Artifact Monitor

Last updated 17 days ago

This feature is currently available for early access

Available for Enterprise Tier only

StepSecurity Artifact Monitor is a zero-friction solution for continuously monitoring your software artifacts. It detects unauthorized releases in real time and ensures every version originates from your official CI/CD pipelines.

Dashboard Overview

Top-Level Metrics

  • Total Artifacts: Displays the number of artifacts currently being monitored.

  • Non-Compliant: Shows how many artifacts have at least one version not published through an authorized CI/CD pipeline.

  • Compliant: Shows how many artifacts are fully compliant, with all versions verified as originating from trusted pipelines.

Artifact List Breakdown

The Artifact Monitor dashboard displays each monitored artifact as a row with the following details:

  • Artifact Name: A clickable label (e.g., @harden-runner-canary/basic-npm-package) that links to the artifact’s detailed compliance view.

  • CI/CD Workflow File: Indicates the CI configuration file (e.g., publish.yml) associated with the release.

  • Artifact Type: Currently supported types include npm packages, with support for additional registries coming soon.

  • Last Published: Timestamp showing when the most recent version was released.

  • Last Monitored: Indicates when Artifact Monitor last scanned the artifact for compliance.

  • Compliance Summary:

    • A visual ring chart shows how many versions are compliant (green) versus non-compliant (red).

    • The center number represents the total number of published versions detected.

  • If an artifact has one or more non-compliant versions, a warning icon appears next to its name.

Detailed View (View Details)

Clicking View details opens a compliance log for all versions of the selected artifact. The version table includes:

  • Version: The version string of the artifact.

  • Release Date: Timestamp of when the version was published.

  • Confidence Level: Risk score based on provenance data and detection algorithms.

  • Compliance: Status based on whether the release matched an approved CI/CD pipeline.

  • Logs: Direct link to CI logs or workflow runs.

How It Works

  • Real-Time Tracking: Instantly detects new software versions as soon as they are published to your artifact registry.

  • CI/CD Verification: Traces each release back to an authorized CI/CD pipeline.

    • Authorized: Releases published via an approved CI/CD workflow are marked as safe.

    • Unauthorized: If no valid CI/CD job is found, the system sends an alert to your security team.

  • Immediate Alerts: Notifications are sent instantly, enabling your security team to respond before a potential attack spreads.
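An added example, not StepSecurity's code, of the verification step described above: each published version's provenance record is matched against the repository and workflow file registered for the artifact, and the per-artifact counts behind the dashboard are derived from the result. The SLSA v1 field layout, the repository URL and the four sample versions are assumptions constructed for the illustration.

```python
"""Added example (not StepSecurity code): the CI/CD verification step Artifact
Monitor describes, applied to constructed provenance data. A version is compliant
only if its provenance names the registered repository AND workflow file; signature
verification of the attestation (npm: `npm audit signatures`) is assumed done."""

SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed: the artifact as registered in the monitor (repository URL assumed).
ARTIFACT = {
    "name": "@harden-runner-canary/basic-npm-package",
    "repository": "https://github.com/example-org/basic-npm-package",
    "workflow": ".github/workflows/publish.yml",
}

def _provenance(repository, path):
    """Constructed SLSA v1 statement; the buildDefinition.externalParameters.workflow
    layout mirrors what npm records for GitHub Actions builds (assumed here)."""
    return {"predicateType": SLSA_V1, "predicate": {"buildDefinition": {
        "externalParameters": {"workflow": {"repository": repository, "path": path}}}}}

# Constructed: four published versions, only the first from the authorized pipeline.
VERSIONS = [
    {"version": "1.0.0", "provenance": _provenance(ARTIFACT["repository"], ARTIFACT["workflow"])},
    {"version": "1.0.1", "provenance": _provenance(ARTIFACT["repository"], ".github/workflows/ci.yml")},
    {"version": "1.0.2", "provenance": _provenance("https://github.com/someone-else/fork", ARTIFACT["workflow"])},
    {"version": "1.0.3", "provenance": None},  # published outside CI, e.g. with a long-lived token
]

def classify(artifact, entry):
    """Return (compliance, reason) for one published version."""
    prov = entry.get("provenance")
    if prov is None:
        return "non-compliant", "no CI/CD job found: version carries no provenance"
    if prov.get("predicateType") != SLSA_V1:
        return "non-compliant", "unrecognised provenance format"
    wf = prov["predicate"]["buildDefinition"]["externalParameters"].get("workflow", {})
    if wf.get("repository") != artifact["repository"]:
        return "non-compliant", f"built in {wf.get('repository')}, not the registered repository"
    if wf.get("path") != artifact["workflow"]:
        return "non-compliant", f"built by {wf.get('path')}, not {artifact['workflow']}"
    return "compliant", "provenance matches the authorized workflow"

def compliance_summary(artifact, versions):
    """The per-artifact counts behind the dashboard ring chart, plus the version log."""
    rows = [{"version": v["version"], "compliance": c, "reason": r}
            for v in versions for c, r in [classify(artifact, v)]]
    compliant = sum(1 for r in rows if r["compliance"] == "compliant")
    return {"total": len(rows), "compliant": compliant,
            "non_compliant": len(rows) - compliant, "versions": rows}
```

Matching the workflow path alone proves nothing unless the attestation's signature has been verified first, since a fork can carry an identically named workflow file; the repository check and the signature check together are what tie a version to the trusted pipeline.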

Key Features & Benefits

  • Continuous Monitoring: Constantly watches artifact registries like npm, with support for ECR, DockerHub, and more coming soon.

  • Automated CI/CD Verification: Ensures every artifact version is tied to a trusted release process.

  • Instant Security Alerts: Detects unauthorized or rogue releases in real time—critical for preventing supply chain attacks.

  • Zero False Positives: Leverages provenance data when available and uses proprietary detection technology when it’s not.

  • No Developer Overhead: Integrates with existing pipelines out of the box. No code changes or developer involvement required.

Creating a New Artifact

Step 1: Navigate to "Artifact Monitor" on your dashboard

Step 2: Click "Add Artifact"

Step 3: Fill in the details of the Artifact:

  • The Artifact name

  • Specify the Artifact type

  • Specify the path to your GitHub Actions workflow file that handles artifact publishing

Step 4: Click "Add Artifact"

  • Artifact Monitor will begin scanning the artifact, detecting its published versions and checking each one for a valid CI/CD provenance.


[Figures: StepSecurity's Artifact Monitor; Adding a new Artifact; Artifact Monitor Dashboard; Artifact Monitor Dashboard showing details of an Artifact]