CloudGate sits at the boundary of your infrastructure and inspects everything that crosses it — pip packages, npm modules, RPMs, ISOs, container images, Terraform modules — before they reach your cluster. AI scans for malicious intent. Zero trust by default.
Every pip install, docker pull, and npm install is an implicit trust decision. Most organisations make them blindly, at scale, across hundreds of developers — often in regulated or air-gapped environments where a single malicious package can be catastrophic.
A 100-node Kubernetes cluster burning through Docker Hub pull limits is a Monday morning incident waiting to happen. Every CI pipeline grinding to a halt because anonymous pulls are throttled. CloudGate proxies and caches everything — one pull from the source, served indefinitely from your internal OCI registry.
Typosquatting, dependency confusion, malicious postinstall scripts — supply chain attacks hit PyPI, npm and RubyGems hundreds of times per year. Your developers don't read every package they install. CloudGate's AI engine does, flagging exfiltration patterns, obfuscated code, and suspicious network calls before the package ever reaches your cluster.
Regulated environments — financial services, defence, healthcare, government — often mandate full air-gap. But developers still need packages. The current solution is manual, error-prone, and impossible to audit at scale. CloudGate is purpose-built for one-way transfer across data diodes: everything inspected, nothing unaccounted for.
Every artefact entering your environment passes through the same inspection pipeline regardless of type. The result is binary: it enters your trusted internal registry, or it doesn't.
Developers and CI pipelines point at CloudGate's proxy endpoints. pip, npm, docker, rpm — all traffic is intercepted transparently. No tooling changes required for end users.
CloudGate fetches from the canonical upstream source. Bandwidth is consumed once per unique version. Rate limits become irrelevant. Bandwidth costs collapse.
Trivy, Grype and OSV cross-reference against known CVE databases. Checksums verified against upstream. Package metadata validated. Licence compliance checked.
Source code and scripts are analysed for malicious intent — exfiltration patterns, obfuscated eval chains, suspicious subprocess calls, encoded payloads, and novel supply chain attack patterns that CVE databases haven't catalogued yet.
Clean artefacts are signed, stored in your internal registry, and served to downstream consumers. Threats are quarantined, logged with full forensic detail, and your security team is alerted. The developer sees a clean failure message — no guesswork needed.
Every admission is recorded. Every denial has a reason. Full SBOM generation for admitted packages. Grafana dashboards show exactly what entered your environment, when, and why it was trusted.
[Sample verdict from the page's demo: a package imitating requests, flagged in its setup.py. Package is not published by the legitimate, PSF-verified requests maintainers. Likely typosquatting attack targeting requests==2.31.0. Classic typosquatting vector.]

Known CVEs are the tip of the iceberg. The real danger is novel attacks — typosquatted packages, dependency confusion exploits, obfuscated postinstall scripts — that haven't been catalogued yet. CloudGate's AI engine analyses code behaviour, not just signatures.
Identifies credential harvesting, reverse shells, C2 beaconing, and data exfiltration patterns — even when obfuscated through base64, eval chains, or dynamic imports.
Catches attacks that haven't hit CVE databases yet. Dependency confusion, typosquatting, and novel attack patterns are detected by code analysis, not signature matching.
When a threat is detected, CloudGate auto-generates YARA rules to catch variants automatically. Your detection improves with every blocked artefact.
Every blocked package is quarantined with the full analysis report, flagged code snippets, and a chain of custody log — ready for your SOC or compliance audit.
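The admission pipeline above (checksum verified against upstream, setup.py analysed for obfuscated eval chains and network calls, a binary admit/deny decision with a recorded reason) and the typosquatting verdict shown earlier, condensed into one added illustration. This is not CloudGate's code: the `POPULAR` allow-list, the regex heuristics, the `admit` function and the sample package are all assumed and constructed for the example, and CVE scanning, signing and the AI engine are left out.

```python
import hashlib
import re
# Assumed allow-list of high-profile names to protect against look-alikes.
POPULAR = ("requests", "numpy", "urllib3")
# Static heuristics for the setup.py behaviours named on the page.
SUSPICIOUS = {
    "eval-chain": re.compile(r"\b(eval|exec)\s*\("),
    "b64-payload": re.compile(r"b64decode\s*\("),
    "subprocess": re.compile(r"\bsubprocess\.|\bos\.system\s*\("),
    "network": re.compile(r"urllib\.request|socket\.socket|http\.client"),
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-keystroke look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(name: str):
    """Popular name this package is within one edit of, else None."""
    return next((p for p in POPULAR if name != p and edit_distance(name, p) <= 1), None)

def scan_setup(source: str) -> list:
    """Labels of suspicious patterns found in a setup.py body."""
    return sorted(label for label, pat in SUSPICIOUS.items() if pat.search(source))

def admit(name: str, archive: bytes, declared_sha256: str, setup_py: str) -> dict:
    """Binary decision plus a reason, as recorded for every artefact."""
    actual = hashlib.sha256(archive).hexdigest()
    if actual != declared_sha256:  # fail closed before any content analysis
        return {"admitted": False, "reason": "checksum mismatch", "findings": []}
    findings = scan_setup(setup_py)
    squat = typosquat_of(name)
    if squat:
        findings.append(f"typosquat-of:{squat}")
    if findings:
        return {"admitted": False, "reason": "suspicious package", "findings": findings}
    return {"admitted": True, "reason": "clean", "findings": [], "sha256": actual}

# Constructed sample: a look-alike of requests whose setup.py decodes and executes
# a payload and imports an HTTP client. BAD_SHA256 stands in for the upstream hash.
BAD_ARCHIVE = b"constructed archive bytes"
BAD_SHA256 = hashlib.sha256(BAD_ARCHIVE).hexdigest()
BAD_SETUP = "import base64, urllib.request\nexec(base64.b64decode(b'cHJpbnQoMSk='))\n"
CLEAN_SETUP = "from setuptools import setup\nsetup(name='goodpkg')\n"
```

Calling `admit("requsts", BAD_ARCHIVE, BAD_SHA256, BAD_SETUP)` denies with four findings, while the clean package under a matching hash is admitted; a wrong declared hash is refused before the script is even inspected.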
Regulated industries that mandate full air-gap still need software. CloudGate is designed from the ground up for one-way transfer — packages are inspected on the internet-facing side, then passed through the diode as verified, signed artefacts. Nothing unscrutinised crosses the boundary.
CloudGate handles the full breadth of artefacts that enter a modern software engineering environment — including the ones that traditional registries ignore entirely.
Proxies and scans PyPI, npm, RubyGems, Maven, Cargo, and Go modules. Eliminates upstream rate limits. AI scans postinstall scripts, setup.py, and package.json hooks for malicious behaviour.
Full OCI-compatible registry that proxies Docker Hub, GHCR, Quay and any other OCI source. CVE scanning on every layer. No more Docker Hub pull limits grinding your CI. Images cached indefinitely with policy-based retention.
Operating system ISOs, firmware updates, and binary distributions are hash-verified against canonical upstream sources. AI scans embedded scripts and installation routines. Full chain of custody for every binary that enters your environment.
Terraform and OpenTofu modules proxied through an internal registry. Modules are inspected for data source exfiltration, external provider calls, and policy violations before being made available to your platform engineers.
Shell scripts, PowerShell, Python files, and CI pipeline definitions are scanned for malicious patterns before being admitted to your internal repositories. Especially critical for onboarding third-party automation.
Beyond inspection, CloudGate provides centralised PKI bootstrapping, IPAM, and authenticated registries for your entire infrastructure. One place to manage what runs in your environment — with full OIDC integration.
CloudGate is purpose-built to integrate with Cloudyard. When deployed alongside the Cloudyard platform, CloudGate automatically becomes the package source for all Coder workspaces, Kubernetes clusters, and CI pipelines. Data scientists get pip freedom — every package they need, already inspected and available from the internal mirror. No tickets. No internet egress from workspaces. Full compliance.
The CloudGate proxy and basic scanning are open source. Subscribe for the AI behavioural engine, compliance reporting, air-gap transfer tooling and SLA support.
CloudGate is in private development. Register your interest and be first to know when early access opens — particularly if you operate air-gapped or regulated infrastructure.