Documentation
Open Cloudsmith

Documentation

Supply Chain Security

Modern software delivery pipelines face growing complexities and a rising wave of sophisticated supply chain attacks, requiring artifact management to go beyond traditional storage. According to the Cloudsmith 2025 Artifact Management Report, this is top of mind for engineering teams, with 56% of respondents citing improved security as the leading benefit of their artifact management tools.

Our platform is designed to meet this challenge head-on. We provide a comprehensive suite of features to help you secure your software supply chain by enabling you to define your policies and responses to policy violations as code; identifying, mitigating, and blocking risks from vulnerabilities and non-compliant licenses in your dependencies.

In this section you can learn how to:

  • Ensure with Block Until Scan that no package can be downloaded until a security scan is successfully completed, helping you enforce security mandates across the whole organization.
  • Reduce risk associated with Software Vulnerabilities, Malware, and Malicious Packages, by proactively quarantining packages and preventing them from entering your software supply chain.
  • License Compliance: Automatically scan for and identify the licenses of your dependencies, ensuring compliance with your organization's policies.
  • Digital Signatures: Verify the integrity and authenticity of your software artifacts using GPG, PGP, and other signing standards.

Adding to this, Enterprise Policy Manager (EPM) and Continuous Security:

  • Policy-as-Code (Early Access): The next evolution in policy management, using Open Policy Agent (OPA). This new feature allows you to define all your security and license compliance rules in rego. While our existing policy features remain fully supported, Policy-as-Code is intended to become the primary method for managing supply chain security rules at scale.
  • Continuous Security (Early Access): Continuously monitor your dependencies to detect in real time and automatically act upon vulnerable and malicious packages.