Artifact Monitor
Available for Enterprise Tier only
StepSecurity Artifact Monitor is a zero-friction solution for continuously monitoring your software artifacts. It detects unauthorized releases in real time and ensures every version originates from your official CI/CD pipelines.
Dashboard Overview

Top-Level Metrics
Total Artifacts: Displays the number of artifacts currently being monitored.
Non-Compliant: Shows how many artifacts have at least one version not published through an authorized CI/CD pipeline.
Compliant: Shows how many artifacts are fully compliant, with all versions verified as originating from trusted pipelines.
Artifact List Breakdown
The Artifact Monitor dashboard displays each monitored artifact as a row with the following details:
Artifact Name: A clickable label (e.g., @harden-runner-canary/basic-npm-package) that links to the artifact’s detailed compliance view.
CI/CD Workflow File: Indicates the CI configuration file (e.g., publish.yml) associated with the release.
Artifact Type: Currently supported types include npm packages, with support for additional registries coming soon.
Last Published: Timestamp showing when the most recent version was released.
Last Monitored: Indicates when Artifact Monitor last scanned the artifact for compliance.
Compliance Summary:
A visual ring chart shows how many versions are compliant (green) versus non-compliant (red).
The center number represents the total number of published versions detected.
If an artifact has one or more non-compliant versions, a warning icon appears next to its name.
Detailed View (View Details)

Clicking View details opens a compliance log for all versions of the selected artifact. The version table includes:
Version: The version string of the artifact.
Release Date: Timestamp of when the version was published.
Confidence Level: Risk score based on provenance data and detection algorithms.
Compliance: Status based on whether the release matched an approved CI/CD pipeline.
Logs: Direct link to CI logs or workflow runs.
How It Works
Real-Time Tracking: Instantly detects new software versions as soon as they are published to your artifact registry.
CI/CD Verification: Traces each release back to an authorized CI/CD pipeline.
Authorized: Releases published via an approved CI/CD workflow are marked as safe.
Unauthorized: If no valid CI/CD job is found, the system sends an alert to your security team.
Immediate Alerts: Notifications are sent instantly, enabling your security team to respond before a potential attack spreads.
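The CI/CD verification step above, as an added illustration that is not StepSecurity's own code: it classifies each published version of one artifact by comparing the repository and workflow path recorded in its SLSA provenance statement against the workflow file configured for the artifact, then builds the compliant/non-compliant counts the dashboard summary shows. The registry lookup, attestation signature verification and the product's own detection for versions without provenance are out of scope; the field names follow the SLSA v1 GitHub Actions build type and the sample data is constructed.

```python
# Authorized publishing pipeline for this artifact, as configured in the
# "Add Artifact" step (constructed values, not real StepSecurity data).
AUTHORIZED_REPO = "https://github.com/example-org/basic-npm-package"
AUTHORIZED_WORKFLOW_PATH = ".github/workflows/publish.yml"

# Constructed sample: one decoded SLSA v1 provenance statement per version
# (assumption: the attestation bundle's signature was already verified).
# Only the fields the check below reads are included.
SAMPLE_VERSIONS = {
    "1.0.0": {"predicate": {"buildDefinition": {"externalParameters": {"workflow": {
        "repository": "https://github.com/example-org/basic-npm-package",
        "path": ".github/workflows/publish.yml", "ref": "refs/tags/v1.0.0"}}}}},
    "1.0.1": {"predicate": {"buildDefinition": {"externalParameters": {"workflow": {
        "repository": "https://github.com/example-org/basic-npm-package",
        "path": ".github/workflows/ci.yml", "ref": "refs/heads/main"}}}}},
    "1.0.2": None,  # published outside CI with a registry token: no provenance
}


def classify_version(statement):
    """Return (status, reason) for one version's provenance statement."""
    if statement is None:
        return ("non-compliant", "no provenance attestation")
    try:
        wf = statement["predicate"]["buildDefinition"]["externalParameters"]["workflow"]
        repo, path = wf["repository"], wf["path"]
    except (KeyError, TypeError):
        return ("non-compliant", "malformed provenance")
    if repo != AUTHORIZED_REPO:
        return ("non-compliant", f"built from unexpected repository {repo}")
    if path != AUTHORIZED_WORKFLOW_PATH:
        return ("non-compliant", f"built by unauthorized workflow {path}")
    return ("compliant", "provenance matches authorized pipeline")


def summarize(versions):
    """Per-artifact compliance summary, as shown on the dashboard ring chart."""
    results = {v: classify_version(s) for v, s in versions.items()}
    compliant = sum(1 for status, _ in results.values() if status == "compliant")
    return {"total": len(results), "compliant": compliant,
            "non_compliant": len(results) - compliant, "versions": results}


if __name__ == "__main__":
    for version, (status, reason) in summarize(SAMPLE_VERSIONS)["versions"].items():
        print(f"{version}: {status} ({reason})")
```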
Key Features & Benefits
Continuous Monitoring: Constantly watches artifact registries like npm, with support for ECR, DockerHub, and more coming soon.
Automated CI/CD Verification: Ensures every artifact version is tied to a trusted release process.
Instant Security Alerts: Detects unauthorized or rogue releases in real time—critical for preventing supply chain attacks.
Zero False Positives: Leverages provenance data when available and uses proprietary detection technology when it’s not.
No Developer Overhead: Integrates with existing pipelines out of the box. No code changes or developer involvement required.
Creating a New Artifact
Step 1: Navigate to "Artifact Monitor" on your dashboard

Step 2: Click "Add Artifact"

Step 3: Fill in the details of the Artifact:
The Artifact name
Specify the Artifact type
Specify the path to your GitHub Actions workflow file that handles artifact publishing

Step 4: Click "Add Artifact"
Artifact Monitor will begin scanning the artifact, detecting its published versions and checking each one for a valid CI/CD provenance.
