Security Scanning

Cloudsmith Security Scanning automatically scans supported package types for CVEs when a package is uploaded. You can also trigger subsequent scans manually via the Web UI or via the Cloudsmith API.

You can use the results of a Cloudsmith Security Scan to drive other actions, such as quarantining a package or gating a package promotion workflow.

Scan results are available via the Web UI, the Cloudsmith API or even as a Webhook.

Supported Formats

Cloudsmith's Security Scanning feature is available for the following package formats:

Data Sources

Security Scan Results

The results of a security scan are available from the Cloudsmith Web UI, the Cloudsmith API and also via a Webhook.

Scan results via the Cloudsmith Web UI

You can find an overview of all the packages that have been scanned, or are awaiting an additional scan via the "Security Scanning" page in any repository:

The Security Scanning page shows a breakdown of the number of packages scanned/not scanned, the age of scans (how long ago they were performed) and the pass/fail count overall.

For each listed package, you can also see the number of vulnerabilities found and the maximum severity of those found.

For more information and details, you can view the individual vulnerabilities found on the "Scans" tab on any package detail page:

Scan results via the Cloudsmith API

You can use the Cloudsmith Vulnerabilities API endpoints to return the scan results for an entire organization account, a specific repository, an individual package or just a single scan id.

Scan results via Webhook

Please see our Webhooks documentation for details of how to create a webhook and the full range of package events that are supported.

Performing additional security scans

In addition to the scan performed automatically when a package is uploaded, you can request further security scans using the Cloudsmith Web UI or the Cloudsmith API.

Additional security scans via the Cloudsmith Web UI

You can select one or more packages that you wish to security scan in the packages list in any repository:

You can also scan an individual package from the package details page:

Additional security scans via the Cloudsmith API

You can request an additional security scan for a package using the packages_scan API endpoint.
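The following script is an added example, not Cloudsmith's own code, showing how the pieces above fit together: it reads a package's scan records through the Vulnerabilities API, reduces them to a count and maximum severity, and turns that into an action (allow, quarantine, or an additional scan via the packages_scan endpoint). The base URL, the X-Api-Key header, the three endpoint paths, the record field names ("scan_status", "max_severity", "num_vulnerabilities", nested "scan" -> "results") and the status string "Completed" are assumptions and should be checked against the Cloudsmith API reference; the sample records are constructed.

```python
"""Added example (not Cloudsmith's own code): summarise a package's security-scan
results and gate a quarantine / rescan decision on them.

Assumed, not taken from the page: API_BASE, the X-Api-Key header, the endpoint paths
in the three request helpers, the record field names and the "Completed" status.
"""
import json
import os
import urllib.request
from dataclasses import dataclass

API_BASE = "https://api.cloudsmith.io/v1"  # assumed base URL

# Ordering used to compare severities; "Unknown" ranks lowest so it never trips a gate.
SEVERITY_RANK = {"Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def severity_rank(name):
    """Map a severity label to a comparable integer (unrecognised labels rank as 0)."""
    return SEVERITY_RANK.get(str(name).title(), 0)


@dataclass
class ScanSummary:
    scan_id: str
    status: str
    num_vulnerabilities: int
    max_severity: str


def summarise_scan(scan):
    """Reduce one scan record (assumed shape) to a ScanSummary.

    When per-finding results are present, the count and maximum severity are derived
    from them; otherwise the record's roll-up fields are used. A scan that has not
    completed reports zero findings, which is why decide() checks the status first.
    """
    findings = (scan.get("scan") or {}).get("results") or []
    if findings:
        count = len(findings)
        max_sev = max((f.get("severity", "Unknown") for f in findings), key=severity_rank)
    else:
        count = int(scan.get("num_vulnerabilities") or 0)
        max_sev = scan.get("max_severity") or "Unknown"
    return ScanSummary(str(scan.get("scan_id", "")), str(scan.get("scan_status", "")), count, max_sev)


def decide(summary, threshold="High"):
    """Gate policy: 'rescan' without a completed scan, 'quarantine' if the worst finding
    reaches the threshold, otherwise 'allow'."""
    if summary.status != "Completed":
        return "rescan"
    if summary.num_vulnerabilities and severity_rank(summary.max_severity) >= severity_rank(threshold):
        return "quarantine"
    return "allow"


def latest_summary(scans):
    """Summarise the newest scan record (by created_at); None if there are no scans."""
    if not scans:
        return None
    return summarise_scan(max(scans, key=lambda s: s.get("created_at", "")))


def _request(method, path, api_key, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method, headers={
        "X-Api-Key": api_key, "Accept": "application/json", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None  # some actions answer with an empty body


def list_package_scans(owner, repo, package, api_key):
    """Vulnerabilities API, per-package listing (assumed path)."""
    return _request("GET", f"/vulnerabilities/{owner}/{repo}/{package}/", api_key)


def request_scan(owner, repo, package, api_key):
    """packages_scan endpoint (assumed path): requests an additional scan."""
    return _request("POST", f"/packages/{owner}/{repo}/{package}/scan/", api_key)


def quarantine_package(owner, repo, package, api_key):
    """Quarantine action (assumed path)."""
    return _request("POST", f"/packages/{owner}/{repo}/{package}/quarantine/", api_key)


# Constructed sample records in the assumed shape; not real API output.
SAMPLE_SCANS = [
    {"scan_id": "scan-0001", "scan_status": "Completed", "created_at": "2024-01-01T00:00:00Z",
     "num_vulnerabilities": 2, "max_severity": "Critical",
     "scan": {"results": [
         {"vulnerability_id": "PLACEHOLDER-CVE-1", "severity": "Medium", "package_name": "libexample"},
         {"vulnerability_id": "PLACEHOLDER-CVE-2", "severity": "Critical", "package_name": "libexample"},
     ]}},
    {"scan_id": "scan-0002", "scan_status": "Pending", "created_at": "2024-01-02T00:00:00Z"},
]

if __name__ == "__main__":
    for record in SAMPLE_SCANS:  # offline walk-through of the constructed records
        s = summarise_scan(record)
        print(s.scan_id, s.status, s.num_vulnerabilities, s.max_severity, "->", decide(s))
    key = os.environ.get("CLOUDSMITH_API_KEY")  # online part only with credentials set
    owner, repo, pkg = (os.environ.get(v) for v in ("CS_OWNER", "CS_REPO", "CS_PACKAGE"))
    if key and owner and repo and pkg:
        summary = latest_summary(list_package_scans(owner, repo, pkg, key)) or ScanSummary("", "", 0, "Unknown")
        action = decide(summary)
        if action == "rescan":
            request_scan(owner, repo, pkg, key)
        elif action == "quarantine":
            quarantine_package(owner, repo, pkg, key)
        print(pkg, "->", action)
```

Run without environment variables, the script only exercises the policy on the constructed records; with CLOUDSMITH_API_KEY, CS_OWNER, CS_REPO and CS_PACKAGE set it performs the real calls. The policy treats a pending or missing scan as "rescan" rather than "allow" so that an unscanned package can never pass a promotion gate by default.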

