Cloudsmith Updates Container Registry to Streamline DevSecOps Workflows
Cloudsmith at the KubeCon + CloudNativeCon Europe 2025 conference today added real-time vulnerability scanning to its container registry, along with the ability to automatically sign container images with the open-source Cosign utility as they are cached.
The company is also updating the user interface (UI) to make it possible to track Docker image hierarchies using tags, and adding the ability to generate a software bill of materials (SBOM) from within the registry.
Finally, Cloudsmith is adding governance capabilities by integrating its Enterprise Policy Manager (EPM) tool with the Exploit Prediction Scoring System (EPSS), a cybersecurity community initiative that prioritizes vulnerabilities based on real-world exploitability, while at the same time ensuring container images comply with security baselines such as the NIST framework.
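To make the EPM-plus-EPSS idea concrete, the following is an added illustration (not Cloudsmith's own code, and not the actual EPM policy language) of what an exploitability-driven admission policy for a container image looks like: findings from an image scan are ranked by EPSS probability, and the image is blocked when any fixable finding exceeds an EPSS threshold or carries a blocked severity. The scan findings, CVE identifiers (deliberately non-real placeholders) and EPSS scores are all constructed for the example.

```python
"""Constructed example of an EPSS-driven promotion gate for a scanned image.

Not Cloudsmith's EPM implementation; the Finding/Policy/Decision types and
all sample data are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rank used only to break ties between findings with equal EPSS scores.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class Finding:
    cve_id: str                     # placeholder ids below, not real CVEs
    package: str
    severity: str                   # CVSS qualitative rating from the scanner
    epss: float                     # EPSS probability of exploitation, 0.0-1.0
    fixed_version: Optional[str]    # None when the upstream has no fix yet


@dataclass(frozen=True)
class Policy:
    block_epss_at: float = 0.10             # block if exploitation probability >= 10%
    block_severities: frozenset = frozenset({"CRITICAL"})
    ignore_unfixed: bool = True             # do not block on findings with no fix


@dataclass
class Decision:
    allowed: bool
    prioritized: List[str]          # cve ids, most exploitable first
    blocking: Dict[str, List[str]]  # cve id -> reasons it blocks promotion


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings by EPSS (exploitability), then severity, descending."""
    return sorted(
        findings,
        key=lambda f: (f.epss, SEVERITY_RANK.get(f.severity, 0)),
        reverse=True,
    )


def evaluate(findings: List[Finding], policy: Policy) -> Decision:
    """Apply the policy to every finding and decide whether the image passes."""
    ordered = prioritize(findings)
    blocking: Dict[str, List[str]] = {}
    for f in ordered:
        if policy.ignore_unfixed and f.fixed_version is None:
            continue  # nothing to remediate yet; tracked, but not a gate failure
        reasons = []
        if f.epss >= policy.block_epss_at:
            reasons.append(f"EPSS {f.epss:.3f} >= threshold {policy.block_epss_at}")
        if f.severity in policy.block_severities:
            reasons.append(f"severity {f.severity} is blocked by policy")
        if reasons:
            blocking[f.cve_id] = reasons
    return Decision(
        allowed=not blocking,
        prioritized=[f.cve_id for f in ordered],
        blocking=blocking,
    )


# Constructed scan output for one image; ids and scores are invented.
SAMPLE_FINDINGS = [
    Finding("CVE-YYYY-EXAMPLE1", "openssl", "HIGH", 0.42, "3.0.x-fixed"),
    Finding("CVE-YYYY-EXAMPLE2", "libxml2", "CRITICAL", 0.003, None),
    Finding("CVE-YYYY-EXAMPLE3", "curl", "MEDIUM", 0.01, "8.x-fixed"),
    Finding("CVE-YYYY-EXAMPLE4", "zlib", "CRITICAL", 0.05, "1.3.x-fixed"),
]

if __name__ == "__main__":
    decision = evaluate(SAMPLE_FINDINGS, Policy())
    print("allowed:", decision.allowed)
    print("remediation order:", decision.prioritized)
    for cve, reasons in decision.blocking.items():
        print(cve, "->", "; ".join(reasons))
```

With the default policy the image is blocked by the high-EPSS OpenSSL finding and the fixable CRITICAL zlib finding, while the CRITICAL-but-unfixed libxml2 finding is reported without blocking; the remediation list puts the 42% EPSS finding ahead of the CRITICAL one with a 5% score, which is the point of weighting by exploitability rather than severity alone.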
Alison Sickelka, vice president of product at Cloudsmith, said these capabilities will make it simpler to streamline DevSecOps workflows using certified container artifacts that also serve to reduce misconfigurations. The overall goal is to make it simpler for organizations to embrace frameworks such as the Supply-chain Levels Framework for Software Artifacts (SLSA), she added.
Cloudsmith has been making the case for a managed registry that streamlines the management of binaries, images and artifacts in a way that integrates with existing continuous integration/continuous delivery (CI/CD) platforms. The company last month revealed it had raised an additional $23 million in funding, with 75% of its revenue now coming from U.S. customers.
As compliance requirements involving software distribution become more stringent, many organizations are discovering to their chagrin that they have no centralized method for managing software binaries. That issue is about to become even more problematic as the overall amount of code being generated with the aid of artificial intelligence (AI) tools continues to increase exponentially.
Just as challenging, organizations are also now more dependent than ever on containers that are frequently updated. Unfortunately, a lot of the software encapsulated in those containers has known vulnerabilities that can be easily exploited. While it may be tempting not to worry about those vulnerabilities if a container only runs for a few minutes, the fact remains that at any given time an organization might be running thousands of containers that could be exploited by cybercriminals who now routinely scan application code for vulnerabilities. Frameworks such as SLSA, combined with a container registry, ensure that DevSecOps best practices are continuously enforced across software supply chains, said Sickelka.
Inevitably, most organizations will need to modernize the way they construct software because many of the workflows used to create and deploy binaries are too fragmented to enable organizations to securely build and deploy software at scale.
There will, of course, come a day when more stringent regulations will finally force the container security issue. In the meantime, however, software engineering teams building and deploying container applications today, in the absence of any best DevSecOps practices, should assume it’s only a matter of time before there is a compromise that will be attributed to a lack of appropriate vigilance.