Cloudsmith has introduced a new threat intelligence capability for its software artifact management platform, enabling DevSecOps teams to better assess the security risks associated with downloading software components. The announcement, made during KubeCon + CloudNativeCon Europe, highlights a growing industry focus on strengthening software supply chain security as cyber threats continue to escalate.

The new feature allows organizations to enrich software packages with threat intelligence data, including known malware indicators and vulnerability insights sourced from initiatives such as the Open Software Security Foundation (OpenSSF). By embedding this intelligence directly into software artifacts, DevSecOps teams gain deeper visibility into potential risks before integrating components into development pipelines.

As software supply chain attacks become more frequent, organizations are increasingly recognizing the need for proactive security measures. According to Cloudsmith, 44% of organizations have already experienced a security incident caused by a third-party dependency, while an additional 39% report near misses. These figures underscore the urgent need for more robust controls within modern DevSecOps workflows.

A key capability within the platform is the automated evaluation of software bills of materials (SBOMs). This allows teams to identify unsafe transitive dependencies, detect non-compliant licenses, and block potentially vulnerable components before they are deployed. By integrating policy enforcement into the development lifecycle, organizations can reduce exposure to exploitable vulnerabilities without relying solely on manual review processes.

The system leverages Open Policy Agent (OPA), an open-source policy engine governed by the Cloud Native Computing Foundation (CNCF), to enable automated decision-making. For example, newly published packages can be quarantined until they are fully vetted, while components with high-risk scores based on the Exploit Prediction Scoring System (EPSS) can be automatically restricted. When access is denied, developers receive real-time guidance through their command-line interface (CLI), helping them take corrective actions or request exceptions efficiently.
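The quarantine-and-EPSS gating described above, modelled as an added Python example; this is not Cloudsmith's code or an OPA policy, and the thresholds, package names and CVE ids are constructed placeholders:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy values (assumptions, not Cloudsmith defaults):
QUARANTINE_PERIOD = timedelta(days=7)   # hold new releases this long unless vetted
EPSS_THRESHOLD = 0.5                    # deny if any CVE's EPSS probability exceeds this

@dataclass
class Package:
    name: str
    version: str
    published: datetime
    vetted: bool = False
    # CVE id -> EPSS probability of exploitation in the next 30 days (constructed)
    epss: dict = field(default_factory=dict)

def evaluate(pkg: Package, now: datetime, quarantine: timedelta = QUARANTINE_PERIOD,
             threshold: float = EPSS_THRESHOLD) -> list:
    """Return the violated-rule messages; an empty list means the download is allowed.
    Each message is the guidance a CLI would show the developer on denial."""
    reasons = []
    age = now - pkg.published
    # Rule 1: newly published packages stay quarantined until someone vets them.
    if age < quarantine and not pkg.vetted:
        reasons.append(
            f"{pkg.name}=={pkg.version} was published {age.days} day(s) ago and is "
            f"quarantined until vetted; pin a vetted release or request an exception")
    # Rule 2: restrict packages carrying a vulnerability that is likely to be exploited.
    risky = {cve: p for cve, p in pkg.epss.items() if p > threshold}
    if risky:
        worst = max(risky, key=risky.get)
        reasons.append(
            f"{pkg.name}=={pkg.version} carries {worst} with EPSS {risky[worst]:.2f} "
            f"(above {threshold:.2f}); upgrade to a patched release or request an exception")
    return reasons

def sample_decisions() -> dict:
    """Evaluate three constructed packages against a fixed clock (placeholder CVE ids)."""
    now = datetime(2025, 4, 10, tzinfo=timezone.utc)
    fresh = Package("newlib", "2.0.0", now - timedelta(days=2))
    vuln = Package("oldlib", "1.4.2", now - timedelta(days=400), vetted=True,
                   epss={"CVE-0000-00000": 0.93})
    clean = Package("goodlib", "3.1.0", now - timedelta(days=30),
                    epss={"CVE-0000-00001": 0.04})
    return {p.name: evaluate(p, now) for p in (fresh, vuln, clean)}

if __name__ == "__main__":
    for name, reasons in sample_decisions().items():
        print(name, "ALLOWED" if not reasons else "DENIED: " + "; ".join(reasons))
```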

Nigel Douglas, head of developer relations at Cloudsmith, emphasized that the goal is to simplify the enforcement of security policies while maintaining developer productivity. By providing actionable insights and automated controls, the platform helps organizations strike a balance between speed and security in software delivery.

The need for such solutions is further amplified by the rapid adoption of AI in software development. As AI-driven coding tools accelerate code generation, they also increase the risk of introducing vulnerabilities from external repositories. This growing complexity places additional pressure on DevSecOps teams to implement scalable, automated security frameworks.

Regulations are tightening at the same time. Frameworks such as the European Union’s Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA) are forcing organizations to adopt more stringent DevSecOps procedures, which makes compliance a crucial factor in security expenditure.

As the volume of code continues to grow in the age of AI, enforcing consistent security policies will be essential to minimizing risk. Cloudsmith’s latest enhancement reflects a broader industry shift toward intelligent, policy-driven security models that enable organizations to safeguard their software supply chains without slowing innovation.
