You can now link build artifacts like containers and binaries to GitHub and add storage and deployment context, even if the artifacts live outside GitHub. This helps you get code-to-cloud traceability and prioritize security work based on what’s actually running in production.

What’s new

Artifact metadata APIs

New REST API endpoints let you associate build artifacts with their storage location, track promotion through your release pipeline, and add production context like deployment data and runtime risk:

  • Storage records capture an artifact’s location in a package registry.
  • Deployment records capture where an artifact is deployed and runtime risk factors such as whether the deployed workload is exposed to the internet or processes sensitive data.

You can call these APIs from your CI/CD workflows, external CD tooling, or cloud runtime monitors. Our launch partners—Microsoft Defender for Cloud (for deployment and runtime data, in public preview) and JFrog Artifactory (for storage and promotion context)—have built native integrations you can enable without additional configuration.

Linked artifacts view

A new view in your organization’s Packages tab displays all linked artifacts with their attestations, storage locations, and deployment history. This gives you unified visibility across your software supply chain.

If you use GitHub artifact attestations, each artifact is cryptographically bound to its source repository and build workflow, helping you achieve SLSA Build Level 3 security. The artifact view surfaces all attestations created for an artifact, including build provenance, attested SBOMs, and any custom attestations that fit your software development lifecycle.

Production-context filtering for security alerts

If you add storage and deployment records, you can filter GitHub Dependabot alerts, GitHub code scanning alerts, and security campaigns based on what’s deployed or exposed in production, including:

  • artifact-registry and artifact-registry-url
  • has:deployment and runtime-risk

Combine these with existing filters like EPSS and CVSS scores to focus your remediation efforts on the vulnerabilities that matter most.
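To make that prioritization concrete, here is an added Python example (not GitHub's code or its API) that applies the same production-context logic locally: alerts are joined to deployment records by artifact digest, filtered the way has:deployment and runtime-risk do, and ranked by EPSS then CVSS, with internet-exposed workloads first. The record fields, digests and scores are constructed sample data, not values from any real registry or alert feed.

```python
from dataclasses import dataclass

@dataclass
class DeploymentRecord:
    """Production context for one artifact, keyed by its content digest
    (constructed to mirror the deployment records described above)."""
    digest: str               # digest of the deployed container image or binary
    environment: str
    internet_exposed: bool = False
    sensitive_data: bool = False

    def runtime_risks(self) -> list[str]:
        risks = []
        if self.internet_exposed:
            risks.append("internet-exposed")
        if self.sensitive_data:
            risks.append("sensitive-data")
        return risks

@dataclass
class Alert:
    alert_id: int
    artifact_digest: str      # artifact the vulnerable dependency was built into
    cvss: float
    epss: float               # EPSS probability of exploitation (0..1)

def prioritize(alerts, deployments, require_deployment=True, runtime_risk=None):
    """Return alert ids ordered for remediation. Alerts whose artifact has no
    deployment record are dropped (like has:deployment); runtime_risk keeps
    only alerts on workloads carrying that tag (like runtime-risk)."""
    by_digest = {d.digest: d for d in deployments}
    ranked = []
    for a in alerts:
        dep = by_digest.get(a.artifact_digest)
        if dep is None and require_deployment:
            continue
        risks = dep.runtime_risks() if dep else []
        if runtime_risk and runtime_risk not in risks:
            continue
        exposure = 1 if "internet-exposed" in risks else 0
        ranked.append((exposure, a.epss, a.cvss, a.alert_id))
    ranked.sort(key=lambda t: t[:3], reverse=True)  # exposed, then EPSS, then CVSS
    return [t[3] for t in ranked]

# Constructed sample data: two deployed artifacts, one never deployed.
SAMPLE_DEPLOYMENTS = [
    DeploymentRecord("sha256:aaa", "prod", internet_exposed=True, sensitive_data=True),
    DeploymentRecord("sha256:bbb", "prod", internet_exposed=False, sensitive_data=True),
]
SAMPLE_ALERTS = [
    Alert(1, "sha256:aaa", cvss=7.5, epss=0.02),
    Alert(2, "sha256:bbb", cvss=9.8, epss=0.60),
    Alert(3, "sha256:ccc", cvss=9.8, epss=0.90),   # critical, but not running anywhere
    Alert(4, "sha256:aaa", cvss=5.3, epss=0.45),
]
```

Note how alert 3, the highest-scoring one, is excluded outright because its artifact has no deployment record, while a medium-severity alert on an internet-facing workload moves to the top.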

  • Artifact attestations: GitHub’s attest-build-provenance action can automatically create storage records when you publish artifacts.
  • Partner integrations: Microsoft Defender for Cloud and JFrog Artifactory can send records directly to GitHub.
  • REST API: Upload storage and deployment records programmatically for any artifact, from any source.

Additional resources

Join the discussion in GitHub Community.