The Artifact Management Market Is Up For Grabs

The enterprise artifact management market - which has belonged for a while to JFrog and Sonatype - is now truly up for grabs. Cloudsmith was built on the core principle that cloud-native architecture matters. So does simplicity in design and workflow. Partnerships matter, too. We’ve built a comprehensive platform that controls and secures every artifact as it’s built, scanned, signed, stored, and shipped across the software supply chain.

Self-hosted runners vs cloud CI/CD: A complete decision guide

Your CFO just asked about operational efficiencies across the engineering org. Tooling budgets are under the microscope, and suddenly CI/CD costs are getting attention. Sound familiar? When the pressure’s on to cut software spend, CI/CD often looks like a tempting target. It’s visible, measurable, and seemingly easy to move.

SwiftPM, CocoaPods, and the Future of Enterprise Development for Apple Platforms

Swift is the default and preferred language for developing applications within the Apple ecosystem. The Swift Package Manager (SwiftPM) has become the de-facto dependency manager for Swift, enabling developers to share and reuse code effortlessly. While its elegance lies in its simplicity, there’s a common concern about integrating SwiftPM into robust, enterprise-grade development workflows. This is where JFrog Artifactory shines.

Is it time to switch CI/CD platforms? 7 warning signs

Every engineering team eventually faces this question: “Is our CI/CD setup actually helping us, or is it getting in the way?” The answer isn’t always obvious. CI/CD problems often develop gradually: small issues become accepted workarounds, and those workarounds become standard practice. What once worked well for your team might not fit your current needs or scale. The decision to evaluate new tooling usually builds over time as pain points accumulate and priorities shift.

Understanding Playwright test hooks in the CI context (JavaScript) - A complete tutorial

All applications need some form of testing, whether frontend, backend, stress testing, or any other. Playwright can help. Playwright is an end-to-end testing framework for web applications, supporting cross-browser testing (Chromium, Firefox, WebKit) from a single API. Its built-in test runner (Playwright Test) provides hook functions to manage set-up and tear-down logic around your tests.

Validating OS-compatibility for locally-run LLMs using Ollama with CI/CD matrix workflows

Large Language Models (LLMs) are becoming increasingly accessible, with regular adoption of open-source models and the growing ecosystem of tools for running them locally. Compact versions are now able to run on consumer-grade hardware, so developers are using LLMs on personal devices like Linux workstations, macOS laptops, or even Windows machines. As this trend grows, so does the need to ensure that your LLM-powered applications run reliably across all major operating systems.

Evolving deployments in Bitbucket Pipelines: Concurrency Groups and Environments

We’re excited to announce that Bitbucket Cloud is introducing two powerful new features in Bitbucket Pipelines: Concurrency Groups and Environments. These enhancements are part of a broader initiative to make the Deployments functionality more flexible and user-friendly by breaking down its current monolithic structure into smaller, more granular capabilities that you can control directly.

Adding AI to applications using the Model Context Protocol

Large Language Models (LLMs) are now at the cutting edge of mainstream AI systems. Their impact has been seismic, sparking a new gold rush as application developers transform the user experience away from clicks and commands into natural language and advanced automation. However, application developers have a barrier to overcome. AI models need data to reason and respond to a particular application domain.

Risk and the problems of 3rd party software dependencies

Docker's VP of Product, Michael Donovan, discusses the importance of risk management and the security challenges introduced by the scale of 3rd party software dependency in development. See the full webinar: https://cloudsmith.com/webinars. About Cloudsmith: We offer the world's best cloud-native artifact management platform to control, secure, and distribute everything that flows through your software supply chain. Cloudsmith operates at enterprise scale, reduces risk, and streamlines builds.

OWASP CI/CD Part 8: Ungoverned Usage of 3rd Party Services

The boundaries of what organizations build internally and what they adopt externally have blurred. Developers routinely integrate third-party services into critical CI/CD pipelines, often with minimal friction and limited oversight. This rapid plug-and-play convenience, while key to modern engineering velocity, is also quietly expanding the attack surface in ways many teams struggle to track - let alone govern.

Using a Kubernetes credential provider with Cloudsmith

Join Ian Duffy, Senior Site Reliability Engineer at Cloudsmith, as he discusses using credential providers in Kubernetes to securely pull images from private repositories. Credential providers are a great new feature that appeared in recent versions of Kubernetes. They allow you to pull images using a short-lived authentication token, which makes them less prone to leakage than long-lived credentials - bolstering security in the software supply chain.

Goodbye imagePullSecrets, Hello Kubernetes Credential Providers

Previously, we showed you how to securely pull Docker images from Cloudsmith to Kubernetes using OIDC with a CronJob-based approach. We concluded the post discussing credential provider plugins from Kubernetes 1.20 and an enhancement in Kubernetes 1.33 that offers a new approach for external registries like Cloudsmith. We have now built a credential provider that takes advantage of this new capability. This article explores what this means for the future of pulling images from Cloudsmith on Kubernetes.

AI is now writing code at scale - but who's checking it?

As Generative AI (GenAI) reshapes the software development landscape, the risks and complexities around managing what gets built, where it comes from, and how it’s secured are growing just as fast. The Cloudsmith 2025 Artifact Management Report dives into this shift, offering critical insights into how teams are adapting their infrastructure and software supply chain security practices in response to AI-generated code.

DevEx Unpacked 006 - Leadership, Scaling & Serving Developers with Glenn Weinstein

Episode 006: In this episode of DevEx Unpacked, Cloudsmith co-founder Alan Carson sits down with CEO Glenn Weinstein for a deep dive into leadership, growth, and developer-first thinking. Glenn shares his journey from programming on a Commodore PET to founding and selling a startup, his lessons from Twilio, and what drew him to lead Cloudsmith. The two discuss what it takes to build a category-defining company from Belfast, navigating VC funding, and how values like resilience, clarity, and service drive long-term success.

CVE-2025-3248: Serious vulnerability found in popular Python AI package

Researchers at Trend Micro have uncovered a critical unauthenticated remote code execution (RCE) vulnerability affecting Langflow versions prior to 1.3.0. Langflow is a Python-based visual framework for building AI applications and boasts over 70,000 stars on GitHub and over 21,000 global weekly downloads from the public PyPI upstream. (Source: Cloudsmith Navigator.) Versions released before 1.3.0 contain a serious flaw in the code validation logic, which allows arbitrary code execution.

OWASP CI/CD Part 7: Insecure System Configuration

Insecure system configuration is a textbook example of how neglected settings can create an entry point for attackers targeting your CI/CD pipelines. It’s rarely the cutting-edge zero-day that causes a breach. More often, it’s the unpatched service, the overly permissive role, or the default password that was never changed. While this risk overlaps with CI/CD credential hygiene (covered in Part 6 of our OWASP CI/CD series), the focus here is much broader.

DevEx Unpacked 005 - Secure DevOps, Rego Policies & Growing Cloudsmith with Ciara Carey

Episode 005: In this episode of DevEx Unpacked, Alan Carson chats with Ciara Carey, Solutions Engineer at Cloudsmith, about her career journey from developer to DevRel to her current customer-facing role. Ciara shares real-world insights on software supply chain security, how teams are using Enterprise Policy Management (EPM) to control open source risk, and why Cloudsmith’s cloud-native platform is a game changer for DevSecOps workflows.

Kubernetes sidecar deployment using CircleCI

Kubernetes excels at managing complex, containerized systems, and one of its most impactful patterns is the sidecar. Sidecar containers extend applications by running supplementary processes in tandem. This modular architecture enables enhanced observability, networking, or security layers — all without changing the core application code. Continuous Integration and Continuous Deployment (CI/CD) practices are key to reliably shipping these configurations.

DevEx Unpacked 004 - Scaling Startups, Blockchain & Developer Culture with Jack Spargo

Episode 004: In this episode of DevEx Unpacked, Alan Carson chats with Jack Spargo, CTO of Control Alt, about his fascinating career journey from aerospace engineering to leading blockchain-powered investment platforms. Jack shares lessons from being acquired overnight, the challenges of building a platform from scratch, and why he’s betting big on junior engineers and AI augmentation. They explore the realities of compliance, software supply chain security, and why Northern Ireland is fast becoming a serious start-up hub.

Automating machine learning security checks using CI/CD

Machine learning (ML) pipelines are increasingly being treated like software: built, tested, deployed, and monitored using automated tooling. But while infrastructure as code and microservices have matured with security best practices, ML systems often lag behind. The truth is, your ML pipeline is part of your software supply chain and it is vulnerable.

Build an AI-powered Golang code review agent with CircleCI and GitHub webhooks

Code reviews are a crucial step in maintaining code quality, but many developers find them tedious and inconsistent. What if you could get helpful feedback automatically, as soon as a pull request is opened? In this tutorial, you’ll learn how to set up and integrate an AI-powered code review agent into your Go project. The agent uses the OpenAI API to post contextual suggestions and praise directly on pull requests.

DevEx Unpacked 003 - Scaling Cloudsmith, Security Innovation & Developer DNA with Tom Gibson

Episode 003: In this episode of DevEx Unpacked, Alan Carson sits down with Tom Gibson, Principal Engineer and long-time Cloudsmith team member, to trace his journey from early start-up to leading strategic innovation in the CTO’s office. Tom shares behind-the-scenes stories about engineering through scale, building continuous security scanning, and what it takes to evolve a developer-first platform.

Supercharge your iOS and MacOS development: CircleCI offers M4 Pro resources

For developers building on iOS and macOS, building the most performant software means having access to the latest Mac resources to quickly build, test, and deploy software. Apple’s newest M4 Pro chip represents yet another significant leap in Apple Silicon performance, delivering unprecedented speed and efficiency for development teams.

DevEx Unpacked 002 - DevRel, Donuts & Distributed Systems with Dan McKinney

Episode 002: In this episode of DevEx Unpacked, Alan Carson sits down with Dan McKinney, one of Cloudsmith’s earliest team members and now Head of Solutions Engineering. Dan reflects on his unique journey from writing docs and filming DevRel videos to leading high-stakes enterprise sales. Discover how Cloudsmith scaled from a two-person start-up to a platform trusted by global enterprises, why software supply chain security is more urgent than ever, and what features make developers and security teams lean in.

Achieving Sovereign AI with the JFrog Platform and NVIDIA Enterprise AI Factory

Sovereign AI ensures control over AI/ML data, models, and infrastructure, which is now essential for enterprises, regulated industries, and national interests. JFrog and NVIDIA have collaborated to deliver a secure, scalable solution for sovereign AI. NVIDIA provides the accelerated computing and AI software while JFrog ensures trusted DevSecOps and MLOps practices across the entire AI lifecycle, from model development and security scanning to deployment at the edge and in air-gapped environments.

OWASP CI/CD Part 6: Insufficient Credential Hygiene

This post, part six of our OWASP CI/CD Top 10 series, looks at some of the common risks associated with Insufficient Credential Hygiene. By better understanding the flaws that affect credential hygiene, we can better understand how even the most sophisticated pipelines were compromised.

DevEx Unpacked 001 - Scaling Secure Software with Alison Sickelka

Episode 001: In this inaugural episode of DevEx Unpacked, host Alan Carson sits down with Alison Sickelka, VP of Product at Cloudsmith, for a deep dive into the evolution of software supply chain security. Alison shares her journey from journalism to product leadership, the unique talent landscape in Belfast, and how Cloudsmith is pioneering secure artifact management. Learn how Cloudsmith's Enterprise Policy Management is shaping compliance strategies, why SBOMs are crucial, and where AI fits in a secure DevOps future.

Multi-Stage Malware Attack on PyPI: Malicious Package Threatens Chimera Sandbox Users

Open-source package repositories like the Python Package Index (PyPI) play a crucial role in software development. However, these platforms are also potential targets for malicious actors attempting to exploit application software vulnerabilities. The JFrog Security Research team regularly monitors open source software repositories using advanced automated tools, in order to detect malicious packages.

CI/CD Observability with OpenTelemetry - A Step by Step Guide

In the fast-paced world of CI/CD, understanding the performance and behaviour of your pipelines is crucial. GitHub Actions has become a popular choice for automating builds and deployments, but anyone who's debugged a flaky workflow or long-running job knows how challenging it can be to get visibility into what's happening under the hood. We usually rely on build logs, timing data, or guesswork when something goes wrong.

Secure Docker Image Pulls from Cloudsmith to Kubernetes using OIDC

Pulling Docker images from private registries for containerised applications presents a security challenge. It requires authentication management, network access, and trust across distributed systems. Credentials must be securely handled and rotated, and image pulls can break due to network restrictions or expired tokens. All of this makes deployment and security harder.

OWASP CI/CD Part 5 - Insufficient PBAC

One of the more overlooked yet critical vulnerabilities highlighted in the OWASP Top 10 for CI/CD Security Risks is Insufficient PBAC (Pipeline-Based Access Controls). Let’s unpack what PBAC is, why it's essential, and how you can leverage modern access control tools like Open Policy Agent (OPA) and Rego to mitigate these risks effectively.

Open Container Initiative (OCI) Support in Cloudsmith

Kubernetes has become the de facto platform for orchestrating containers. Open standards complement Kubernetes by defining best practices for its implementation. These standards are developed by the open-source Kubernetes community (not a single vendor), ensuring vendor neutrality, easier integration with other tools, and overall system efficiency.

Multiple Malicious Packages Discovered on PyPI, npm, and RubyGems

Evidence of broad and sustained attacks using several npm, Python, and Ruby packages continues to emerge. A series of malicious packages have been added to the npm, PyPI, and RubyGems package repositories. The attacks have been ongoing for some time, with some seeded years ago. Their aims are manifold, including stealing funds from crypto wallets, deleting codebases, and obtaining Telegram messaging data.

Hyperparameter tuning for LLMs using CircleCI matrix workflows

Hyperparameter tuning is a critical step in optimizing large language models (LLMs). Parameters such as learning rate, batch size, weight decay, and number of training epochs can significantly affect convergence behavior and final model performance. While several approaches like grid search or random search are widely used, executing them manually is inefficient, especially when each training run is compute-intensive.

Docker Hardened Images for tightened security and strong provenance

Docker's VP of Product, Michael Donovan, gives a quick overview of Docker Hardened Images and how they make open source software available in a hardened image container. They're minimal images with less attack surface and SLSA level 3 artifact compliance. They carry extensive provenance data, including SBOMs, CVEs, and VEX. Be confident that your software is safer from attack using Docker Hardened Images and Cloudsmith.

Michael Donovan, VP of Product at Docker, has a hot take on shift left security

Shift left means improving security at the early stages of software development. Is it the best approach? See the full webinar: https://cloudsmith.com/webinars