Cloudsmith

Cloudsmith is a cloud-native, universal package management platform designed to provide organizations with a secure, reliable, and scalable solution for hosting, distributing, and managing software packages and container images. As a fully managed service, Cloudsmith eliminates the operational overhead of running private package registries while providing enterprise-grade features for software distribution and supply chain security.

The defining characteristic of Cloudsmith is its universal format support. A single Cloudsmith repository can host packages in any combination of supported formats, which include Docker, Helm, npm, PyPI, Maven, Gradle, NuGet, Go, Ruby Gems, PHP Composer, Conan, Alpine APK, Debian, RPM, Raw file, and many others. This format universality eliminates the need to maintain separate registry services for different package types, simplifying infrastructure and providing a single pane of glass for all artifact management.

Package synchronization and upstream proxying are powerful features that make Cloudsmith valuable as a caching proxy for public registries. When a developer requests a package that is not yet in Cloudsmith, the platform can fetch it from the upstream registry (Docker Hub, PyPI, npm, Maven Central, etc.), cache it locally, and serve future requests from the cache. This proxy capability eliminates direct dependencies on public registries, improving build reliability, speed, and security.

Security scanning in Cloudsmith checks all stored packages for known vulnerabilities in their dependencies and components using multiple vulnerability databases. The scanning results are integrated into the package listing interface, and policies can be configured to block the promotion or download of packages that contain critical vulnerabilities, implementing security gates in the software supply chain.

License compliance management allows organizations to define acceptable and unacceptable software licenses and automatically flag or block packages that violate the policy. This is essential for organizations with open source licensing obligations or restrictions on GPL-licensed software in commercial products.

Entitlement tokens provide fine-grained access control for distributing packages to customers and partners. Organizations can create unique tokens for each customer or distribution channel, revoke access without affecting other customers, track download activity per token, and set expiration dates and download limits. This capability is particularly valuable for software vendors distributing commercial software to customers.

Geo-replication allows package repositories to be replicated to multiple geographic regions, ensuring low-latency downloads for users worldwide and providing redundancy against regional outages. The replication is active-active, meaning that packages uploaded in any region are available in all regions immediately.

Cloudsmith integrates with all major CI/CD platforms and provides a comprehensive REST API and CLI for automation. The platform's high-availability SLA, uptime guarantees, and dedicated support make it suitable for production-critical software distribution workflows.