Cloudsmith

Are you at PlatformCon London? Join Spacelift and Cloudsmith TONIGHT at F1 Arcade London for an evening where competitive racing meets DevOps and platform engineering. Connect with peers, test your skills on full-spec racing simulators, and explore how to optimize your DevOps for both speed and control. 📅 Date: Wednesday, 25 June ⏰ Time: 7:00 PM - 10:00 PM BST 📍 Location: F1 Arcade London - 1 New Change, London EC4M 9AF, United Kingdom 🔥 Space is limited—reserve your spot now! 🔥 👉 events.spacelift.io/iac-grand-prix… See you there!

Is your Helm a risk? 🔍 If your business or open-source project relies on Helm charts, join Nigel Douglas, Head of Developer Relations at Cloudsmith, in a hands-on, virtual workshop during PlatformCon 2025: "What Supply Chain Risks Are Hidden in Your Helm Charts?" Join this hands-on workshop to explore real-world Helm vulnerabilities and learn practical strategies to automate and strengthen your Kubernetes security posture. Reserve your spot 👉 platformcon.com/sessions/what-… 🗓️ Friday, 27 June at 4:00 PM BST / 11:00 AM EST 📍 Virtual #PlatformEngineering #PlatformCon2025 #KubernetesSecurity #Helm

We're thrilled to be part of PlatformCon 2025, the world’s largest platform engineering conference! This year, we're bringing two high-impact virtual talks to the stage 💥 More Than Code: How Culture Defines Platform Success Explore how team culture, not just tooling, shapes the true success of platform engineering 🌟 Artifact Management Unleashed: Powering Your Packages at Lightning Speed Discover how to optimize package delivery and streamline your artifact workflows for peak performance 🚀 This week only, PlatformCon attendees can enter to win a $250 gift card at the end of each talk! Watch now: cloudsmith.com/events/confere… #PlatformEngineering #PlatformCon25

In April, Scattered Spider cracked M&S’s systems in a massive ransomware attack. It all started with the theft of an NTDS.dit file. See Nigel Douglas’s advice for practitioners securing their CI/CD pipelines against lateral movement: cloudsmith.com/blog/owasp-ci-… Full guide: cloudsmith.com/campaigns/guid… #DevSecOps #OWASP #CI/CD

🌍 Cloudsmith is proud to sponsor PlatformCon 2025 - the worlds biggest platform engineering event! Join us for a full week of all things platform engineering—including free virtual sessions packed with insights into cloud-native artifact management at scale 🚀 Here’s what we’re bringing to the table: 💡 23-27 June | 2 Virtual Talks • More Than Code: How Culture Defines Platform Success — Explore how platform strategy aligned with company goals enables empowered engineering teams. • Artifact Management Unleashed: Powering Your Packages at Lightning Speed — Discover how smart caching and optimized registry access can supercharge your package delivery. 🇬🇧 25 June | London Live Day - Booth 8 • Stop by Booth 8 to see why Cloudsmith is the world’s best cloud-native artifact management platform—fully managed, built for scale, and designed to secure and streamline everything in your software supply chain. • Get hands-on with the Cloudsmith platform, enter to win great prizes, and take home great swag! 🗓️ When: Wednesday, 25 June 📍 Where: Convene Sancroft, St. Paul's - London 🛠️ 27 June | Virtual Workshop • What Supply Chain Risks Are Hidden in Your Helm Charts? — A hands-on deep dive into vulnerabilities, attack scenarios, and best practices for securing Helm charts, ensuring supply chain security and compliance. 👉 Learn more & explore our sessions: cloudsmith.com/events/confere… #PlatformEngineering #PlatformCon25 #ArtifactManagement

QA ≠ Admin Developer ≠ Release Manager Strong Pipeline-Based Access Controls (PBAC) rely on separating duties across the pipeline: cloudsmith.com/blog/owasp-ci-… Download a full guide on OWASP’s CI/CD Top 10 risks: cloudsmith.com/campaigns/guid… #PBAC #OWASP #CI/CD

Happy to announce grlx is now being built and distributed with @GoReleaser ! In addition to our official alpine packages, we are now offering aur packages for archlinux as an official distribution channel. .deb and .rpm packages are coming soon on @cloudsmith

Look familiar? If you’d like a refresher on best practices for tackling Poisoned Pipeline Execution, we’re running through OWASP’s CI/CD Top 10 risks with advice on how to deal with these types of unauthorised executions. Check out Part 4: cloudsmith.com/blog/owasp-ci-… Download the free guide: cloudsmith.com/campaigns/guid…

Is vibe coding more of a risk than a vibe? “Without security-aware tooling or policy enforcement, enterprises could end up unknowingly introducing vulnerabilities.” — said Nigel Douglas to The New Stack. Read more: thenewstack.io/vibing-dangero…

“We wanted a product that was easy to use and hard to misuse.” 🎥 Listen to our CTO Lee Skillen discuss the mindset behind building for critical use: simple, secure, and cloud-native from day zero.

To help you combat the rise in seemingly harmless malicious packages, we’ve broken down some best practices in Part 3 of the Cloudsmith and OWASP CI/CD Top 10 series on Dependency Chain Abuse. Read the blog: cloudsmith.com/blog/owasp-ci-… Download the free guide: cloudsmith.com/campaigns/guid…

If you’re looking to reduce exposure from over-permissive roles, stale access, or shared credentials, reviewing identity and access management best practice could make all the difference. In Part 2 of our OWASP CI/CD Top 10 series, we’re looking at CICD-SEC-2: Inadequate Identity and Access Controls. Read the blog: cloudsmith.com/blog/owasp-ci-… Download the free guide: cloudsmith.com/campaigns/guid…

As software supply chain threats grow, securing your CI/CD pipeline is critical. Join Esteban Garcia (Principal Engineer, Cloudsmith), Liana Ertz (Product Manager, Cloudsmith), and Jason van Zyl (Senior Engineering Manager, Chainguard) for a 30-minute session covering: ➡️ Techniques for signing and verifying artifacts with open-source tools (SBOMs, provenance data) ➡️ Enforcing security policies to block unverified software from production ➡️ Managing and storing signed artifacts in CI/CD pipelines using Cloudsmith & Chainguard ➡️ Ensuring compliance with audit logs, tamper-proof metadata, and secure artifact lifecycle management 📅 June 3, 2PM EST — 30 minutes Live Q&A included | Recording sent to all registrants Register here ➡️   cloudsmith.com/webinars/unloc… #CICDSecurity #DevSecOps #Chainguard #Cloudsmith #OpenSourceSecurity #SoftwareDelivery #DevTools #Webinar #ArtifactSigning

Use CodeQL to detect vulnerabilities? Until recently, there was a big one hiding in plain sight. Researcher John Stawinski discovered a vulnerability (now patched) in the GitHub Action used by CodeQL. Check out the full article from DevClass here: devclass.com/2025/04/02/the… #SoftwareSupplyChain #DevSecOps #ArtifactManagement #GitHubActions

Scrambling to pull together chain of custody for security audits? See how Diligent transformed its secure software delivery with Cloudsmith: cloudsmith.com/customers/clou… #SoftwareSupplyChain #DevSecOps #ArtifactManagement #SBOM

Attackers are increasingly targeting containers, artifact registries, and CI/CD pipelines, burdening DevOps orgs with more responsibility to secure build processes. In our 30-minute live webinar - State of the Union: Modern Security Approaches for the Software Supply Chain - Michael Donovan (VP of Product, Docker, Inc), Ralph McTeggart (Principal Engineer, Cloudsmith), and Jack Gibson (Senior Software Engineer, Cloudsmith) will discuss: 🔹 Real-world examples of attacks on containers and CI/CD workflows 🔹 How to secure your artifact lifecycle from build to deploy 🔹 Why SBOMs, signing, and provenance matter more than ever Save your seat for May 27 👉 cloudsmith.com/webinars/state… #Docker #Cloudsmith #CyberSecurity #DevSecOps #Containers #CI/CD #SBOM

Aiming to achieve SLSA Level 2? A cloud-native artifact management platform lets you enforce immutability, track artifact provenance, and control who can publish what. Read more: cloudsmith.com/blog/slsa-a-ro… #SLSA #SoftwareSupplyChain #DevSecOps

Most enterprises have dozens of software development teams Best practice is to build policy checks directly into artifact management, so every package that enters your pipeline is secure, compliant, and production-ready by default. See how it works: cloudsmith.com/blog/streamlin… #SoftwareSupplyChain #DevOps #ArtifactManagement #CICD