Operations | Monitoring | ITSM | DevOps | Cloud

Open Container Initiative (OCI) Support in Cloudsmith

Kubernetes has become the de facto platform for orchestrating containers. Open standards complement Kubernetes by defining best practices for its implementation. These standards are developed by the open-source Kubernetes community (not a single vendor), ensuring vendor neutrality, easier integration with other tools, and overall system efficiency.

Docker Hardened Images for tightened security and strong provenance

Docker's VP of Product, Michael Donovan, gives a quick overview of Docker Hardened Images and how they make open source software available in a hardened image container. They're minimal images with less attack surface and SLSA level 3 artifact compliance. They carry extensive provenance data, including SBOMs, CVEs, and VEX. Be confident that your software is safer from attack using Docker Hardened Images and Cloudsmith.

Michael Donovan, VP of Product at Docker, has a hot take on shift left security

Shift left means improving security at the early stages of software development. Is it the best approach? See the full webinar: https:/cloudsmith.com/webinars Get to know Cloudsmith: About Cloudsmith We offer the world's best cloud-native artifact management platform to control, secure, and distribute everything that flows through your software supply chain. Cloudsmith operates at enterprise scale, reduces risk, and streamlines builds.

OWASP CI/CD Part 4: Poisoned Pipeline Execution (PPE)

Modern development teams often rely on Continuous Integration (CI) pipelines to automate testing, building, and deployment of their code These pipelines are typically defined through configuration files stored within the source code repository. Developers, DevOps engineers, or other contributors with the appropriate permissions frequently need to edit these files to adjust workflows, add new checks, or support evolving project requirements.

Securing Containers at Scale: Docker Hardened Images + Cloudsmith

Containers have been with us for a while and are ubiquitous in the Secure Software Development Life Cycle (SSDLC). According to some reports, nearly 60% of organizations use containers for most or all of their production applications. It’s no surprise really, as containers provide consistency and standardization across the lifecycle while speeding up delivery pipelines. They revolutionized how we develop and deploy apps in the cloud and there is no sign of this changing anytime soon.

Securely quarantine suspect packages using Rego code with Cloudsmith's Enterprise Policy Management.

Software supply chain attacks are becoming more sophisticated, and Cloudsmith tackles this head-on with EPM. Using a set of tools, including a policy-as-code approach, you can tailor security policies to be as simple or as advanced as you need. Define any policy using Rego code and Open Policy Agent (OPA) to be highly prescriptive and catch suspect or non-compliant software artifacts before the damage is done..

XRPL Supply Chain Attack and How to Block it Using Cloudsmith's Enterprise Policy Management

Yet another supply chain attack has surfaced, this time using the xrpl library to sneak through malicious packages. xrpl.js is recognised as the recommended npm library for integrating the XRP Ledger (XRPL) with JavaScript/TypeScript applications, and has over 140k downloads a week.

OWASP CI/CD Part 3: Dependency Chain Abuse

As more teams rely on public repositories in their software supply chain, the dependency chain has become both a critical foundation and a potential blind spot. Dependency chain abuse is not new, but a growing list of attack vectors - like typosquatting, dependency confusion, and now slopsquatting - means security leaders need to respond quickly as attackers adopt new techniques.

Enterprise Policy Management with Cloudsmith

Enterprise Policy Management (EPM) is a programmable policy-as-code layer that controls the security, compliance, and flow of artifacts across the software supply chain. Teams can codify rules once and apply them continuously across repositories. With Cloudsmith’s platform, organizations extend policy enforcement across teams, environments, and geographies without introducing friction, including the open source packages that the chain depends on.