Cloudsmith Inc., a startup that helps software teams manage application components, has secured $72 million in new funding.

The Series C round was led by TCV, which was also the biggest backer of the company’s previous raise last year. Cloudsmith stated in its funding announcement today that the venture fund was joined by other existing investors and Insight Partners. The company’s total outside funding now exceeds $110 million.

Developers download the open-source components they use in software projects from not only GitHub repositories but also many other sources. Artificial intelligence models, for example, are usually sourced from Hugging Face Inc.’s namesake portal. For administrators, verifying that all the open-source components used by developers meet cybersecurity requirements can be highly time-consuming.

Belfast-based Cloudsmith sells a cloud platform that eases the task. It’s a kind of app store that is optimized to store open-source projects and other software building blocks. Administrators can centrally manage those components, which is simpler than monitoring third-party repositories scattered across multiple websites. 

Cloudsmith can store not only code but also a range of other artifacts, an umbrella term for software project files. The platform is capable of hosting, among others, configuration scripts, AI models and operating systems.

Another use case that Cloudsmith supports is storing software containers. A container can comprise upwards of dozens of individual artifacts, each of which represents a potential cybersecurity risk. Cloudsmith tackles that complexity by automatically generating a software bill or materials, or SBOM, for each container. A SBOM is a file that lists a workload’s components. 

Before making an open-source component available for download, Cloudsmith scans it for known vulnerabilities. The platform determines the severity of each issue that it finds using a framework called the Exploit Prediction Scoring System. The framework estimates the likelihood that a vulnerability will be exploited by hackers in the next 30 days.

Cloudsmith also detects other issues besides vulnerabilities. According to the company, its platform scans open-source components for licensing terms that may complicate software projects. It can spot, among others, license clauses that prohibit commercial use. 

Customers can use the data surfaced by the platform to build automation workflows. For example, a company could create a policy that blocks open-source components if they contain a high-severity vulnerability. Customers write automation workflows in Rego, a specialized programming syntax optimized for tasks such as configuring cloud instances.

“AI agents generate so much software, so fast, it’s nearly impossible for humans to carefully review it all,” said Chief Executive Glenn Weinstein. “Cloudsmith has the scale, and the broad view across the open-source ecosystem, to protect enterprises against the new kinds of threats that AI-driven development introduces.”

The company will invest its new funding in feature development. In particular, Cloudsmith plans to add more cybersecurity controls and AI-powered automation capabilities.

Photo: Cloudsmith