
Software Engineer; Provenance

Job in Barry, Vale of Glamorgan, CF62, Wales, UK
Listing for: Cloudsmith
Full Time position
Listed on 2026-05-30
Job specializations:
  • IT/Tech
    Data Engineer, Cloud Computing, Systems Engineer, Data Security
Job Description & How to Apply Below
Position: Staff Software Engineer (Provenance)

TL;DR:
We are looking for an engineer to help build a new generation of provenance and build information into the Cloudsmith platform. If you are motivated by solving problems of performance at a massive scale and passionate about your craft, you will find an environment in which you can thrive at Cloudsmith.

The Role

As a Staff Software Engineer on the Supply Chain Trust team, you will play a key role in building platform capability that gives enterprise customers complete, end-to-end traceability from source code to built artifact. Not just where an artifact came from, but how it was built, what went into it, and exactly how it was used across every pipeline and deployment downstream.

Cloudsmith already sits in the middle of how organisations store and distribute software artifacts. This role turns that position into something more powerful: a source of truth. You will build the infrastructure that captures, stores, and surfaces build provenance and pipeline usage data — so that when a customer asks which of their services consumed a given artifact, and what build produced it, the answer is in Cloudsmith, complete and trustworthy.

Our Team

We are four teams responsible for building application capabilities and the underlying platform upon which Cloudsmith is founded. We operate in a highly collaborative environment, where people with different skills come together to make things happen. We each contribute to an environment where curiosity, support, transparency, and bias for action reign. We have a modern CI/CD approach, deploying multiple times per day, and we support a global set of customers who are engineers like us.

Key Responsibilities
  • Build: Design, implement, and ship the provenance ingestion service — capable of accepting provenance and attestation payloads from CI/CD systems, public registries, signed bundles, and customer-uploaded artifacts across a wide range of formats (SLSA, in-toto, SBOM attestations, Sigstore bundles, etc.).

  • Store: Own the storage architecture for signed provenance metadata.

  • Validate: Build the validation engine that verifies cryptographic integrity and evaluates attestation data against configurable customer trust policies — SLSA level requirements, allowed builder identities, key material, and more.

  • Expose: Deliver clean, well-documented APIs that make provenance data useful to customers and to other parts of the platform — queryable, auditable, and reliable.

  • Collaborate: Work closely with product, customer success, and the wider engineering team to understand how enterprise security teams consume provenance data and translate that into features they love.

  • Quality: Prioritise correctness, security, and observability — this is critical infrastructure customers trust with their software supply chain decisions.

  • Mentor: Share your expertise across the team through code reviews, documentation, and open conversation — a rising tide lifts all boats.

Required Experience, Qualities & Skills

We realise that not everyone will have every experience and expertise in every possible thing. Still, if you have many of the following, we might be a great place to progress your career.

Domain Knowledge
  • Provenance & Attestation: You know the landscape: SLSA, in-toto, Sigstore, DSSE, and how attestations are packaged and signed. You do not need to have built signing pipelines, but you must understand their output.

  • Cryptographic Foundations: Comfortable with signing and verification: key material, ECDSA/RSA, certificate chains, OIDC-based keyless signing flows, and transparency logs.

  • SBOM Formats: Familiarity with CycloneDX and SPDX, and how they are packaged as attestation artifacts.

Backend & Platform Engineering
  • Experience: 5+ years of production backend engineering, with real ownership of at least one complex service end-to-end.

  • Technical Proficiency: Strong experience with Python for building backend services and data pipelines. Familiarity with AWS services (e.g. S3, RDS/Postgres, Kinesis, ECS, Lambda) and infrastructure tooling (Terraform).

  • Data Ingestion: Experience designing pipelines that handle varied, schema-evolving, high-volume payloads reliably and at scale — including robust error…
