Cooldown policies - Block malicious packages at the index
Every dependency pull is a trust decision. Public registries don't vet what they serve.
Cooldown policies give you a gate at the moment that matters most: when a package first enters your environment. Dan McKinney (Solutions Engineering Manager) walks through how Cloudsmith's cooldown policies work and how to configure one in under five minutes.
What Dan covers:
- Why new packages represent the highest-risk window in your supply chain
- How cooldown policies hold packages until threat intelligence catches up
- How to configure a cooldown policy using the built-in template
- How to set your cooldown period, scope it to specific repos, and handle existing cached packages
- What compliant and non-compliant package installs look like in practice
Cooldown policies close a specific gap: the time between when a bad package is published and when your other tools catch up. Cloudsmith gives you pre-ingestion control, continuous reevaluation as new threat data comes in, and a clear record of what entered your environment, under what policy, and when.
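To make the mechanism concrete, here is an added illustration (not Cloudsmith's code and not from the video): a small Python evaluator that decides whether an install request passes a cooldown policy, with the three knobs the list above mentions: the cooldown period, scoping to specific repositories, and handling of versions that were already cached before the policy was enabled. The `CooldownPolicy`/`PackageVersion` data shapes, the `published_from_index_json` helper (modelled on the PyPI JSON API's `upload_time_iso_8601` field) and every sample value are assumptions constructed for the example.

```python
"""Minimal cooldown-policy evaluator (added example, not Cloudsmith's implementation)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class CooldownPolicy:
    cooldown_days: int                              # minimum public age before serving
    repositories: Optional[frozenset] = None        # None = applies to every repository
    enabled_at: Optional[datetime] = None           # when the policy was switched on
    grandfather_cached: bool = True                 # leave versions cached before enabled_at alone


@dataclass(frozen=True)
class PackageVersion:
    name: str
    version: str
    repository: str
    published_at: datetime          # time the version appeared on the public index
    cached_at: Optional[datetime]   # time it first entered our cache, or None if never


def published_from_index_json(index_json: dict, version: str) -> datetime:
    """Earliest upload time of any file for `version`, taken from index metadata.

    The timestamp must come from the registry's own record (the index observed the
    upload), never from metadata inside the package, which the publisher controls.
    Shape assumed: {"releases": {ver: [{"upload_time_iso_8601": "...Z"}, ...]}}.
    """
    files = index_json.get("releases", {}).get(version, [])
    if not files:
        raise KeyError(f"no files recorded for version {version}")
    return min(
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files
    )


def evaluate(policy: CooldownPolicy, pkg: PackageVersion, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Must be re-run on every pull, not once at ingestion,
    so a version that is quarantined today becomes servable once it has aged."""
    if policy.repositories is not None and pkg.repository not in policy.repositories:
        return True, "policy not scoped to this repository"
    if (policy.grandfather_cached and pkg.cached_at is not None
            and policy.enabled_at is not None and pkg.cached_at < policy.enabled_at):
        return True, "cached before the policy was enabled"
    required = timedelta(days=policy.cooldown_days)
    age = now - pkg.published_at              # negative age (future timestamp) is held too
    if age >= required:
        return True, f"published {age.days}d ago, {policy.cooldown_days}d cooldown satisfied"
    eligible_at = pkg.published_at + required
    return False, f"held: published {age.days}d ago, eligible at {eligible_at.isoformat()}"


# Constructed sample data: a 7-day cooldown on the "python-prod" repository,
# enabled on 2024-06-12; "now" is 2024-06-15 UTC.
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
POLICY = CooldownPolicy(7, frozenset({"python-prod"}), datetime(2024, 6, 12, tzinfo=timezone.utc))
SAMPLE_INDEX_JSON = {  # constructed, in the PyPI JSON API shape
    "releases": {"0.0.1": [{"upload_time_iso_8601": "2024-06-13T09:14:02.123456Z"}]}
}


def demo(policy: CooldownPolicy = POLICY, now: datetime = NOW) -> Dict[str, Tuple[bool, str]]:
    """Evaluate four constructed install requests and return name@version -> decision."""
    utc = timezone.utc
    requests_ = [
        # Mature version, well past the window: served.
        PackageVersion("requests", "2.32.3", "python-prod", datetime(2024, 5, 20, tzinfo=utc), None),
        # Brand-new version, timestamp parsed from index metadata: held.
        PackageVersion("leftpad-helper", "0.0.1", "python-prod",
                       published_from_index_json(SAMPLE_INDEX_JSON, "0.0.1"), None),
        # Only 5 days old, but cached the day before the policy was enabled: grandfathered.
        PackageVersion("oldlib", "1.0.0", "python-prod",
                       datetime(2024, 6, 10, tzinfo=utc), datetime(2024, 6, 11, tzinfo=utc)),
        # Published yesterday, but in a repository the policy is not scoped to: served.
        PackageVersion("some-ui-kit", "4.2.0", "npm-dev", datetime(2024, 6, 14, tzinfo=utc), None),
    ]
    return {f"{p.name}@{p.version}": evaluate(policy, p, now) for p in requests_}


if __name__ == "__main__":
    for key, (allowed, reason) in demo().items():
        print(f"{'ALLOW' if allowed else 'HOLD '} {key:24} {reason}")
```

Switching `grandfather_cached` to `False` makes the evaluator re-check already-cached versions against the same window, which is the "handle existing cached packages" choice from the list above; the rest of the logic is unchanged.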
Timestamps:
0:00 - Why public registries lack admission controls
1:09 - How cooldown policies work
1:25 - Creating a cooldown policy in Cloudsmith
2:00 - Setting the cooldown period and scoping repositories
2:34 - Enabling the policy
2:41 - Live demo: package install with cooldown active
3:45 - What cooldown policies protect against
Ready to see how cooldown policies fit your team's setup? Book a demo or start a free trial today. https://cloudsmith.com/book-a-demo
#Cloudsmith #SoftwareSupplyChain #DevSecOps #ArtifactManagement