Artifact Integrity Policies

Artifact Integrity policies validate the source and integrity of artifacts running in cloud environments.

These policies ensure that artifacts originate from approved build pipelines and trusted registries, helping confirm that deployed software has not been altered or introduced outside authorized processes. Enforcing artifact integrity reduces supply chain risk and helps maintain trust in the software delivery process.

The article describes the policies in this category, configuration options, and the impact of policy violations. For an overview of policies and policy management, see the Policies article and a more detailed article on the policy group Artifact Integrity.

View and manage Artifact Integriy policies

Open each policy to view the business impact and optional settings.

Cloud artifact is not from a trusted registry

Purpose: Detect running artifacts that originate from registries not associated with an approved CI/CD process.

Business impact: Artifacts from untrusted registries increase the risk of deploying tampered or malicious images. This can lead to security breaches, data exposure, or compromised runtime environments.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

OFF

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

Trusted registry and images

Click to add

Current setting

Registry artifact is not from CI/CD

Purpose: Validates that artifacts running in the cloud have a corresponding build record in the CI/CD pipeline to confirm they were produced through an approved build process. Enforcing CI/CD provenance helps ensure artifact integrity and reduces the risk of supply-chain compromise.

Business impact: Running artifacts that cannot be traced back to a CI/CD pipeline may have been introduced outside approved workflows. This increases the risk of deploying tampered or malicious artifacts.

Setting

Description

Default

ON/OFF (toggle)

Enable/disable the policy.

OFF

Ignore Application Business Priority for severity calculation (checkbox)

When enabled, severity is not adjusted based on application priority.

OFF

Trusted registry and images

Click to add

Current setting

View policy issues

1. Open the Active Issues page.

2. Use the Category filter and select the policy category to view related active issues.

3. Use the Policy filter to narrow the list to a specific policy.

4. Apply the Category and Policy filters separately or together, depending on how specific you want the results to be.

5. Use the search box to refine results, such as filtering by file name, keyword, or rule identifier.

Create or save policy profiles

When you change a policy’s severity, ON/OFF toggle or any other setting, you must save the current profile or create a new one.

• To save the current profile, click SAVE in the page header.

• To create a new profile, click SAVE AS in the page header. For instructions, see the section Create or edit policy profiles in the Policies article.