About linked artifacts

The linked artifacts page helps you audit and prioritize your organization's builds on GitHub, regardless of where the artifacts are stored.

Neste artigo

The linked artifacts page provides a unified view of software artifacts that your organization builds with GitHub Actions, such as container images, packages, or builds of your production code.

The page shows you how an artifact was built, where it is stored or running, and which compliance and security metadata is associated with the artifact.

Teams in your organization can use the linked artifacts page to:

  • Prioritize alerts from GitHub Advanced Security features based on whether the detected vulnerabilities are running in production or exposed to the internet
  • Quickly connect artifacts to build details, storage locations, and owning teams
  • Meet compliance by exporting auditable proof of your artifacts' provenance and integrity

Which artifacts appear on the linked artifacts page?

The linked artifacts page is unique to each organization. It contains metadata for artifacts that have been built with GitHub Actions in your organization's repositories. It does not display artifacts your organization consumes from elsewhere, such as open source dependencies.

Artifact records are uploaded by your organization using either a public API or an integration with an external registry. The linked artifacts page does not store the artifact files themselves. It just provides an authoritative source for the metadata associated with each artifact.

Because an artifact does not need to be stored on GitHub to appear in the linked artifacts page, you can use the linked artifacts page alongside your preferred package registry, such as JFrog Artifactory or GitHub Packages.

Which metadata is included?

The linked artifacts page combines data from two different types of record: storage records and deployment records. These records are uploaded using different API endpoints or integrations.

Storage records

Storage records include the repository containing the artifact's source code, the registry where the artifact is stored, and any attestations proving the artifact's integrity and provenance. You can use this data to quickly find an artifact's owning team and build details.

Screenshot of an artifact page. Highlighted fields: storage registry, artifact repository, source repository.

For more information about attestations and SLSA levels, see Atestados de artefatos.

Deployment records

Deployment records include the environment where the artifact is deployed and any runtime risks (such as "sensitive data" or "internet exposed") associated with the artifact. You can use this data to filter security alerts based on the level of threat posed to your organization and consumers.

Screenshot of an artifact page. Highlighted fields: the "Deployments" list, including tags for "Prod", "sensitive data", and "pacific-east".

Observação

Deployment records do not include deployment activity from a repository's deployments dashboard, which comes from a different source. See Exibir atividade de implantação no repositório.

How does the linked artifacts page fit into my processes?

This example workflow shows how the linked artifacts page integrates with other GitHub features and external systems.

  1. A developer commits code to a GitHub repository where the code for a software package is defined.

  2. A GitHub Actions workflow in the repository automatically:

    1. Builds the package.
    2. Pushes the package to your chosen registry, such as GitHub Packages or JFrog Artifactory.
    3. Creates a cryptographically signed provenance attestation, linking the package to the repository, commit, and workflow used to build the package.
    4. Deploys the package to a staging or production environment. Your deployment system may be gated to ensure that only attested artifacts can be deployed to production, for example using the Kubernetes Admissions Controller.

  3. Metadata for the package, such as its linked repository, attestations, and deployment history, is uploaded to the linked artifacts page.

  4. Using the data from the linked artifacts page, a security lead triages code scanning and Dependabot alerts, and creates a campaign to address alerts that affect production environments or have a specific runtime risk.

  5. When an audit is required, a member of the compliance team exports SBOMs, provenance details, and deployment records for all your organization's linked artifacts from a single source.

Next steps

To add records to your organization's linked artifacts page, see Uploading storage and deployment data to the linked artifacts page.

To view the linked artifacts page for your organization, see Auditing your organization's builds on the linked artifacts page.