# Artifact Monitor

{% hint style="info" %}
**This feature is currently available for early access**
{% endhint %}

{% hint style="warning" %}
Available for **Enterprise** Tier only
{% endhint %}

StepSecurity Artifact Monitor is a zero-friction solution for continuously monitoring your software artifacts. It detects unauthorized releases in real time and ensures every version originates from your official CI/CD pipelines.

### Dashboard Overview

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FlR3C3jDWxfXsV5ioCRz0%2FScreenshot%202025-05-02%20at%2021.50.26.png?alt=media&#x26;token=d303475e-9b90-47c8-b70a-e7ceb643bd3d" alt=""><figcaption><p>Artifact Monitor Dashboard</p></figcaption></figure>

#### **Top-Level Metrics**

* Total Artifacts: Displays the number of artifacts currently being monitored.
* Non-Compliant: Shows how many artifacts have at least one version not published through an authorized CI/CD pipeline.
* Compliant: Shows how many artifacts are fully compliant, with all versions verified as originating from trusted pipelines.

#### Artifact List Breakdown

The Artifact Monitor dashboard displays each monitored artifact as a row with the following details:

* Artifact Name: A clickable label (e.g., @harden-runner-canary/basic-npm-package) that links to the artifact’s detailed compliance view.
* CI/CD Workflow File: Indicates the CI configuration file (e.g., publish.yml) associated with the release.
* Artifact Type: Currently supported types include npm packages, with support for additional registries coming soon.
* Last Published: Timestamp showing when the most recent version was released.
* Last Monitored: Indicates when Artifact Monitor last scanned the artifact for compliance.
* Compliance Summary:
  * A visual ring chart shows how many versions are compliant (green) versus non-compliant (red).
  * The center number represents the total number of published versions detected.
  * If an artifact has one or more non-compliant versions, a warning icon appears next to its name.

#### **Detailed View (View Details)**

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FKOHCF23OmPDbCotvjAsw%2FScreenshot%202025-05-02%20at%2022.32.26.png?alt=media&#x26;token=6654d1b0-c939-4a59-9bea-d68a4521598b" alt=""><figcaption><p>Artifact Monitor Dashboard showing details of an Artifact</p></figcaption></figure>

Clicking View Details opens a compliance log for all versions of the selected artifact. The version table includes:

* Version: The version string of the artifact.
* Release Date: Timestamp of when the version was published.
* Confidence Level: Risk score based on provenance data and detection algorithms.
* Compliance: Status based on whether the release matched an approved CI/CD pipeline.
* Logs: Direct link to CI logs or workflow runs.

### How It Works

* **Real-Time Tracking:** Instantly detects new software versions as soon as they are published to your artifact registry.
* **CI/CD Verification:** Traces each release back to an authorized CI/CD pipeline.
  * Authorized: Releases published via an approved CI/CD workflow are marked as safe.
  * Unauthorized: If no valid CI/CD job is found, the system sends an alert to your security team.
* **Immediate Alerts:** Notifications are sent instantly, enabling your security team to respond before a potential attack spreads.
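The verification flow above (detect newly published versions, trace each one to the authorized workflow, mark the rest as unauthorized and raise an alert) and the per-artifact roll-up shown in the dashboard metrics can be expressed as a small check. The example below is added here for illustration and is not StepSecurity's code or the real provenance schema: the version records and their `provenance` fields (`repository`, `workflow_path`, `run_url`) are constructed sample data, and the authorized pipeline is the one configured when the artifact is added (repository plus the publishing workflow file, e.g. `publish.yml`).

```python
from dataclasses import dataclass
from typing import Optional

# The pipeline that is allowed to publish this artifact: the GitHub repository and
# the workflow file path entered when the artifact was added (constructed values).
AUTHORIZED_PIPELINE = {
    "repository": "https://github.com/example-org/basic-npm-package",
    "workflow_path": ".github/workflows/publish.yml",
}

# Constructed sample: published versions of one npm package. The "provenance"
# dict is a simplified stand-in for a build-provenance attestation; its field
# names are assumptions for this example, not the real attestation format.
SAMPLE_VERSIONS = [
    {   # published by the approved workflow: compliant
        "version": "1.0.0",
        "published": "2025-04-01T10:00:00Z",
        "provenance": {
            "repository": "https://github.com/example-org/basic-npm-package",
            "workflow_path": ".github/workflows/publish.yml",
            "run_url": "https://github.com/example-org/basic-npm-package/actions/runs/1001",
        },
    },
    {   # no provenance at all: no CI/CD job can be found for this release
        "version": "1.0.1",
        "published": "2025-04-15T08:30:00Z",
        "provenance": None,
    },
    {   # provenance exists, but names a workflow that is not the release pipeline
        "version": "1.1.0",
        "published": "2025-05-01T12:00:00Z",
        "provenance": {
            "repository": "https://github.com/example-org/basic-npm-package",
            "workflow_path": ".github/workflows/ci.yml",
            "run_url": "https://github.com/example-org/basic-npm-package/actions/runs/1042",
        },
    },
]


@dataclass
class VersionStatus:
    version: str
    compliant: bool
    reason: str
    logs_url: Optional[str]  # link to the workflow run, when one exists


def detect_new_versions(previously_seen, current_versions):
    """Real-time tracking step: versions present in the registry now but not on the last scan."""
    seen = set(previously_seen)
    return [v for v in current_versions if v["version"] not in seen]


def verify_version(version_record, authorized):
    """CI/CD verification step: a version is compliant only if its provenance
    points at the authorized repository AND the authorized workflow file."""
    prov = version_record.get("provenance")
    ver = version_record["version"]
    if prov is None:
        return VersionStatus(ver, False, "no provenance attestation", None)
    if prov["repository"] != authorized["repository"]:
        return VersionStatus(ver, False, "published from an unexpected repository", prov.get("run_url"))
    if prov["workflow_path"] != authorized["workflow_path"]:
        return VersionStatus(ver, False, "published by an unapproved workflow", prov.get("run_url"))
    return VersionStatus(ver, True, "provenance matches the authorized workflow", prov.get("run_url"))


def summarize_artifact(name, versions, authorized):
    """One dashboard row: per-version statuses plus the compliant/non-compliant counts."""
    statuses = [verify_version(v, authorized) for v in versions]
    compliant = sum(1 for s in statuses if s.compliant)
    return {
        "artifact": name,
        "total": len(statuses),
        "compliant": compliant,
        "non_compliant": len(statuses) - compliant,
        # the artifact as a whole is compliant only when every version is
        "artifact_compliant": compliant == len(statuses),
        "last_published": max(v["published"] for v in versions),
        "versions": statuses,
    }


def pending_alerts(summary):
    """Immediate-alert step: every non-compliant version is something to notify on."""
    return [s for s in summary["versions"] if not s.compliant]


def dashboard_metrics(summaries):
    """Top-level metrics across all monitored artifacts."""
    non_compliant = sum(1 for s in summaries if not s["artifact_compliant"])
    return {
        "total_artifacts": len(summaries),
        "non_compliant": non_compliant,
        "compliant": len(summaries) - non_compliant,
    }


if __name__ == "__main__":
    summary = summarize_artifact("@example-org/basic-npm-package", SAMPLE_VERSIONS, AUTHORIZED_PIPELINE)
    for status in summary["versions"]:
        print(status.version, "compliant" if status.compliant else "NON-COMPLIANT", status.reason)
    print(dashboard_metrics([summary]))
```

The ordering of the checks matters for the reason reported: a release with no attestation at all is distinct from one whose attestation names the wrong repository or workflow, and the repository check runs before the workflow check because an approved workflow file name in a different repository proves nothing. A single non-compliant version makes the whole artifact non-compliant, which is what the dashboard's warning icon and Non-Compliant count reflect.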

### Key Features & Benefits

* **Continuous Monitoring:** Constantly watches artifact registries like npm, with support for ECR, DockerHub, and more coming soon.
* **Automated CI/CD Verification:** Ensures every artifact version is tied to a trusted release process.
* **Instant Security Alerts:** Detects unauthorized or rogue releases in real time—critical for preventing supply chain attacks.
* **Zero False Positives:** Leverages provenance data when available and uses proprietary detection technology when it’s not.
* **No Developer Overhead:** Integrates with existing pipelines out of the box. No code changes or developer involvement required.

### Creating a New Artifact

#### **Step 1:** Navigate to "Artifact Monitor" on your dashboard

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FnZKgPPp5PAytmfb6RekB%2FScreenshot%202025-09-18%20at%2001.42.07.png?alt=media&#x26;token=5af563ff-4df3-4dca-b489-581e9caad030" alt=""><figcaption></figcaption></figure>

#### **Step 2:** Click "Add Artifact"

![StepSecurity's Artifact Monitor](https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-05-02/41376e4e-d17a-48ce-8f41-b4238f34cfd5/ascreenshot.jpeg?tl_px=1495,0\&br_px=3024,854\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=931,106)

#### **Step 3:** Fill in the details of the Artifact:

* Enter the Artifact name
* Specify the Artifact type
* Specify the path to the GitHub Actions workflow file that handles publishing of the artifact

![Adding a new Artifact](https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-05-02/255b1890-76b3-4f6f-af9f-cee3c0398e58/ascreenshot.jpeg?tl_px=272,0\&br_px=3024,1538\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=615,238)

#### **Step 4:** Click "Add Artifact"

* Artifact Monitor will begin scanning the artifact, detecting its published versions and checking each one for a valid CI/CD provenance.

![Adding a new Artifact](https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-05-02/4d48456c-0028-4aa1-9eb2-dfc86b6d08c0/ascreenshot.jpeg?tl_px=272,175\&br_px=3024,1714\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=677,355)

