Tags: artifact, binary artifact, SBOM, signature, semver, container image

Artifacts & Binary Artifacts: Repository, Versioning & SBOM

Binary artifacts, immutability, release vs snapshot, checksums, signatures, SBOM, and promotion strategies for secure supply chains.


schutzgeist

2 min read

Binary Artifacts and Artifacts

This article defines the terms artifact and binary artifact, including exam questions, core components, and tags.

In a Nutshell

  • An artifact is any project result (documentation, model, test report, code).
  • A binary artifact is the machine-readable product of a build (executable, library, package, container image).

Compact Technical Description

Binary artifacts are created through compilation/linking/packaging/image builds, e.g.:

  • JAR, DLL, EXE
  • NPM package, Python wheel
  • Docker/OCI image

They are versioned and stored in an artifact repository – with metadata (version, commit, build number), checksums, and ideally signatures.

Important principles:

  • Immutability: Do not overwrite releases.
  • Build once, promote: the same artifact moves through Dev → Staging → Prod.
  • Supply-chain security: SBOM, scans, attestations.

Exam-Relevant Key Points

  • Clearly separate artifact from binary artifact
  • Release vs snapshot
  • Semantic versioning
  • Checksums/signatures/SBOM as evidence
  • Reproducible builds (lockfiles, fixed toolchain)
  • Policies before deployment (scans, signature verification)
  • Retention/archiving (compliance)

Core Components

  1. Source artifacts (code, IaC, documentation)
  2. Build system/packager/image builder
  3. Binary artifact formats
  4. Metadata (version/commit)
  5. Quality reports (tests/coverage/linter)
  6. Security (SBOM/scan/signature)
  7. Artifact repository/registry
  8. Promotion path
  9. Consumption (package managers/lockfiles)
  10. Governance (retention/ACL)

Practical Example (Container Release)

1) CI builds JAR + container image v1.4.0
2) Generate SBOM + SHA256 + signature
3) Push to registry/artifact repo
4) Deploy to staging, run tests
5) Approval -> promotion to prod (same artifact)
6) Release notes + retention (e.g. 12 months)
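Steps 2) to 5) above as executable policy, added here as an example and not code from the original post: a minimal in-memory stand-in for an artifact repository that refuses to overwrite releases (but allows snapshots), plus a promotion gate that re-checks the SHA256 against the recorded checksum, requires a signature reference and a non-empty SBOM, and rejects snapshot versions. The artifact bytes, SBOM contents and signature reference are constructed sample values; real deployments verify the signature with the signing tool itself.

```python
import hashlib
import re

# Constructed sample artifact bytes and SBOM; a real build would produce these.
ARTIFACT_V140 = b"PK\x03\x04 constructed-jar-bytes for app 1.4.0"
SBOM_V140 = {"components": ["org.example:lib:2.1.0", "org.example:core:1.0.3"]}
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_release(version: str) -> bool:
    """Plain semver (1.4.0) is a release; a pre-release suffix (1.5.0-SNAPSHOT) marks a snapshot."""
    m = SEMVER.match(version)
    if m is None:
        raise ValueError(f"not semantic versioning: {version!r}")
    return m.group(4) is None

class ArtifactRepo:
    """In-memory stand-in for a repository that enforces immutability of release versions."""

    def __init__(self) -> None:
        self._store: dict = {}

    def push(self, name: str, version: str, data: bytes, meta: dict) -> None:
        key = (name, version)
        if key in self._store and is_release(version):
            raise PermissionError(f"{name}:{version} is an immutable release")
        self._store[key] = (data, meta)   # snapshots may be re-pushed

    def get(self, name: str, version: str):
        return self._store[(name, version)]

def promotion_gate(repo: ArtifactRepo, name: str, version: str) -> list:
    """Checks before promoting staging -> prod; an empty list means: promote this same artifact."""
    data, meta = repo.get(name, version)
    problems = []
    if not is_release(version):
        problems.append("snapshot versions are not promotable")
    if sha256_hex(data) != meta.get("sha256"):          # stored bytes vs checksum recorded by CI
        problems.append("SHA256 does not match recorded checksum")
    if not meta.get("signature"):                        # presence only; verify with the signing tool
        problems.append("no signature recorded")
    if not (meta.get("sbom") or {}).get("components"):   # evidence of what is inside the artifact
        problems.append("SBOM missing or empty")
    return problems
```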

Advantages and Disadvantages

Advantages

  • Traceability + reproducibility
  • Security through signatures/SBOM
  • Clean releases + rollbacks

Disadvantages

  • Storage and governance overhead
  • Tool complexity with many formats

Typical Exam Questions (with Brief Answers)

  1. Artifact vs binary artifact? Artifact = any result; binary artifact = build product.
  2. Why immutable releases? Reproducibility and security.
  3. What is SBOM for? Component/license/vulnerability transparency.

Most Important Sources

  1. https://reproducible-builds.org
  2. https://semver.org/lang/de