Software delivery startup Harness Inc. announced today the general availability of Artifact Registry, a new product release that securely manages software packages within the integration and delivery lifecycle.

The Harness Artifact Registry works with any file or collection of files generated during the development lifecycle, serving as a tangible way to track the build, test and deployment process. These machine-generated outputs can be compiled binaries, container images or configuration files — all the outputs created during the development process.

They are stored centrally and managed to ensure consistency from development to production. According to Harness, the vision of the artifact registry is to maintain management as close to development as possible so that developers do not need to leave their development cycle to access their workflow.

The company said the concept began as a concept within Harness and moved rapidly from a concept to a core product. It started with a single design partner and rapidly expanded to double enterprise partners pre-GA.

Today, Artifact Registry supports a broad range of formats, including containers, package ecosystems and artificial intelligence models, including Docker, Helm, Python, Go, NuNet, Dart, Conda and more, with additional support on the way.

Harness likened the current industry problem to artifacts being similar to LEGO or Tinkertoy constructs, which serve as the scaffolding for completing software projects. Builds generate them, rollbacks depend on them and governance decisions refer to them. However, registries traditionally operate as external storage and remain disconnected from integration and delivery or policy enforcement.

This separation has taken a critical role in addressing security issues, such as supply chain attacks, where malicious code can be embedded in trusted binaries that can infiltrate thousands of organizations. The Solarwinds WorldWide LLC breach discovered in 2020 became the quintessential headline for how such code can have profound effects on every downstream user of its software. More recently, Shai-Hulud compromised hundreds of npm packages across thousands of repositories.

To combat this, Harness adds security scanning as a built-in process as part of registry work because it’s part of the integration and delivery lifecycle. Instead of stitching together fragmented tools to develop, build, test and deploy, everything happens together under one roof, including the use of artifacts that provide proactive risk management applied at the earliest possible stage, rather than after an issue surfaces.

On the security side, Artifact Registry uses a dependency firewall, a registry-level enforcement control to check dependencies for vulnerabilities. This means that instead of a downstream continuous integration scan after a package is added to a build, the firewall evaluates requests in real time as artifacts are added to the registry. That means they get checked as they’re brought on board and updated. Policies can also automatically block components with known issues, license violations, excessive severity thresholds or untrusted sources before they are brought on board.

Anything that falls outside of policy or automated checkup can be quarantined for a human checkup in order to catch edge cases.

The company said today’s general availability of Artifact Registry is only the beginning and it will remain a core pillar of the platform. Harness intends to expand package ecosystem support, add advanced lifecycle management and auditing capabilities, enhance integration with security tools and the developer portal, and add AI-powered agents for open-source software governance and automation.

Photo: Pixabay