Improper Artifact Integrity Validation

This vulnerability occurs when build or deployment pipelines fail to verify the authenticity and integrity of artifacts (e.g., binaries, container images, or packages) before promotion or deployment. Attackers may tamper with artifacts in transit or compromise intermediate storage (artifact repositories, registries, caches), leading to execution of malicious code in production. Relying only on filenames, timestamps, or repository trust without cryptographic validation exposes the supply chain to substitution or replay attacks.

Remediation:

  • Enforce mandatory cryptographic signing (e.g., GPG, Cosign, Sigstore) of all build artifacts at creation time.
  • Verify signatures and checksums before artifact promotion or deployment; fail builds if validation is missing or invalid.
  • Restrict artifact repository access to signed uploads only, and configure clients to reject unsigned or unverified art
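
The promotion gate the three remediation points describe, as an added example that is not part of this page: it uses Go's standard-library ed25519 and sha256 packages as a stand-in for GPG or Cosign. The build step signs a statement binding the artifact name, version and SHA-256 digest; the deploy step recomputes the digest from the bytes it actually fetched and verifies the signature against a pinned public key, refusing promotion when the attestation is missing, the bytes differ from the attested digest, the signature comes from an untrusted key, or a valid attestation for another version is replayed. The artifact bytes, the name demo-service and the version numbers are constructed for the demo, and the key pair is generated in-process where a real pipeline would load it from a KMS or HSM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Attestation travels with the artifact through the registry. The signed
// statement covers name, version and digest together, so an attestation
// issued for one release cannot be replayed against another.
type Attestation struct {
	Digest    string // hex SHA-256 of the artifact bytes
	Signature []byte // ed25519 signature over statement(name, version, Digest)
}

var (
	ErrMissingAttestation = errors.New("promotion refused: no attestation for artifact")
	ErrDigestMismatch     = errors.New("promotion refused: artifact bytes do not match attested digest")
	ErrBadSignature       = errors.New("promotion refused: attestation not valid for this artifact under the trusted key")
)

// statement is the exact byte string that is signed at build time and verified at deploy time.
func statement(name, version, digest string) []byte {
	return []byte(fmt.Sprintf("artifact:%s@%s sha256:%s", name, version, digest))
}

func digestOf(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// Sign is the build-time step: it runs once, on the build host, with the pipeline's private key.
func Sign(priv ed25519.PrivateKey, name, version string, artifact []byte) Attestation {
	d := digestOf(artifact)
	return Attestation{Digest: d, Signature: ed25519.Sign(priv, statement(name, version, d))}
}

// VerifyForPromotion is the gate a deploy job runs on the bytes it actually fetched.
// It trusts only the public key pinned in the pipeline, never the registry, the
// filename or the upload timestamp, and it fails closed on every error path.
func VerifyForPromotion(pub ed25519.PublicKey, name, version string, artifact []byte, att *Attestation) error {
	if att == nil {
		return ErrMissingAttestation
	}
	d := digestOf(artifact)
	if att.Digest != d {
		return ErrDigestMismatch
	}
	// The deployer supplies the identity it intends to promote; an attestation for any
	// other name or version produces a different statement and fails verification.
	if !ed25519.Verify(pub, statement(name, version, d), att.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed for the demo: a real pipeline loads the signing key from a KMS/HSM.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	release := []byte("constructed sample build output for demo-service 1.2.3")
	att := Sign(priv, "demo-service", "1.2.3", release)

	fmt.Println("genuine:   ", VerifyForPromotion(pub, "demo-service", "1.2.3", release, &att))
	fmt.Println("missing:   ", VerifyForPromotion(pub, "demo-service", "1.2.3", release, nil))

	// Bytes altered in the registry or cache: digest no longer matches the attestation.
	tampered := append([]byte(nil), release...)
	tampered[0] ^= 0x01
	fmt.Println("tampered:  ", VerifyForPromotion(pub, "demo-service", "1.2.3", tampered, &att))

	// Substituted artifact carrying an attestation from a key the pipeline does not trust.
	_, untrusted, _ := ed25519.GenerateKey(rand.Reader)
	substituted := Sign(untrusted, "demo-service", "1.2.3", tampered)
	fmt.Println("untrusted: ", VerifyForPromotion(pub, "demo-service", "1.2.3", tampered, &substituted))

	// Valid attestation for 1.2.3 presented when 1.2.4 is being promoted.
	fmt.Println("replayed:  ", VerifyForPromotion(pub, "demo-service", "1.2.4", release, &att))
}
```

Running it prints `<nil>` for the genuine case and one of the three refusal errors for each of the other cases. The same shape maps onto a real pipeline step such as `cosign verify` with a pinned key: the deploy job must compute the check on the bytes it will run, compare against a signed digest, and treat a missing or unverifiable attestation exactly like an invalid one.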

Metadata

  • Severity: low
  • Slug: improper-artifact-integrity-validation

CWEs

  • 494: Download of Code Without Integrity Check
  • 345: Insufficient Verification of Data Authenticity
  • 353: Missing Support for Integrity Check
  • 829: Inclusion of Functionality from Untrusted Control Sphere

OWASP

  • A08:2021: Software and Data Integrity Failures
  • A09:2021: Security Logging and Monitoring Failures