
Enterprise Policy Management with Cloudsmith

Enterprise Policy Management (EPM) is a programmable policy-as-code layer that controls the security, compliance, and flow of artifacts across the software supply chain. Teams can codify rules once and apply them continuously across repositories. With Cloudsmith’s platform, organizations extend policy enforcement across teams, environments, and geographies, including the open source packages that the chain depends on, without introducing friction.

Enterprise Policy Management Example: Quarantine Packages Using Policy as Code

Cloudsmith built Enterprise Policy Management (EPM) on Open Policy Agent (OPA) and uses Rego to define policies as code. These policies control how packages move through your systems. They're versioned, reviewable, and enforceable. EPM is in early release, but it already draws on extensive metadata Cloudsmith collects from your artifacts: format, version, tags, license, vulnerability, malware scan results, and digital signatures.

Data governance frameworks for distributed microservices applications

Implementing robust data governance in microservices architectures presents unique challenges and opportunities. As organizations decompose monolithic applications into distributed services, traditional centralized data management approaches no longer suffice. Each microservice may manage its own data store, creating potential inconsistencies, compliance risks, and security challenges.

Microservices versus monoliths

Monolithic and microservices architectures represent two fundamentally different approaches to software design. By understanding the benefits and drawbacks of each architectural style, developers can make informed decisions about which approach best fits their application needs. While monolithic architecture bundles all application functionality into a single deployable unit, microservices architecture breaks the application into smaller, independently deployable services.

Strangler pattern implementation for safe microservices transition

Moving from monolithic applications to microservices represents a significant architectural transformation. The Strangler Pattern offers a controlled, incremental approach to this migration, enabling organizations to gradually replace functionality while keeping systems operational throughout the transition. This methodology substantially reduces risk compared to complete rewrites, making it an invaluable strategy for organizations with business-critical applications.

Measuring success in microservices migration projects

Microservices migrations represent significant investments for organizations seeking greater agility, scalability, and development velocity. Yet without clear metrics to guide the journey and measure outcomes, these initiatives risk delivering technical change without meaningful business impact. Establishing appropriate success measures ensures that migration efforts stay aligned with organizational goals while providing visibility into progress and value delivery.

Find and fix CI build errors with AI

Software teams rely on CI/CD pipelines to build, test, and deploy code quickly. But when a build fails, it can disrupt the entire workflow. Digging through logs, chasing down errors, and switching between dashboards takes time you don’t want to waste. In this tutorial, you’ll learn how to use your AI coding assistant — powered by structured data from your CI system — to diagnose and fix build failures faster.

The value of product thinking for platform teams | webinar

Platform engineering can drive velocity, reduce risk, and increase value — but only if it's built with a product mindset. In this live event, Rob Zuber, CTO of CircleCI, hosts a panel of experts to explore how treating developers as customers helps platform teams deliver greater outcomes. Featuring Camille Fournier, Randy Shoup, Raju Gandhi, and Teresa Torres, this webinar covers practical strategies for building internal platforms that earn trust, abstract complexity, and fuel developer productivity.

JFrog's Journey with AWS Graviton

Every business strives to optimize operational costs and efficiency. In the DevOps world, where cloud-scale operations are the norm, this becomes even more critical. At JFrog, while delivering a robust and highly scalable SaaS solution to our customers, we are equally focused on optimizing operational costs and maximizing infrastructure efficiency.

OWASP CI/CD Top 10: Inadequate IAM

In the race to ship software faster, many teams have turned to automation, decentralised tools, and powerful pipelines. But lurking under the surface of these streamlined processes is a growing and often invisible Identity and Access Management (IAM) threat vector, a core vulnerability in modern CI/CD security.

Build a scalable internal developer portal with Backstage and CircleCI

Internal developer portals (IDPs) have become essential tools in platform engineering, helping standardize developer workflows and reduce friction by providing self-service access to tools, APIs, and infrastructure. During my time on a platform team, I experienced firsthand the transformative power of IDPs. Our team implemented custom solutions that significantly reduced load on developers, allowing them to focus on writing code rather than navigating complex infrastructure.

Now Available: Smart Archiving with the JFrog Platform

Every day development teams around the world release new software. But what happens to prior releases that are no longer in production? Most organizations save them, typically due to internal policies, external regulations, or simply the fear of losing data. Organizations typically take varied approaches to retaining their prior releases.

Preventing harmful LLM output with automated moderation

Large Language Models (LLMs) can produce impressive text responses, but they’re not immune to generating harmful or disallowed content. If you’re developing an LLM-powered application, you need a reliable way to detect and block risky outputs. Disallowed content – hate speech, explicit descriptions, harmful instructions – can damage your product’s reputation, endanger user safety, and potentially violate legal or platform guidelines.

Introducing Support for Chocolatey and PowerShell Packages

In February, we announced our support for Hex packages, which further solidified the JFrog Platform as the most universal package management solution. We’re excited to announce we’re continuing to build on our universality with our new official support of Chocolatey and PowerShell, which allows both technologies to be used with our NuGet repositories in JFrog Artifactory.

Automating vulnerability scanning for Gradle dependencies with CircleCI

Detecting dependency vulnerabilities in a Gradle-based project is crucial because it prevents applications from using libraries (dependencies) with security holes. Imagine an application as a house. Each dependency, or library used in the project, is like building material (such as wood, glass, or bricks). If there’s a flawed or easily penetrable material, the house can become unsafe, such as being more vulnerable to thieves or collapsing during an earthquake.

OWASP CI/CD Top 10: Inadequate Flow Control in CI/CD Pipelines

With the recent shake-up around CVE funding and broader questions about long-term support for cybersecurity infrastructure, one thing is clear: controlling what you can is more important than ever. This is abundantly clear in modern software development practices which rely heavily on CI/CD systems, which in turn serve as the primary conduit from a developer’s local environment to production.

CI/CD preprocessing pipelines in LLM applications

In Large Language Model (LLM) applications, the quality of the training data is paramount in determining the final model performance. One of the most important steps in preparing datasets is cleaning and transforming raw data into similar and usable formats. However, this process can be tedious and time-consuming when done manually. Automating these data cleaning workflows is essential to improve efficiency and maintain consistency across multiple datasets.

Creating and testing a RAG-powered AI app with Gemini and CircleCI

Have you ever asked an AI model a question and received an outdated or completely off-base response? I’ve been there too. The problem is that most AI models rely solely on their pre-trained knowledge, which becomes obsolete over time. This is where RAG can help: RAG is a hybrid AI technique that combines the advantages of retrieval systems and generative models. It bridges the gap by bringing in real-time information from external knowledge sources to improve the generation quality.

Introducing token rotation for access tokens

As part of Atlassian’s ongoing investment in security, we’re excited to introduce token rotation for access tokens in Bitbucket Cloud. Building on recent updates, like adding expiration dates to access tokens, this new capability allows you to rotate your tokens, which generates a new secret while maintaining the same access and scopes.

Scaling up to 1 Million Requests per Minute: How Cloudsmith Delivers Extreme Performance

CI/CD pipelines don’t wait. When traffic surges and your artifact platform can’t keep up, it’s not just a few slow requests: builds fail, deploys become backlogged, and engineers lose confidence. We’ve seen it all: 502s from overloaded VMs, minutes-long pulls, and pipelines grinding to a halt. That’s why we built Cloudsmith to scale by default; no one should have to firefight with their registry at 2 a.m.

Full Support for Arbitrary Files in Maven Repositories with Cloudsmith

We're excited to announce a major enhancement to our Maven repository support at Cloudsmith. As a Java developer, you can now upload and distribute arbitrary files using Maven repositories, unlocking more flexible and powerful workflows for your projects. Arbitrary files are files that are ignored by Maven unless explicitly included in the Project Object Model (POM) / pom.xml configuration.

Reproducible Builds, Fedora 43, and What It Means for the Software Supply Chain

April 2025 has brought some important news in the world of open source and software supply chain security: Fedora has announced a change proposal to make 99% of its package builds reproducible in its upcoming Fedora 43 release. At first glance, this might seem like a low-level Linux packaging detail. But in reality, this is part of a much bigger shift that touches anyone who builds, ships, or consumes software - including us at Cloudsmith and the developers and enterprises who rely on us.

Managing EKS deployments with CircleCI deploys

Development teams managing Kubernetes-based applications face challenges in maintaining visibility and control over their deployment processes. Without a centralized interface, teams struggle to track, monitor, and manage releases across their Kubernetes clusters, leading to potential deployment errors and difficulties in maintaining consistent deployment workflows.

7 tips for effective system prompting

Looking to get the most out of AI tools? In this video, we walk through 7 practical tips for writing effective system prompts that lead to more accurate, helpful, and context-aware responses. Whether you're building with LLMs or just refining your workflows, these tips will help you structure your prompts for success. Watch the full walkthrough and start improving your prompting strategy today.

CircleCI MCP server: Natural language CI for AI-driven workflows

The pace of software development has changed. With AI coding assistants now embedded into engineering workflows, developers are building faster, shipping sooner, and writing more code than ever before. But as velocity increases, so does the complexity of keeping that code running. When builds fail, developers need answers fast. They need clarity, context, and actionable feedback right where they’re working.

Kubernetes 1.33 - What you need to know

Kubernetes 1.33 is right around the corner, and there are quite a lot of changes to unpack! Removing enhancements with the status of “Deferred” or “Removed from Milestone”, we have 64 Enhancements in all listed within the official tracker. So, what’s new in 1.33? Kubernetes 1.33 brings a whole bunch of useful enhancements, including 35 changes tracked as ‘Graduating’ in this Kubernetes release.

Four reasons to explore a migration from Bitbucket Data Center to Bitbucket Cloud

With built-in CI/CD, native security tools, integrated planning, and AI agents, Bitbucket Cloud helps organizations accelerate productivity, improve engineering standards, and enhance collaboration across developers, operations and business teams. Moving to the cloud also helps lower costs by freeing up hardware budgets and IT resources. And you can rest easy knowing developers will stay productive on a secure and reliable platform. Curious about exploring a migration to Cloud?

SLSA: A Route to Tamper-Proof Builds and Secure Software Provenance

SLSA (Supply-chain Levels for Software Artifacts, pronounced ‘salsa’) is a progressive, industry-backed software security framework that safeguards software integrity throughout the development and delivery lifecycle. SLSA adoption is ramping up in industries where trust isn’t optional. As dependencies proliferate and threats multiply, SLSA provides a solid, structured path to prove that software is secure by design.

Building a Software Data Retention Strategy and Why You Need One

Every day, your developers are pushing software. Some of that software will make it to production, but many of those incremental builds will not. While you shouldn’t remove those incremental builds and old release versions haphazardly, if left unchecked, they can clog up your software repositories as well as the workflows and systems they serve.

How to use LLMs to generate test data (and why it matters more than ever)

The way software is written is changing fast. In the past few years, AI coding assistants and large language models (LLMs) have gone from novelty to necessity for many developers. Tools like Cursor, ChatGPT, and custom in-house models are helping teams generate boilerplate, scaffold features, and even build entire apps within minutes. It’s exciting. But it also raises the stakes. When code is written faster, it’s deployed faster.

Cloudsmith introduces EPSS Scoring in Enterprise Policy Management (EPM)

Cloudsmith’s Enterprise Policy Management (EPM) now supports the Exploit Prediction Scoring System (EPSS), a data-driven metric designed to estimate the probability of a software vulnerability being exploited in the wild. Using EPM in Cloudsmith, you can now use a package’s EPSS score to inform your package workflows, including those around Package Promotion and Package Quarantine.

CircleCI deploys: Enterprise-scale deployment automation with zero downtime

Discover how CircleCI enables enterprises to safely manage thousands of daily deployments at scale. In this short demo, we showcase: Learn how CircleCI Deploys eliminates manual intervention while ensuring production stability. Perfect for DevOps teams looking to automate deployment workflows and implement progressive delivery strategies in enterprise environments.

Benchmarking Kotlin Coroutines performance with CircleCI

A benchmark can be interpreted as a standard of comparison used to assess something. In everyday life, for example, when we want to buy a new cellphone and want to know which one is faster, we can see the speed test (benchmark) by measuring how fast the cellphone opens applications or runs games. From there, we can compare which cellphone is better based on the numbers produced.