Artifact Monitor

StepSecurity Artifact Monitor is a zero-friction solution for continuously monitoring your software artifacts. It detects unauthorized releases in real time and ensures every version originates from your official CI/CD pipelines.

Dashboard Overview

Top-Level Metrics

• Total Artifacts: Displays the number of artifacts currently being monitored.

• Non-Compliant: Shows how many artifacts have at least one version not published through an authorized CI/CD pipeline.

• Compliant: Shows how many artifacts are fully compliant, with all versions verified as originating from trusted pipelines.

Artifact List Breakdown

The Artifact Monitor dashboard displays each monitored artifact as a row with the following details:

• Artifact Name: A clickable label (e.g., @harden-runner-canary/basic-npm-package) that links to the artifact’s detailed compliance view.

• CI/CD Workflow File: Indicates the CI configuration file (e.g., publish.yml) associated with the release.

• Artifact Type: Currently supported types include npm packages, with support for additional registries coming soon.

• Last Published: Timestamp showing when the most recent version was released.

• Last Monitored: Indicates when Artifact Monitor last scanned the artifact for compliance.

• Compliance Summary:

  • A visual ring chart shows how many versions are compliant (green) versus non-compliant (red).

  • The center number represents the total number of published versions detected.

  • If an artifact has one or more non-compliant versions, a warning icon appears next to its name

Detailed View (View Details)

Clicking View details opens a compliance log for all versions of the selected artifact. The version table includes:

• Version: The version string of the artifact.

• Release Date: Timestamp of when the version was published.

• Confidence Level: Risk score based on provenance data and detection algorithms.

• Compliance: Status based on whether the release matched an approved CI/CD pipeline.

• Logs: Direct link to CI logs or workflow runs.

How It Works

• Real-Time Tracking: Instantly detects new software versions as soon as they are published to your artifact registry.

• CI/CD Verification: Traces each release back to an authorized CI/CD pipeline.

  • Authorized: Releases published via an approved CI/CD workflow are marked as safe.

  • Unauthorized: If no valid CI/CD job is found, the system sends an alert to your security team.

• Immediate Alerts: Notifications are sent instantly, enabling your security team to respond before a potential attack spreads.

Key Features & Benefits

• Continuous Monitoring: Constantly watches artifact registries like npm, with support for ECR, DockerHub, and more coming soon.

• Automated CI/CD Verification: Ensures every artifact version is tied to a trusted release process.

• Instant Security Alerts: Detects unauthorized or rogue releases in real time—critical for preventing supply chain attacks.

• Zero False Positives: Leverages provenance data when available and uses proprietary detection technology when it’s not.

• No Developer Overhead: Integrates with existing pipelines out of the box. No code changes or developer involvement required.

Creating a New Artifact

Step 1: Navigate to "Artifact Monitor" on your dashboard

Step 2: Click "Add Artifact"

Step 3: Fill in the details of the Artifact:

• The Artifact name

• Specify the Artifact type

• Specify the path to your GitHub Actions workflow file that handles artifact publishing

Step 4: Click "Add Artifact"

• Artifact Monitor will begin scanning the artifact, detecting its published versions and checking each one for a valid CI/CD provenance.