Artifact Monitor


Last updated 7 days ago


This feature is currently available for early access

Available for Enterprise Tier only

StepSecurity Artifact Monitor is a zero-friction solution for continuously monitoring your software artifacts. It detects unauthorized releases in real time and ensures every version originates from your official CI/CD pipelines.

Dashboard Overview

Top-Level Metrics

  • Total Artifacts: Displays the number of artifacts currently being monitored.

  • Non-Compliant: Shows how many artifacts have at least one version not published through an authorized CI/CD pipeline.

  • Compliant: Shows how many artifacts are fully compliant, with all versions verified as originating from trusted pipelines.

Artifact List Breakdown

The Artifact Monitor dashboard displays each monitored artifact as a row with the following details:

  • Artifact Name: A clickable label (e.g., @harden-runner-canary/basic-npm-package) that links to the artifact’s detailed compliance view.

  • CI/CD Workflow File: Indicates the CI configuration file (e.g., publish.yml) associated with the release.

  • Artifact Type: Currently supported types include npm packages, with support for additional registries coming soon.

  • Last Published: Timestamp showing when the most recent version was released.

  • Last Monitored: Indicates when Artifact Monitor last scanned the artifact for compliance.

  • Compliance Summary:

    • A visual ring chart shows how many versions are compliant (green) versus non-compliant (red).

    • The center number represents the total number of published versions detected.

  • If an artifact has one or more non-compliant versions, a warning icon appears next to its name.

Detailed View (View Details)

Clicking View details opens a compliance log for all versions of the selected artifact. The version table includes:

  • Version: The version string of the artifact.

  • Release Date: Timestamp of when the version was published.

  • Confidence Level: Risk score based on provenance data and detection algorithms.

  • Compliance: Status based on whether the release matched an approved CI/CD pipeline.

  • Logs: Direct link to CI logs or workflow runs.

How It Works

  • Real-Time Tracking: Instantly detects new software versions as soon as they are published to your artifact registry.

  • CI/CD Verification: Traces each release back to an authorized CI/CD pipeline.

    • Authorized: Releases published via an approved CI/CD workflow are marked as safe.

    • Unauthorized: If no valid CI/CD job is found, the system sends an alert to your security team.

  • Immediate Alerts: Notifications are sent instantly, enabling your security team to respond before a potential attack spreads.
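As an added illustration of the CI/CD verification step (example code, not StepSecurity's implementation), the check below models how a published npm version is traced back to an authorized workflow and rolled up into the compliant / non-compliant counts the dashboard shows. It assumes SLSA v1 provenance statements shaped like the ones npm attaches to packages built on GitHub Actions, assumes the attestation signature was already verified, and uses a constructed repository URL and sample versions.

```python
"""Added example: per-version compliance check against one authorized workflow.
Statement layout assumed: SLSA v1 GitHub Actions provenance; samples are constructed."""
from dataclasses import dataclass

SLSA_V1 = "https://slsa.dev/provenance/v1"

@dataclass
class VersionStatus:
    version: str
    compliant: bool
    reason: str

def check_version(version, statement, repo_url, workflow_path):
    """Trace one published version back to the workflow that built it."""
    if statement is None:
        return VersionStatus(version, False, "no provenance attestation")
    if statement.get("predicateType") != SLSA_V1:
        return VersionStatus(version, False, "unsupported predicate type")
    wf = (statement.get("predicate", {}).get("buildDefinition", {})
          .get("externalParameters", {}).get("workflow", {}))
    if wf.get("repository") != repo_url:
        return VersionStatus(version, False, f"built from {wf.get('repository')}")
    if wf.get("path") != workflow_path:
        return VersionStatus(version, False, f"built by {wf.get('path')}")
    return VersionStatus(version, True, "authorized workflow")

def compliance_summary(versions, repo_url, workflow_path):
    """Roll per-version results up into the counts shown on the ring chart."""
    results = [check_version(v, s, repo_url, workflow_path) for v, s in versions.items()]
    compliant = sum(r.compliant for r in results)
    return {"total": len(results), "compliant": compliant,
            "non_compliant": len(results) - compliant, "versions": results}

def provenance(repo, path):
    """Minimal SLSA v1 statement (constructed sample, not a real attestation)."""
    return {"predicateType": SLSA_V1, "predicate": {"buildDefinition": {
        "externalParameters": {"workflow": {"repository": repo, "path": path}}}}}

REPO = "https://github.com/example-org/basic-npm-package"  # placeholder repo URL
WORKFLOW = ".github/workflows/publish.yml"   # the authorized publishing workflow
SAMPLE_VERSIONS = {  # constructed: one authorized, one wrong workflow, one unattested
    "1.0.0": provenance(REPO, WORKFLOW),
    "1.0.1": provenance(REPO, ".github/workflows/ci.yml"),
    "1.0.2": None,
}
```

Any version that lands in the non-compliant bucket is the case the page describes as unauthorized and would be the trigger for an alert.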

Key Features & Benefits

  • Continuous Monitoring: Constantly watches artifact registries like npm, with support for ECR, DockerHub, and more coming soon.

  • Automated CI/CD Verification: Ensures every artifact version is tied to a trusted release process.

  • Instant Security Alerts: Detects unauthorized or rogue releases in real time, which is critical for preventing supply chain attacks.

  • Zero False Positives: Leverages provenance data when available and uses proprietary detection technology when it’s not.

  • No Developer Overhead: Integrates with existing pipelines out of the box. No code changes or developer involvement required.

Creating a New Artifact

Step 1: Navigate to "Artifact Monitor" on your dashboard

Step 2: Click "Add Artifact"

Step 3: Fill in the details of the Artifact:

  • Enter the artifact name

  • Specify the artifact type

  • Specify the path to the GitHub Actions workflow file that handles publishing of the artifact

Step 4: Click "Add Artifact"

  • Artifact Monitor will begin scanning the artifact, detecting its published versions and checking each one for valid CI/CD provenance.


[Screenshots on the original page: Adding a new Artifact; Artifact Monitor Dashboard; Artifact Monitor Dashboard showing details of an Artifact]