Artifact Integrity
The Artifact Integrity policy ensures that container images in your registries were built by your organization's CI/CD pipeline, and not pushed from an unknown or unauthorized source, such as a developer's local machine or a malicious actor.
The main goals are:
Verifying artifact origin prevents the risk of running images that might be tampered with or injected with malicious code.
Providing assurance that all deployed artifacts are traceable to your build process.
Currently OX Security supports artifact integrity in GitLab and GitHub pipelines.
Verifying artifact integrity in container images contains the following steps:
Run a security scan
Prerequisites
Use the following environment variables in your pipeline:
For GitLab:
CI_PROJECT_ID,CI_JOB_IDFor GitHub:
GITHUB_REPOSITORY,GITHUB_RUN_ID
Updating your CI/CD pipelines with labels
When building the image, you need to include specific metadata labels in the image. Then, during the security scan, OX Security analyzes image labels and corresponding pipeline logs to ensure the integrity and trustworthiness of the image, as follows:
If OX finds a match in the build logs, the image is marked as verified.
If no match is found, the image is flagged as unverified, and you are advised to review it.
The labels are added to the docker build command during the Docker build process. The label keys are the same for all CI/CD systems, but the values differ depending on the platform.
security.ox.image.ci.repo.id
${GITHUB_REPOSITORY}
${CI_PROJECT_ID}
security.ox.image.ci.job.id
${GITHUB_RUN_ID}
${CI_JOB_ID}
security.ox.image.ci.source
github
gitlab
Important: Do not use
docker build --push. Use separatedocker buildanddocker pushcommands. This ensures the image hash is visible and can be verified during artifact integrity checks.
Docker build command example:
docker build -t $YOUR_IMAGE_NAME \
--label "security.ox.image.ci.repo.id=..." \
--label "security.ox.image.ci.job.id=..." \
--label "security.ox.image.ci.source=..."
docker push $YOUR_IMAGE_NAME
Before the scan
Before running a scan on the container image to which you have added the metadata labels, you need to enable the policy that verifies the image.
In addition, you can exclude images from scan by name or registry name.
To enable the Artifact Integrity policy:
In the OX Security platform, go to Policies > Artifact Integrity.
Enable Registry artifact not from CI/CD.
To reduce load during the scan, exclude trusted images, as follows: in the Trusted registries and images box, add trusted images/registries names.
To save your policy definitions, select SAVE AS or SAVE.
Analyzing the container image scan results
After running a security scan, you can view the artifact integrity status and plan your further actions.
To view the artifact integrity status:
In the Artifact BOM page, select the image you have scanned and check the artifact integrity status in the image overview.
The following integrity statuses are available:
Integrity verified
Integrity verification failed
Review the relevant pipeline and ensure the correct labels were added during build.
Make sure the Docker build and push commands are not combined into one (
docker build --push) as it hides the image hash.If the labels and commands are correct, then maybe the image came from an unknown source. In that case you must rebuild the image.
N/A
Review the image and make sure the labels were added correctly.
When artifact integrity is not verified, a new security issue is added in the Issues page.
The following issue types can be added by OX Security:
Image was not correlated with any known artifact from the build system
The artifact did not pass the artifact integrity check.
Image is not from a known repository
The image contains all required labels, but cannot be matched to any known repository. This issue can be resolved by adding the missing repository in the corresponding connector.
Image previously had labels but now does not
The image currently lacks the required labels, while previous versions of this image had the correct labels.
Last updated