Better Together:
Kusari and Cloudsmith
Kusari secures the build, and Cloudsmith secures the distribution. Together, they provide an end-to-end, policy-driven workflow that transforms security from a reactive chore into a proactive, automated discipline.
Continuous confidence for everyone in the chain
Developers
Devs get fast, actionable feedback from Kusari and trust that anything they pull from Cloudsmith is pre-vetted.
DevOps
DevOps teams can trust their CI pipeline and their artifact repository, which in turn enables true GitOps and automated deployment confidence.
Security & Compliance
Security teams have an end-to-end, auditable trail from source code to production deployment, all governed by automated, enforceable policies.
1. Deeper software provenance:
Kusari acts as your software detective. It traces every component back to its source, eliminating "mystery blobs" and ensuring that a typosquatted package or a compromised dependency is stopped dead in its tracks.
2. More intelligent triaging:
Instead of drowning you in 1,200 CVE alerts, Kusari’s context-aware analysis pinpoints the handful that are actual, reachable threats in your application, allowing developers to focus on what’s critical.
3. Evidence generation:
Kusari acts as a court reporter for your build. It automatically generates a tamper-proof evidence packet containing a signed SBOM, a vulnerability report (VEX), and a provenance attestation. This packet is the immutable proof of what went into your build and its security posture at that moment.
4. Continuous monitoring:
Kusari isn’t done when the build completes. It constantly checks your dependency graph for newly-discovered vulnerabilities. When the next zero-day hits, you can get right to work patching it instead of wondering which versions of which applications are affected.
Kusari is the guardian of your development pipeline
Think of Kusari as the meticulous inspector on your assembly line: operating "left" in your development lifecycle, right inside your CI/CD pipeline, to ensure that only verified, secure, and compliant code ever gets built into an artifact. Cloudsmith then consumes those software artifacts as a central store.
Kusari ensures you build the right thing.
But what happens to the artifact after it's built?
Cloudsmith is your secure vault for all software artifacts
Think of Cloudsmith as the secure, intelligent warehouse where your finished goods are stored and distributed. It takes the trusted artifacts and the rich evidence packet generated by Kusari, and adds the critical "last mile" of security and control.
1. Policy-as-code enforcement:
Cloudsmith uses the SBOM and vulnerability data from Kusari to enforce powerful, automated rules. Using its Rego-based policy engine, you can prevent developers or systems from downloading and deploying artifacts that violate your standards, whether it’s based on CVSS score, the presence of a critical vulnerability, or a non-compliant license.
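As an added illustration of what a Rego policy of this kind looks like (this is a constructed example, not a policy or input schema shipped by Cloudsmith or Kusari), the following policy denies a package when any vulnerability that the accompanying VEX statement does not mark as `not_affected` meets a CVSS threshold or is rated critical, or when the package carries a license on a denylist. The input shape (`input.package`, `input.vulnerabilities`, `input.vex`, `input.licenses`), the threshold, and the denied-license set are all assumptions chosen for the example.

```rego
package example.artifact_policy

import rego.v1

# Assumed (hypothetical) input document, NOT Cloudsmith's real schema:
#   input.package        = {"name": "...", "version": "..."}
#   input.vulnerabilities = [{"id": "CVE-...", "cvss_score": 9.8, "severity": "critical"}, ...]
#   input.vex            = [{"vulnerability": "CVE-...", "status": "not_affected"}, ...]
#   input.licenses       = ["MIT", ...]   (SPDX identifiers)

# Policy knobs; values picked for the example.
cvss_threshold := 7.0
denied_licenses := {"SSPL-1.0", "AGPL-3.0-only"}

# Vulnerability IDs that a VEX statement says do not affect this package.
# These are filtered out so that triaged findings do not block a download.
vex_not_affected contains v.vulnerability if {
	some v in input.vex
	v.status == "not_affected"
}

# A finding still counts when no VEX statement clears it.
affected contains v if {
	some v in input.vulnerabilities
	not vex_not_affected[v.id]
}

# Deny on CVSS at or above the threshold.
deny contains msg if {
	some v in affected
	v.cvss_score >= cvss_threshold
	msg := sprintf("%s@%s: %s has CVSS %.1f (threshold %.1f)",
		[input.package.name, input.package.version, v.id, v.cvss_score, cvss_threshold])
}

# Deny on any remaining critical-severity finding, whatever its score.
deny contains msg if {
	some v in affected
	lower(v.severity) == "critical"
	msg := sprintf("%s@%s: %s is rated critical",
		[input.package.name, input.package.version, v.id])
}

# Deny on a non-compliant license.
deny contains msg if {
	some l in input.licenses
	l in denied_licenses
	msg := sprintf("%s@%s: license %s is not permitted",
		[input.package.name, input.package.version, l])
}

# The package may be consumed only when nothing denies it.
default allow := false

allow if count(deny) == 0
```

With the policy saved as `policy.rego` and a sample input (in the assumed shape above) as `input.json`, `opa eval -i input.json -d policy.rego "data.example.artifact_policy.deny"` lists the reasons a package would be blocked, and `data.example.artifact_policy.allow` gives the final decision. The VEX filter is the part worth copying: a vulnerability report alone would block every package that merely contains a vulnerable component, while the VEX status lets the policy honour the build-time triage and block only what is actually affected.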
2. A single source of truth:
The artifact and its corresponding Kusari-generated security evidence (SBOM, VEX) live together inside Cloudsmith. This creates a single, auditable source of truth. When a compliance auditor asks for proof, it’s all in one place, tied directly to the versioned package.
3. Control what’s consumed in the software supply chain (SSC):
When a new zero-day vulnerability (like Log4j) is discovered, or a piece of malware in an NPM package (like Shai-Hulud), the security team can instantly answer Kusari's question, "Where is this running?" and then use Cloudsmith to immediately block or quarantine every affected artifact across all repositories, preventing any further insecure deployments.
Cloudsmith ensures you only use the right thing.
Kusari tells you what matters in your source code. Cloudsmith uses that intelligence to control your artifacts.
Kusari: build-time assurance. Cloudsmith: storage and distribution control.
Together, they empower you to ship with evidence rather than blind trust.