# Artifact Scanning

Artifact Scanning extends security validation beyond container images to all other components in the software supply chain — **binaries, packages, libraries, build outputs, and third-party dependencies** — ensuring the entire delivery chain is trusted, not just the final image.

Modern applications depend heavily on open-source and third-party components. Any one of these can introduce known CVEs, license violations, tampered artifacts, or hidden malicious code — risks that container image scanning alone does not fully cover.

## Why Artifact Scanning Is Used in OpsMx

OpsMx uses Artifact Scanning in Delivery Shield to:

* **Validate all build outputs and dependencies** before they are consumed or promoted to the next pipeline stage
* **Maintain a trusted artifact repository** — enforcing strict controls on which artifacts are allowed into the build and deployment process
* **Detect tampered or untrusted artifacts** — verifying artifact integrity against expected checksums and signatures
* **Provide end-to-end supply chain visibility** — every component from code to packaged artifact is accounted for and assessed

## Key Capabilities

| Capability                            | Description                                                                     |
| ------------------------------------- | ------------------------------------------------------------------------------- |
| **Dependency Vulnerability Scanning** | CVE detection across all third-party libraries and packages                     |
| **License Compliance**                | Flags license types that violate organizational policy (GPL, AGPL, etc.)        |
| **Artifact Integrity Verification**   | Validates artifact checksums and code signing against approved baselines        |
| **SBOM Generation**                   | Full SBOM per artifact in CycloneDX or SPDX format                              |
| **JFrog Xray Integration**            | Deep recursive scanning of artifacts in JFrog Artifactory repositories          |
| **Hidden Malicious Code Detection**   | Identifies supply chain attacks where legitimate packages have been compromised |
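
The integrity and license checks in the table can be illustrated with a small promotion gate. This is an added example, not OpsMx or Delivery Shield code: the forbidden-license set, the checksum baseline, the delivered artifacts and the CycloneDX SBOM fragment are all constructed here, and `evaluate_release` is a hypothetical helper that blocks promotion on any finding.

```python
import hashlib

# Constructed policy: SPDX license ids the organisation does not allow in shipped artifacts.
FORBIDDEN_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_integrity(artifacts: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Compare each delivered artifact's SHA-256 with the approved baseline.
    Reports tampered (mismatch), missing, and never-approved (not in baseline) artifacts."""
    findings = [f"missing: {n}" for n in baseline if n not in artifacts]
    findings += [f"checksum mismatch: {n}" for n, h in baseline.items()
                 if n in artifacts and sha256_hex(artifacts[n]) != h]
    findings += [f"not in baseline: {n}" for n in artifacts.keys() - baseline.keys()]
    return sorted(findings)

def license_violations(sbom: dict) -> list[str]:
    """Walk a CycloneDX JSON SBOM and report components carrying a forbidden license id."""
    out = []
    for comp in sbom.get("components", []):
        for entry in comp.get("licenses", []):
            lic_id = entry.get("license", {}).get("id")
            if lic_id in FORBIDDEN_LICENSES:
                out.append(f"{comp['name']}@{comp.get('version', '?')}: {lic_id}")
    return out

# Constructed release: one pristine, one tampered, one never-approved artifact, one approved but absent.
SAMPLE_ARTIFACTS = {"app.jar": b"pristine build output",
                    "helper.so": b"tampered bytes",
                    "extra.whl": b"never approved"}
SAMPLE_BASELINE = {"app.jar": sha256_hex(b"pristine build output"),
                   "helper.so": sha256_hex(b"original helper bytes"),
                   "docs.tar.gz": sha256_hex(b"approved but not delivered")}
# Constructed CycloneDX 1.5 SBOM fragment with only the fields the check reads.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "jackson-databind", "version": "2.17.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "readline-wrapper", "version": "1.2",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}]}

def evaluate_release(artifacts=SAMPLE_ARTIFACTS, baseline=SAMPLE_BASELINE, sbom=SAMPLE_SBOM) -> dict:
    """Promotion gate: any integrity or license finding blocks the artifact set."""
    findings = {"integrity": verify_integrity(artifacts, baseline),
                "license": license_violations(sbom)}
    findings["blocked"] = bool(findings["integrity"] or findings["license"])
    return findings

if __name__ == "__main__":
    print(evaluate_release())
```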

## Results in Delivery Shield

* **Artifact section of the DBOM page** — artifact findings tied to each deployment record
* **Vulnerability Management page** — consolidated findings across all artifact types
* **View Open Security Issues page** — active issues prioritized by severity for immediate action
