Artifact BOM
The Artifact Bill of Materials (BOM) is a comprehensive capability designed to give organizations visibility into all software artifacts used across cloud and Kubernetes environments.
Artifact BOM supports integration with cloud-native platforms such as Kubernetes and container registries.
By continuously monitoring deployed workloads and associated artifacts, Artifact BOM enables organizations to understand how artifacts are used in production environments, evaluate their security, and enforce governance policies.
Key capabilities include:
Artifact Discovery: Artifact BOM automatically detects and inventories deployed artifacts, including container images, Kubernetes Deployments, DaemonSets, Services, and more.
Security Monitoring: Surfaces vulnerabilities, misconfigurations, and exposure details for each artifact, enabling teams to assess and prioritize risk.
Issue Investigation and Insights: The platform highlights all issues associated with each artifact and links them to affected assets, streamlining triage and resolution.
Kubernetes-Native Support: Deep integration with Kubernetes ensures complete visibility into the containerized software supply chain, from build to runtime.
Unscanned images
OX Security also surfaces images that were not scanned, along with the reasons why. This helps teams understand potential visibility gaps and take corrective actions.
Unscanned images appear in the Artifact BOM list if:
Policy exclusions apply: For example, if a policy is configured to skip images older than 8 months, those images will appear as unscanned.
The image was not selected in the connector configuration: If a specific repository was connected, but certain images were excluded during setup, they will appear as unscanned.
There were scan errors: If scanning failed due to technical issues or access problems, the image will be listed with an error indicator.
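The three causes above can be turned into a small triage routine that labels every inventoried image as scanned or unscanned with its reason. This is an added example and not OX Security's code; the record fields, the policy object, the 30-day-month approximation and the sample images are assumptions made for the example.

```python
"""Added example, not OX Security's code: classify inventory images as scanned or
unscanned with a reason, following the three causes listed above. The record
fields, the policy object and the sample images are assumptions made for this
example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ScanPolicy:
    # Images built more than this many months ago are skipped (the page's example uses 8).
    max_age_months: int = 8


@dataclass(frozen=True)
class ImageRecord:
    name: str
    tag: str
    build_time: Optional[datetime]      # None when the registry exposes no build metadata
    selected_in_connector: bool         # False if excluded when the connector was set up
    scan_error: Optional[str] = None    # scanner error message, if the scan failed


# Fixed reference time so the example is deterministic (assumption).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def older_than(build_time: datetime, months: int, now: datetime = NOW) -> bool:
    """True when the image was built more than `months` ago (approximated as 30-day months)."""
    return (now - build_time) > timedelta(days=30 * months)


def scan_status(img: ImageRecord, policy: ScanPolicy, now: datetime = NOW) -> Tuple[str, Optional[str]]:
    """Return ("scanned", None) or ("unscanned", reason).

    Order matters: a connector exclusion is reported first because the image was never
    in scope; the age policy applies next; a scan error is reported only for images
    that were actually eligible. An image with no build time cannot be aged out, so
    it stays in scope (fail-open on missing metadata; switch to fail-closed if your
    policy requires it).
    """
    if not img.selected_in_connector:
        return "unscanned", "not selected in connector configuration"
    if img.build_time is not None and older_than(img.build_time, policy.max_age_months, now):
        return "unscanned", f"policy exclusion: older than {policy.max_age_months} months"
    if img.scan_error:
        return "unscanned", f"scan error: {img.scan_error}"
    return "scanned", None


def unscanned_report(images: List[ImageRecord], policy: ScanPolicy, now: datetime = NOW) -> Dict[str, str]:
    """Map 'name:tag' -> reason for every image that was not scanned."""
    report: Dict[str, str] = {}
    for img in images:
        status, reason = scan_status(img, policy, now)
        if status == "unscanned" and reason is not None:
            report[f"{img.name}:{img.tag}"] = reason
    return report


# Constructed sample inventory (not real registry data).
SAMPLE_IMAGES = [
    ImageRecord("web-frontend", "1.25", datetime(2024, 5, 1, tzinfo=timezone.utc), True),
    ImageRecord("legacy-api", "2.0", datetime(2023, 1, 10, tzinfo=timezone.utc), True),
    ImageRecord("internal-tool", "latest", datetime(2024, 5, 20, tzinfo=timezone.utc), False),
    ImageRecord("batch-job", "3.1", None, True, "registry credentials rejected (401)"),
    ImageRecord("cache", "7", None, True),
]

if __name__ == "__main__":
    for key, reason in unscanned_report(SAMPLE_IMAGES, ScanPolicy()).items():
        print(f"{key}: {reason}")
```

Running the module prints one line per unscanned image with its reason; the `cache:7` record, which has no build time, is deliberately kept in scope so that missing metadata does not silently widen the visibility gap the section describes.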
Inventorying deployed artifacts
Each row in the Artifact BOM table represents a distinct artifact detected by OX Security. You can filter and sort the data using the categories on the left panel. The table columns are:
Issues: The number of issues detected in the artifact, typically categorized by severity (e.g., Critical, High).
Artifact: The name of the container image detected by OX.
Version/Tag: The specific version or tag associated with the artifact (e.g., v1.19.0).
Application: The application name within the OX platform associated with the artifact. Often includes the registry origin, for example Public Amazon ECR.
Business Priority: A numerical score reflecting the business impact or criticality of the application the artifact is associated with.
Code: Indicates whether the artifact is linked to a code repository.
CI/CD: Indicates whether the artifact has been traced to a CI/CD pipeline.
Registry: Indicates whether the artifact has been found in a connected container registry.
Cloud: Indicates whether the artifact was detected running in a cloud environment (for example, AWS or GCP).
PBOM: A visual indicator showing traceability across the software supply chain, from source code to runtime deployment.
Created: The relative timestamp showing when the artifact was first detected by the platform.
Use the left-side panel to narrow down artifacts by the following properties.
Application: Select one or more applications to view related artifacts.
Account: Filter by cloud account ID to focus on specific environments.
Asset Name: Enter a specific asset name to find exact matches.
Type: Filter by resource type, such as Deployment, DaemonSet, Service, or Image.
Cloud Provider: Narrow results by provider (e.g., AWS, Azure, GCP).
Region: Focus on artifacts from specific cloud regions.
Service Category: Choose a category such as Kubernetes.
Kubernetes Cluster: Filter by cluster to investigate issues per environment.
Vulnerability Severity: Show only artifacts with vulnerabilities of the selected severities.
Is Internet Exposed: View only externally exposed or only internal artifacts.
Image Source: Filter by the source of the image, such as a CI/CD pipeline or a registry.
Registry Name: Focus on images from specific registries.
Registry Type: Filter by registry type, such as public or private.
Image Scan Status: Show only scanned, unscanned, or failed-scan images.
In addition, you can rearrange the Artifact BOM table according to:
Cloud-deployed artifacts
Artifacts with high severity issues
Understanding Artifact BOM details
When you select an artifact, a panel with detailed information appears, including:
Overview
Artifact Type: Indicates the type of artifact (e.g., Container).
Name: The artifact’s name as detected in your environment.
Application: The logical application associated with the artifact.
Version/Tag: The specific tag or version of the artifact.
Business Priority: A calculated score that reflects the artifact’s importance to the business.
Created: How long ago the artifact was first detected.
Severities: Number and severity of issues found in the artifact (e.g., 1 Critical).
Artifact Integrity: Indicates whether integrity data is available. If N/A, verification is not provided.
Hash: The unique SHA256 hash used to identify the artifact version.
Registry
The Registry tab provides details about the image's origin in your container registry.
Registry Type: The type of registry where the image is stored (e.g., Amazon ECR).
Registry Name: The full hostname of the registry where the image was found. When an image is included in multiple registries, all the registry names appear here.
Repository Name: Full path of the repository, including the image name.
Hash: The unique SHA256 hash of the image.
Tags: The tag(s) assigned to the image version.
Username: The user or service account that uploaded the image.
Time Upload: Timestamp of when the image was pushed to the registry.
Last Update: The most recent update detected for the image in the registry.
Build Time: The original build timestamp of the image, if available.
Cloud
The Cloud tab shows where the artifact was observed running in cloud environments. This helps you trace image usage across clusters and workloads.
Cloud Type: The cloud provider where the image was observed (e.g., AWS).
Cloud Services: The specific service running the artifact (e.g., EKS for Kubernetes).
Cluster: Name of the Kubernetes cluster where the image was deployed.
Namespace: Kubernetes namespace in which the image was running.
Zone: Cloud region or availability zone (e.g., eu-west-1).
Account: Cloud account ID where the image was detected.
Hash: The SHA256 hash identifying the deployed image.
Public Image CVEs
The Public Image CVEs tab lists known vulnerabilities found in public base images or libraries used by the artifact. It provides visibility into inherited risks even if the image wasn’t built internally.
Vulnerability ID: The CVE identifier linked to the issue, with a link to external details.
Library: The affected library and its version.
Description: A short summary of the vulnerability’s root cause and impact.
Context: Icons representing the environment or use case where the CVE was found (e.g., build, CI/CD, cloud runtime).
Discovered: Approximate time when the vulnerability was disclosed.
CVSS: The CVSS base score and severity (Critical, High, etc.) from the NVD.
OX Severity: OX's adjusted severity score, considering context such as exploitability and impact.
PBOM
The Pipeline Bill of Materials (PBOM) tab displays information about the application the artifact is associated with.
Artifact BOM use cases
Tracing issues across artifacts
By reviewing the issues linked across containers and code repositories, security teams can identify root causes and reduce noise.
For example, when the same CVE appears in both the container and its associated repository, the platform links the issues. Fixing the problem in the code eliminates it in future versions of the container.
To view the linked issues:
In the filtering panel of the Active Issues page, select Actions > Linked Issues.
Visibility into cloud-running images
Even if an image comes from a public registry, Artifact BOM shows where it’s running in Kubernetes clusters and connects it to the relevant cloud account and region.
For example, if an image is not found in your connected registries but is detected running in AWS or GCP, it still appears in the Artifact BOM with full metadata, helping teams track unmanaged or shadow artifacts.
Reviewing registry upload and build details
Artifact BOM allows AppSec teams to view metadata from container registries, including when the image was uploaded, who uploaded it, and what hash it carries. This helps with auditing, identifying outdated images, and enforcing upload policies.
For example, if two identical images exist in different registries, you can use the artifact hash and upload time to validate which one is current and safe to use.
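The two use cases above (an image running in a cluster with no copy in any connected registry, and identical images in different registries compared by hash and upload time) both come down to keying the inventory on the image digest. The following is an added example and not OX Security's code: it reconciles constructed registry records with constructed runtime observations, and additionally flags a tag that resolves to more than one digest, which goes slightly beyond the page's two cases. All field names, hostnames, account IDs and digests are constructed placeholders.

```python
"""Added example, not OX Security's code: reconcile image records from connected
registries with images observed running in the cloud, using the SHA256 digest as
the identity key. Covers copies of one image in several registries, images running
with no registry copy, and a tag re-pushed with different content. Record fields
and all sample values are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class RegistryImage:
    registry: str        # registry hostname
    repository: str      # full repository path including the image name
    tag: str
    digest: str          # "sha256:<hex>", identifies the image content
    uploaded: datetime   # when the image was pushed
    uploaded_by: str     # user or service account that pushed it


@dataclass(frozen=True)
class RuntimeImage:
    cloud: str
    account: str
    region: str
    cluster: str
    namespace: str
    digest: str


def _utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed digests: placeholders with the right shape, not real image hashes.
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
DIGEST_C = "sha256:" + "c" * 64
DIGEST_D = "sha256:" + "d" * 64

# Constructed sample: one image pushed to two registries, the same tag later
# re-pushed with different content, and one image running with no registry copy.
REGISTRY = [
    RegistryImage("123456789012.dkr.ecr.eu-west-1.amazonaws.com", "team/api", "v1.19.0",
                  DIGEST_A, _utc(2024, 5, 2, 9), "ci-bot"),
    RegistryImage("registry.internal.example", "team/api", "v1.19.0",
                  DIGEST_A, _utc(2024, 5, 3, 14), "ci-bot"),
    RegistryImage("registry.internal.example", "team/api", "v1.19.0",
                  DIGEST_B, _utc(2024, 5, 10, 8), "alice"),
    RegistryImage("registry.internal.example", "team/worker", "v2.0.1",
                  DIGEST_C, _utc(2024, 4, 20, 11), "ci-bot"),
]
RUNTIME = [
    RuntimeImage("AWS", "123456789012", "eu-west-1", "prod-eks", "payments", DIGEST_A),
    RuntimeImage("AWS", "123456789012", "eu-west-1", "prod-eks", "payments", DIGEST_B),
    RuntimeImage("GCP", "example-project", "europe-west1", "gke-batch", "etl", DIGEST_D),
]


def copies_by_digest(images: List[RegistryImage]) -> Dict[str, List[RegistryImage]]:
    """Group registry entries by content hash; entries in one group are byte-identical images."""
    groups: Dict[str, List[RegistryImage]] = defaultdict(list)
    for img in images:
        groups[img.digest].append(img)
    return dict(groups)


def latest_copy(copies: List[RegistryImage]) -> RegistryImage:
    """Of several copies with the same digest, the most recently uploaded one."""
    return max(copies, key=lambda img: img.uploaded)


def tag_drift(images: List[RegistryImage]) -> Dict[Tuple[str, str], Set[str]]:
    """(repository, tag) pairs that resolve to more than one digest.

    A mutable tag re-pushed with different content means the tag no longer names one
    artifact; pin deployments to the digest and review who pushed the new content.
    """
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for img in images:
        seen[(img.repository, img.tag)].add(img.digest)
    return {key: digests for key, digests in seen.items() if len(digests) > 1}


def shadow_artifacts(runtime: List[RuntimeImage], images: List[RegistryImage]) -> List[RuntimeImage]:
    """Images observed running whose digest is not present in any connected registry."""
    known = {img.digest for img in images}
    return [obs for obs in runtime if obs.digest not in known]


if __name__ == "__main__":
    for digest, copies in copies_by_digest(REGISTRY).items():
        if len(copies) > 1:
            cur = latest_copy(copies)
            print(f"{digest[:19]}... in {len(copies)} registries; latest: {cur.registry} ({cur.uploaded:%Y-%m-%d})")
    for (repo, tag), digests in tag_drift(REGISTRY).items():
        print(f"tag drift: {repo}:{tag} -> {len(digests)} digests")
    for obs in shadow_artifacts(RUNTIME, REGISTRY):
        print(f"shadow artifact: {obs.digest[:19]}... in {obs.cloud}/{obs.cluster}/{obs.namespace}")
```

Grouping on the digest rather than on the name and tag is the point: two entries with the same digest are the same bytes wherever they sit, so the upload time only decides which copy is the freshest mirror, while a tag that maps to two digests is the case that warrants an investigation rather than a dedup.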
Investigating Public Image Vulnerabilities
The Public Image CVEs tab surfaces vulnerabilities inherited from base images or open-source libraries. This gives security teams insight into third-party risks, even when the application code itself does not contain vulnerabilities.
For example, vulnerabilities in Go’s stdlib package or OS-level libraries can be tracked across multiple containers using the same base image.