Security Command Center's artifact guard adds a layer of security to your application development process by helping you to identify vulnerabilities throughout the development lifecycle.
Artifact guard offers the following features and benefits:
- Granular policy controls: Define precise rules based on vulnerability types, with flexible exception options.
- Build-time policy enforcement: Integrate security checks directly into Artifact Registry and Continuous Integration/Continuous Delivery (CI/CD) pipelines to stop insecure images before deployment.
- Advanced runtime enforcement: Benefit from real-time scanning and a complete overview of your security posture.
- Unified "code to cloud" security graph: Gain a holistic view of security findings by correlating data from build time, artifact analysis, and runtime scans.
Overview
CI/CD pipelines and deployment environments often lack automated enforcement to block or audit non-compliant images. To help secure applications, policies must be applied consistently at both the build and the deployment stages.
A strong policy framework can help with the following:
- Supply chain attacks: Proactive policies help mitigate threats early, preventing compromised images from affecting your applications.
- Compliance and governance: Meet regulatory demands by enforcing best practices such as preventing credential leaks, blocking vulnerable libraries, and maintaining secure container configurations.
- Developer friction: Integrate security into the existing development lifecycle so that enforcement is added without slowing delivery.
- Runtime risks: Continuous runtime scanning catches new vulnerabilities even after deployment, providing ongoing protection.
Artifact guard provides a unified security framework to manage an artifact's vulnerabilities and other findings throughout its lifecycle. This framework allows for granular admission control at various stages, ensuring only verified artifacts are promoted.
Artifact guard has built-in integration with key services like Artifact Registry and Google Kubernetes Engine (GKE). Policies can also be included in the Google Security Baseline Policy and integrated with App Hub, enabling teams to enforce security standards directly from the application design center. This capability allows artifact guard to function as a powerful constraint within the Google Cloud Organization Policy Service framework, ensuring consistent security governance at scale.
Audience
Artifact guard can help with the following stakeholder tasks:
- Security Administrators: Define and enforce security policies.
- DevOps or Platform Engineering teams: Integrate artifact guard into existing build and deployment pipelines.
- Application Developers: Use the insights from artifact guard to remediate security vulnerabilities within code.
Key terms and concepts
- Common Vulnerabilities and Exposures (CVE): A publicly disclosed computer security vulnerability that is assigned a unique identifier. These identifiers help track vulnerabilities for remediation.
- Software Bill of Materials (SBOM): A machine-readable inventory of software components and dependencies. An SBOM includes information about each component's version, origin, and other relevant details. SBOMs can be used to identify CVEs and other security risks.
- Artifact: A versioned and validated output of software development, such as a container image or another item created during the build process.
High-level workflow
Artifact guard supports three types of policy scopes:
- CI/CD platform: Cloud Build, GitHub Actions, or Jenkins pipelines
- Registry: Artifact Registry repositories
- Runtime: GKE clusters
The workflow has three steps:
1. If you plan to use the CI/CD platform scope, create connectors to your CI/CD environments by using the CI/CD integration.
2. Configure artifact guard policies. A policy can cover any of the supported scopes.
3. Evaluations run against your policies. In a CI/CD evaluation, an image is built and then checked against the policy; if the image violates the policy, the evaluation fails and the build fails with it. DevOps or application engineers can then examine the failure details and apply the necessary fixes before rebuilding.
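As an added illustration, not artifact guard's own policy format, API, or code, the following Python script shows the shape of the build-time gate described above: it takes a set of scan findings, applies a severity threshold with time-boxed exceptions, and exits non-zero so that the CI step (and therefore the build) fails. The `Finding`, `Policy`, `Waiver` and `Verdict` shapes, the function names and the `CVE-0000-*` identifiers are assumptions made for this example, and the scan findings are constructed sample data.

```python
"""Illustrative build-time policy gate (added example; not Artifact Guard's API).

Assumes a hypothetical scan-result shape: one Finding per vulnerability, with
the CVE id, affected package, severity and whether a fixed version exists.
"""
import sys
from dataclasses import dataclass
from datetime import date

# Severity ordering used by the hypothetical policy; higher is worse.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    """One vulnerability reported by a scan of an image (assumed shape)."""
    cve: str
    package: str
    severity: str
    fix_available: bool


@dataclass(frozen=True)
class Waiver:
    """A time-boxed exception for one CVE, with a recorded justification."""
    cve: str
    expires: date
    reason: str


@dataclass
class Policy:
    """Block findings at or above a severity; optionally only those with a fix."""
    block_at_or_above: str = "HIGH"
    only_block_if_fixable: bool = True
    exceptions: tuple = ()


@dataclass
class Verdict:
    allowed: bool
    violations: list  # findings that block the build
    waived: list      # findings covered by an unexpired waiver
    expired: list     # findings whose waiver has lapsed (still violations)


def evaluate(findings, policy, today=None):
    """Return a Verdict for `findings` under `policy` as of `today`.

    An expired waiver does not waive anything: the build fails until the
    waiver is renewed or the package is fixed, so exceptions cannot
    silently become permanent.
    """
    today = today or date.today()
    threshold = SEVERITY_RANK[policy.block_at_or_above]
    waivers = {w.cve: w for w in policy.exceptions}
    violations, waived, expired = [], [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue  # below the severity the policy enforces
        if policy.only_block_if_fixable and not f.fix_available:
            continue  # nothing the developer can upgrade to yet
        w = waivers.get(f.cve)
        if w is None:
            violations.append(f)
        elif w.expires >= today:
            waived.append(f)
        else:
            expired.append(f)
            violations.append(f)
    return Verdict(not violations, violations, waived, expired)


# Constructed scan output for an example image; the CVE ids are placeholders.
SAMPLE_FINDINGS = (
    Finding("CVE-0000-0001", "openssl", "CRITICAL", fix_available=True),
    Finding("CVE-0000-0002", "zlib", "HIGH", fix_available=True),
    Finding("CVE-0000-0003", "curl", "HIGH", fix_available=True),
    Finding("CVE-0000-0004", "glibc", "HIGH", fix_available=False),
    Finding("CVE-0000-0005", "busybox", "MEDIUM", fix_available=True),
)

SAMPLE_POLICY = Policy(
    block_at_or_above="HIGH",
    only_block_if_fixable=True,
    exceptions=(
        Waiver("CVE-0000-0002", date(2099, 1, 1), "package not reachable from network"),
        Waiver("CVE-0000-0003", date(2020, 1, 1), "old waiver, must be renewed"),
    ),
)


def main():
    verdict = evaluate(SAMPLE_FINDINGS, SAMPLE_POLICY)
    for f in verdict.waived:
        print(f"WAIVED         {f.cve} {f.package} ({f.severity})")
    for f in verdict.violations:
        tag = "EXPIRED WAIVER" if f in verdict.expired else "BLOCKED"
        print(f"{tag:14} {f.cve} {f.package} ({f.severity})")
    # A non-zero exit is what makes the CI step, and so the build, fail.
    sys.exit(0 if verdict.allowed else 1)


if __name__ == "__main__":
    main()
```

Run as a step after the image scan in the pipeline; with the sample data the CRITICAL openssl finding and the curl finding with the lapsed waiver block the build, the zlib finding is waived, and the unfixable glibc finding is skipped because the sample policy only blocks findings that have a fix.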
What's next
- Learn how to configure artifact guard policies.