Package Actions
You can manage your packages using different tools:
- Cloudsmith CLI
- Cloudsmith web app
- Native tooling (docker, pip, npm, etc.)
- Cloudsmith API
Here's a list of supported actions with references to learn more about each of them.
| Action | Description |
|---|---|
| Identification | Get a package's identifier |
| Upload | Publish from your development environment or CI pipeline |
| Download | Download packages and dependencies to any environment |
| Tag | Tag a package |
| Copy | Copy a package from one repository to another |
| Move | Move a package from one repository to another |
| Delete | Delete a package from a repository |
| Quarantine | Place a package in quarantine |
| Resynchronize | Republish (delete and re-add) a package, usually to retry a failed package sync |
| Share Private | Share a private package |
| About Package SBOMs | Get a package's SBOM and sign it with cosign |
Note
Promote Packages: Cloudsmith lets you "promote" packages between repositories with the move or copy action, which avoids re-uploading and re-downloading the artifact and speeds up the pipeline.
Package groups
Package Groups provide a streamlined, high-level overview of your repository by consolidating all component versions into a single entry for each package.
Retention rules
Retention rules automate repository storage management by systematically deleting packages based on configurable criteria for count, size, age, or a filtered search query.
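To make the count, age, size and filter criteria concrete, here is an added model of how a retention rule selects versions for deletion. It is an illustration written for this page, not Cloudsmith's implementation: the rule fields, the regex name filter and the "never delete the newest version of a name" guard are assumptions of the model, and the package list is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional
import re


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    size_bytes: int
    uploaded_at: datetime


@dataclass(frozen=True)
class RetentionRule:
    keep_count: Optional[int] = None       # keep at most N newest versions per name
    max_age_days: Optional[int] = None     # delete versions uploaded more than N days ago
    max_total_bytes: Optional[int] = None  # delete oldest versions until the matched set fits
    name_filter: Optional[str] = None      # regex on package name; None matches every package


def select_for_deletion(packages: Iterable[Package], rule: RetentionRule,
                        now: datetime) -> list[Package]:
    """Return the packages the rule would delete, sorted by name then upload time."""
    by_name: dict[str, list[Package]] = {}
    for p in packages:
        if rule.name_filter is None or re.search(rule.name_filter, p.name):
            by_name.setdefault(p.name, []).append(p)
    for versions in by_name.values():
        versions.sort(key=lambda p: p.uploaded_at, reverse=True)  # newest first
    # Guard (an assumption of this model, not a documented Cloudsmith rule):
    # the newest version of each name is never deleted, so an age or size rule
    # cannot silently remove the only release consumers can still resolve.
    protected = {versions[0] for versions in by_name.values()}

    doomed: set[Package] = set()
    for versions in by_name.values():
        if rule.keep_count is not None:
            doomed.update(versions[rule.keep_count:])
        if rule.max_age_days is not None:
            cutoff = now - timedelta(days=rule.max_age_days)
            doomed.update(p for p in versions if p.uploaded_at < cutoff)
    doomed -= protected

    if rule.max_total_bytes is not None:
        survivors = sorted((p for vs in by_name.values() for p in vs if p not in doomed),
                           key=lambda p: p.uploaded_at)  # oldest first
        total = sum(p.size_bytes for p in survivors)
        for p in survivors:
            if total <= rule.max_total_bytes:
                break
            if p in protected:
                continue
            doomed.add(p)
            total -= p.size_bytes
    return sorted(doomed, key=lambda p: (p.name, p.uploaded_at))


# Constructed sample repository contents (not real packages).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MB = 1_000_000
SAMPLE = [
    Package("app", "1.0.0", 50 * MB, NOW - timedelta(days=400)),
    Package("app", "1.1.0", 50 * MB, NOW - timedelta(days=200)),
    Package("app", "1.2.0", 50 * MB, NOW - timedelta(days=30)),
    Package("app", "1.3.0", 50 * MB, NOW - timedelta(days=1)),
    Package("lib", "0.9.0", 10 * MB, NOW - timedelta(days=500)),
    Package("lib-snapshot", "0.9.1", 10 * MB, NOW - timedelta(days=10)),
]


def versions_to_delete(rule: RetentionRule) -> list[tuple[str, str]]:
    """Apply a rule to SAMPLE and return the (name, version) pairs it would delete."""
    return [(p.name, p.version) for p in select_for_deletion(SAMPLE, rule, NOW)]


if __name__ == "__main__":
    print(versions_to_delete(RetentionRule(keep_count=2, name_filter=r"^app$")))
    print(versions_to_delete(RetentionRule(max_age_days=365)))
    print(versions_to_delete(RetentionRule(max_total_bytes=120 * MB)))
```

The age rule alone would delete lib 0.9.0 (500 days old), which is the only version of lib; the guard keeps it. Before enabling a real retention rule, run it against an export of the repository and review the deletion list the same way, because a retention rule that matches a release you still deploy from is a self-inflicted outage.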
Artifact Management Policies
Package Deny policies
Package deny policy rules let you control which packages can be downloaded from your workspace's repositories. By defining these rules, organizations can enforce stricter security measures and maintain tighter control over their software artifacts.
Block Until Scan
Block Until Scan is a security feature designed to enhance the integrity and security of software packages served by Cloudsmith, guaranteeing that all relevant security and compliance policy checks (licenses, vulnerabilities, package deny policies) are fully completed before a package is made available for download.
To learn more about it, browse to Supply Chain Security > Policies > Block Until Scan.
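The following added example models how the two policies above combine at download time: a package deny rule rejects a package regardless of scan state, and Block Until Scan refuses to serve a package whose checks have not finished, closing the window in which a freshly uploaded package could be pulled before its vulnerability or license scan completes. This is illustration code written for this page, not Cloudsmith's gating logic: the glob-based rule syntax, the scan names and the package data are all constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from fnmatch import fnmatchcase


class ScanState(Enum):
    PENDING = "pending"   # scan requested but not finished
    PASSED = "passed"
    FAILED = "failed"     # scan finished and the policy it feeds rejected the package


# Checks that must finish before a download is allowed (assumed set for this model).
REQUIRED_SCANS = ("vulnerability", "license")


@dataclass
class Package:
    name: str
    version: str
    format: str
    scans: dict[str, ScanState] = field(default_factory=dict)


@dataclass(frozen=True)
class DenyRule:
    """Glob-based deny rule (the rule syntax is an assumption of this example)."""
    name_glob: str
    version_glob: str = "*"
    format_glob: str = "*"

    def matches(self, pkg: Package) -> bool:
        return (fnmatchcase(pkg.name, self.name_glob)
                and fnmatchcase(pkg.version, self.version_glob)
                and fnmatchcase(pkg.format, self.format_glob))


def download_decision(pkg: Package, deny_rules: list[DenyRule],
                      block_until_scan: bool = True) -> tuple[bool, str]:
    """Decide whether a package may be served and say why when it may not."""
    for rule in deny_rules:  # deny rules win regardless of scan results
        if rule.matches(pkg):
            return False, f"denied: matches deny rule {rule.name_glob}@{rule.version_glob}"
    pending = [s for s in REQUIRED_SCANS
               if pkg.scans.get(s, ScanState.PENDING) is ScanState.PENDING]
    if pending and block_until_scan:
        return False, "blocked: scans pending (" + ", ".join(pending) + ")"
    failed = [s for s, st in pkg.scans.items() if st is ScanState.FAILED]
    if failed:
        return False, "rejected: policy failed (" + ", ".join(failed) + ")"
    return True, "allowed"


# Constructed inputs for illustration (not real packages or a real policy).
DENY_RULES = [
    DenyRule("example-bad-lib", "*", "npm"),   # ban a package outright
    DenyRule("example-tool", "1.2.*", "*"),    # ban one version line in every format
]

CLEAN = Package("example-ok", "2.0.0", "npm",
                {"vulnerability": ScanState.PASSED, "license": ScanState.PASSED})
JUST_UPLOADED = Package("example-ok", "2.1.0", "npm")  # no scan results yet
VULNERABLE = Package("example-ok", "1.0.0", "npm",
                     {"vulnerability": ScanState.FAILED, "license": ScanState.PASSED})
BANNED = Package("example-tool", "1.2.7", "pypi",
                 {"vulnerability": ScanState.PASSED, "license": ScanState.PASSED})


def demo() -> dict[str, tuple[bool, str]]:
    """Run the gate over the constructed inputs, with and without Block Until Scan."""
    return {
        "clean": download_decision(CLEAN, DENY_RULES),
        "just_uploaded_gated": download_decision(JUST_UPLOADED, DENY_RULES),
        "just_uploaded_ungated": download_decision(JUST_UPLOADED, DENY_RULES,
                                                   block_until_scan=False),
        "vulnerable": download_decision(VULNERABLE, DENY_RULES),
        "banned": download_decision(BANNED, DENY_RULES),
    }


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{label:22s} {'ALLOW' if ok else 'BLOCK':5s} {why}")
```

The "just_uploaded" pair is the point of Block Until Scan: with the gate off, a package that has not been scanned yet is served as if it were clean, so a consumer can pull a vulnerable version in the interval between upload and scan completion; with the gate on, it is held until every required check has a result.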