# Artifact Monitor

{% hint style="info" %}
**This feature is currently in early access**
{% endhint %}

{% hint style="warning" %}
Available for **Enterprise** Tier only
{% endhint %}

StepSecurity Artifact Monitor is a zero-friction solution for continuously monitoring your software artifacts. It detects unauthorized releases in real time and ensures every version originates from your official CI/CD pipelines.

### Dashboard Overview

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FlR3C3jDWxfXsV5ioCRz0%2FScreenshot%202025-05-02%20at%2021.50.26.png?alt=media&#x26;token=d303475e-9b90-47c8-b70a-e7ceb643bd3d" alt=""><figcaption><p>Artifact Monitor Dashboard</p></figcaption></figure>

#### **Top-Level Metrics**

* Total Artifacts: Displays the number of artifacts currently being monitored.
* Non-Compliant: Shows how many artifacts have at least one version not published through an authorized CI/CD pipeline.
* Compliant: Shows how many artifacts are fully compliant, with all versions verified as originating from trusted pipelines.

#### Artifact List Breakdown

The Artifact Monitor dashboard displays each monitored artifact as a row with the following details:

* Artifact Name: A clickable label (e.g., @harden-runner-canary/basic-npm-package) that links to the artifact’s detailed compliance view.
* CI/CD Workflow File: The GitHub Actions workflow file (e.g., publish.yml) that is authorized to publish the artifact; every version is checked against it.
* Artifact Type: Currently supported types include npm packages, with support for additional registries coming soon.
* Last Published: Timestamp showing when the most recent version was released.
* Last Monitored: Indicates when Artifact Monitor last scanned the artifact for compliance.
* Compliance Summary:
  * A visual ring chart shows how many versions are compliant (green) versus non-compliant (red).
  * The center number represents the total number of published versions detected.
  * If an artifact has one or more non-compliant versions, a warning icon appears next to its name.

#### **Detailed View (View Details)**

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FKOHCF23OmPDbCotvjAsw%2FScreenshot%202025-05-02%20at%2022.32.26.png?alt=media&#x26;token=6654d1b0-c939-4a59-9bea-d68a4521598b" alt=""><figcaption><p>Artifact Monitor Dashboard showing details of an Artifact</p></figcaption></figure>

Clicking **View Details** opens a compliance log for all versions of the selected artifact. The version table includes:

* Version: The version string of the artifact.
* Release Date: Timestamp of when the version was published to the registry.
* Confidence Level: How confident the verdict is. It is derived from the version's provenance data when the registry provides it, and from StepSecurity's own detection heuristics when it does not.
* Compliance: Whether the release was traced back to the approved CI/CD workflow for this artifact.
* Logs: Link to the CI logs or GitHub Actions workflow run that published the version, when one was found.

### How It Works

* **Real-Time Tracking:** Detects new versions as they are published to your artifact registry, rather than on a periodic schedule.
* **CI/CD Verification:** Traces each release back to the authorized CI/CD workflow configured for the artifact.
  * Authorized: A release that was published by the approved workflow run is marked Compliant.
  * Unauthorized: A release for which no matching CI/CD job is found (for example, a version pushed directly with a developer's registry token) is marked Non-Compliant and triggers an alert to your security team.
* **Immediate Alerts:** Notifications are sent as soon as a non-compliant version is detected, so your security team can respond before a rogue release spreads to downstream consumers.

### Key Features & Benefits

* **Continuous Monitoring:** Constantly watches artifact registries like npm, with support for ECR, DockerHub, and more coming soon.
* **Automated CI/CD Verification:** Ensures every artifact version is tied to a trusted release process.
* **Instant Security Alerts:** Detects unauthorized or rogue releases in real time—critical for preventing supply chain attacks.
* **Zero False Positives:** Leverages provenance data when available and uses proprietary detection technology when it’s not.
* **No Developer Overhead:** Integrates with existing pipelines out of the box. No code changes or developer involvement required.

### Adding an Artifact to Monitor

#### **Step 1:** Navigate to "Artifact Monitor" on your dashboard

<figure><img src="https://754495266-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FQJRZY4cfEeY3I7DXTOCp%2Fuploads%2FnZKgPPp5PAytmfb6RekB%2FScreenshot%202025-09-18%20at%2001.42.07.png?alt=media&#x26;token=5af563ff-4df3-4dca-b489-581e9caad030" alt=""><figcaption></figcaption></figure>

#### **Step 2:** Click "Add Artifact"

![StepSecurity's Artifact Monitor](https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-05-02/41376e4e-d17a-48ce-8f41-b4238f34cfd5/ascreenshot.jpeg?tl_px=1495,0\&br_px=3024,854\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=931,106)

#### **Step 3:** Fill in the details of the Artifact:

* The Artifact name (e.g., the npm package name)
* The Artifact type
* The path to the GitHub Actions workflow file in your repository that publishes the artifact (e.g., .github/workflows/publish.yml)

![Adding a new Artifact](https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-05-02/255b1890-76b3-4f6f-af9f-cee3c0398e58/ascreenshot.jpeg?tl_px=272,0\&br_px=3024,1538\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=615,238)

#### **Step 4:** Click "Add Artifact"

* Artifact Monitor begins scanning the artifact: it enumerates the published versions and checks whether each one was released by the workflow you specified, marking versions that were not as Non-Compliant.

![Adding a new Artifact](https://ajeuwbhvhr.cloudimg.io/colony-recorder.s3.amazonaws.com/files/2025-05-02/4d48456c-0028-4aa1-9eb2-dfc86b6d08c0/ascreenshot.jpeg?tl_px=272,175\&br_px=3024,1714\&force_format=jpeg\&q=100\&width=1120.0\&wat=1\&wat_opacity=1\&wat_gravity=northwest\&wat_url=https://colony-recorder.s3.amazonaws.com/images/watermarks/8B5CF6_standard.png\&wat_pad=677,355)
