Home / Companies / Cloudsmith / Blog / May 2024

May 2024 Summaries

4 posts from Cloudsmith

Filter
Month: Year:
Post Summaries Back to Blog
Cloudsmith supports Helm Charts in its package formats, serving millions of Helm charts annually and growing its customer base every month. With Cloudsmith's multi-format repository support, users can store their Helm charts alongside container images in a single, unified platform. The company added support for Helm Charts in 2019 and has since enriched that support with features like provenance, proxying, caching, license scanning, and more. Users can migrate their Helm Charts to Cloudsmith from an OCI registry using simple commands like `helm pull` and `cloudsmith push`. By storing container images and Helm charts together in a single repository, Cloudsmith streamlines Kubernetes workflows and provides a secure source for hosting and distributing dependencies.
May 30, 2024 679 words in the original blog post.
In this blog post, the authors discuss the security risks associated with long-lived credentials in CI/CD pipelines and introduce OpenID Connect (OIDC) as a better alternative for enhanced security and manageability. OIDC provides short-lived authentication tokens that minimize the risk of unauthorized access, simplify expiration management, and prevent credential reuse. The authors provide a step-by-step guide to setting up GitHub Actions with Cloudsmith using OIDC for authentication, showcasing how this approach can enhance the security of CI/CD workflows.
May 28, 2024 1,069 words in the original blog post.
The PlatformCon 2024 agenda is now live, featuring a week-long virtual event with thousands of engineers attending, as well as a hybrid IRL day called LDN Live on June 12th in London. The event includes over 130 free online talks and workshops, including six that the author will be setting reminders for: DevOps is not dead, how platform engineering teams can augment DevOps with AI, Green DevOps: Building sustainable software, Meta dogfooding: How Cloudsmith uses Cloudsmith to build Cloudsmith, Securing CI/CD pipelines with Docker Scout: A DevSecOps approach to software supply chain security, and Why women should choose platform engineering. The author is particularly interested in the talks on DevOps trends, AI applications, sustainable software development, and diversity in platform engineering.
May 24, 2024 880 words in the original blog post.
The use of long-lived credentials in CI/CD platforms is a significant security risk, as these credentials can be used to access multiple cloud accounts and lead to data leaks, account hijacking, or unauthorized access. To mitigate this risk, the NSA recommends minimizing the use of long-lived credentials by using ephemeral tokens like OpenID Connect (OIDC) and implementing strong access controls, up-to-date tools, log auditing, security scans, and proper secret management. Rob Godfrey, Senior Technical Architect at the Financial Times (FT), shares his team's experience with navigating the aftermath of a CircleCI breach, highlighting the importance of OIDC authentication, selecting tooling that supports OIDC, and implementing alternative processes to mitigate risks. The FT team identified over 14,000 environment variables to manage and rotated all their secrets after receiving an advisory from CircleCI, and since then has implemented long-term initiatives to fortify pipeline security, including OIDC integration, automated key rotation, internal infrastructure inventory, build tool selection, and training and awareness programs.
May 06, 2024 801 words in the original blog post.