
Enterprise-Grade Security, Built Into the Core

Protect your codebase from artifact poisoning with infrastructure-first security.

Why CI Security Matters

CI pipelines are often an overlooked threat – and your cache is a critical entry point.

Modern build pipelines involve many contributors and moving parts. As your team evolves, it's essential to lock down access and prevent vulnerabilities like cache poisoning or unauthorized reuse of build data.

  • Build artifacts can be compromised and deployed – if left unprotected
  • Revoked access must take effect immediately
  • Self-hosted caching can't guarantee artifact integrity

Without strict branch isolation, access control, and rebuild policies, poisoned artifacts can silently reach production. For teams in highly regulated industries where undetected modifications are unacceptable, the risk is too high.

Rolling Your Own Cache Fails in Regulated Sectors

Unmanaged caching may be convenient now—but it’s a liability down the road.

If you operate in a regulated sector—finance, healthcare, government, defense, aerospace, or pharmaceuticals—self-hosting your remote cache may expose you to serious risks like cache poisoning.

These community-built cache solutions all too often miss essential safeguards—no integrity validation, no fine-grained access controls, and no real-time token revocation:

  • nx-remotecache-azure
  • turborepo-remote-cache
  • nx-cache-server
  • turborepo-remote-cache-cloudflare
  • and others like them

Our official Nx self-hosted plugin adds enhanced security but follows a similar architecture to the packages above. It is unable to make guarantees about how cache artifacts are secured or accessed and cannot meet the security demands of regulated industries.

Failing to secure your cache can lead to steep breach fines, SLA breaches, damaged reputation, and costly audit delays.

  • SOC 2: Self-hosted caches lack independent audits, continuous monitoring, and incident response documentation required for SOC 2 compliance.
  • HIPAA: No administrative, physical, or technical safeguards to meet HIPAA mandates for protecting ePHI.
  • ISO 27001: Cannot prove a certified ISMS, risk-management processes, or internal/external audit cycles.
  • FedRAMP: Not authorized for federal use; missing mandatory controls for data classification, monitoring, and secure U.S. hosting.
  • PCI-DSS: No encryption, segmentation, or logging controls to safeguard cardholder data.

Cache Poisoning Protection, By Design

Protect your main branch – and your customers – from compromised builds.

Most teams lock down code merges, but leave their cache wide open. With other tools, attackers can overwrite artifacts on the main branch without secrets, without cache access, and without leaving a trace.

In other systems, cache poisoning can silently alter frontend forms, backend APIs, or database access — and go undetected. With Nx Cloud, only trusted builds produce trusted artifacts.

Nx Cloud makes this kind of attack categorically impossible by implementing:

  • Writes only from trusted CI – By default, the cache artifacts are reused within each pull request. Only artifacts from verified CI pipelines can enter the shared cache used by everyone. PR environments can’t poison main.
  • Artifact traceability – Artifacts are tied to the identity and permissions of the user or process that created them.
  • Automatic invalidation – Revoke a token and every artifact it produced becomes unusable.
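
A minimal model of the three controls listed above, added here as an illustration; it is not Nx Cloud's implementation or API. The `BuildCache` class, its method names, the token ids and the task hash are all hypothetical and constructed.

```javascript
// Hypothetical in-memory model; not Nx Cloud's code or API.
class BuildCache {
  constructor() {
    this.tokens = new Map();    // tokenId -> { trusted, revoked }
    this.artifacts = new Map(); // "scope:hash" -> { data, tokenId } (traceability)
  }
  issueToken(id, trusted) { this.tokens.set(id, { trusted, revoked: false }); }
  revokeToken(id) { this.live(id).revoked = true; }
  live(id) {
    const t = this.tokens.get(id);
    if (!t || t.revoked) throw new Error('token rejected');
    return t;
  }
  // Writes from trusted CI land in the shared scope. Any other token is
  // confined to its pull request's scope, whatever the caller asks for.
  put(id, { hash, data, pr }) {
    const t = this.live(id);
    if (!t.trusted && pr === undefined) throw new Error('PR id required');
    const scope = t.trusted ? 'shared' : `pr-${pr}`;
    this.artifacts.set(`${scope}:${hash}`, { data, tokenId: id });
    return scope;
  }
  // Reads try the caller's PR scope, then the shared scope. An artifact
  // whose producing token was revoked counts as a miss, forcing a rebuild.
  get(id, { hash, pr }) {
    this.live(id);
    const scopes = pr === undefined ? ['shared'] : [`pr-${pr}`, 'shared'];
    for (const scope of scopes) {
      const a = this.artifacts.get(`${scope}:${hash}`);
      if (a && !this.tokens.get(a.tokenId).revoked) return a.data;
    }
    return null;
  }
}

function demo() {
  const cache = new BuildCache();
  cache.issueToken('ci-main', true);   // constructed token ids
  cache.issueToken('pr-17', false);
  const hash = 'constructed-task-hash';
  cache.put('ci-main', { hash, data: 'main build' });
  const prScope = cache.put('pr-17', { hash, data: 'pr build', pr: 17 });
  const shared = cache.get('pr-17', { hash });
  const inPr = cache.get('pr-17', { hash, pr: 17 });
  cache.revokeToken('ci-main');
  const afterRevoke = cache.get('pr-17', { hash });
  return { prScope, shared, inPr, afterRevoke };
}
```

In `demo()`, the PR write for the same task hash never replaces the shared entry, and revoking the CI token turns its artifact into a cache miss.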

Personal Access: Control Access in Real Time

Provision, audit, and revoke with confidence.

Easily manage developer access to your Nx Cloud workspace — no waiting, no lingering access for former teammates or contractors.

Nx Cloud ensures:

  • Access is tied to individual user authentication
  • Access is tied to your identity provider — when SSO or GitHub access is revoked, cache access is too.
  • Token revocation cuts off access in real time and invalidates any artifacts the token produced.

CI Access: Token Rotation & Revocation

Secure today, safer tomorrow: automatic token rotation.

Compromised token? Those artifacts won’t touch production. All artifacts created with a revoked token are automatically invalidated — so leaked credentials can’t poison your builds.

Nx Cloud allows you to:

  • Rotate tokens as needed
  • Minimize long-term exposure with read-write token rotations

Built for the Enterprise, Trusted by Leading Teams

Thousands of developers rely on Nx Cloud to move fast — and stay secure.

“Nx is the tool that helps gain speed and trust on the overall system and empowers engineers and product builders to ship faster → to go to market faster.”

Nicolas Beaussart
Staff Platform Engineer, Payfit

Security that scales with your team