
Latest News

Cloudsmith Supports OpenSSF's Efforts to Secure OSS

As part of our mission to make it simple to secure software at scale through Continuous Packaging, Cloudsmith is excited to announce that we have become an Open Source Security Foundation (OpenSSF) member. OpenSSF is a cross-industry forum for a collaborative effort to improve security in open source software (OSS). One software pipeline's output is another's dependency: we are all splashing around in each other's supply chains.

Discover 2022 DevOps trends with CircleCI data report

If you’re like many of our customers, the phrase software supply chain entered your lexicon this year. You’ve begun to feel the complexities and vulnerabilities of that supply chain. You’ve connected the dots between more reliable software delivery and business success. You’re recognizing the gains developer efficiency can have on profitability.

What is CICD Pipeline? Explanation of CICD Pipeline along with Examples.

Continuous Integration (CI) is a software development practice where developers frequently merge the code and the changes in a central repository. The important goals of continuous integration are to find and resolve bugs more quickly, improve the software quality, and reduce the time taken to validate and release new software updates. Continuous Delivery (CD) is done on top of Continuous Integration and includes the practice of automating the entire software release process and builds.

Deployment Frequency Explained

While metrics have always been fundamental to improvement in the business world, the growing prominence of DevOps in recent years has elevated their importance in the context of software development. To build a continuous improvement culture, you need a set of metrics that allows you to establish a baseline and inform where the improvement opportunities lie. Arguably the most popular of them are the DORA metrics. In this post, we will focus on Deployment Frequency, one of the four DORA metrics.

Predict the cost of IP ranges with new enhancements to the Resources tab

One of our most requested and popular features, IP ranges for the Docker executor, recently became available to all customers on a Performance or Scale plan. With IP ranges, you can route job traffic through an IP address that is verifiably associated with CircleCI. This enables your team to meet compliance requirements by limiting the connections that communicate with your infrastructure. With any new feature, you want to know how much it’s going to cost your team.

Shifting Left for DevSecOps Success

Not long ago, developers built applications with little awareness of security and compliance. Checking for vulnerabilities, misconfigurations and policy violations wasn’t their job. After creating a fully functional application, they’d throw it over the proverbial fence, and a security team would evaluate it at some point – or maybe never. Those days are gone – due to three main shifts.

CircleCI acquires test intelligence platform Ponicode

Today we are pleased to announce that CircleCI has acquired Ponicode, a Paris-based AI engine for analyzing source code, with the goal of helping developers produce better code in their local development environment. Ponicode caught our attention with their dedicated focus on helping developers handle their least favorite tasks — the toil surrounding writing code — such as authoring tests, commenting code, analyzing code quality, and more.

DirtyPipe (CVE-2022-0847) - the new DirtyCoW?

A few days ago, security researcher Max Kellermann published a vulnerability named DirtyPipe which was designated as CVE-2022-0847. This vulnerability affects the Linux kernel and, if exploited, can allow a local attacker to gain root privileges. The vulnerability gained extensive media follow-up, since it affects all Linux-based systems with a 5.8 or later kernel, without any particular exploitation prerequisites.