Integrity Violation Explainability
Runtime continuously monitors running container images for integrity discrepancies by comparing them against their source artifacts in JFrog Artifactory. When a violation is detected, Runtime provides a detailed explainability view that helps security teams understand what happened, where it happened, and what to do about it.
Integrity violations are detected automatically — no additional configuration is required beyond having Runtime installed and connected to your JFrog Platform.
Why Integrity Matters
Container images in production should match the artifacts that were built, tested, and stored in Artifactory. When they don't, it could mean:
- An image was tampered with in transit or at the node level
- An unauthorized image was deployed outside the approved CI/CD pipeline
- A validated artifact was deleted from the registry while still running in production
- A mutable tag (like
latest) was overwritten, causing a drift between what's running and what's stored
Runtime detects these scenarios and classifies them into three violation types, each with a severity level reflecting the urgency of response.
Violation Types
Digest Mismatch — Critical
What it means: The SHA256 digest of the image running in your cluster does not match the digest stored in Artifactory for the same image tag.
Why it's Critical: This discrepancy indicates potential image tampering, a man-in-the-middle attack during image pull, or a mis-deployment event where the wrong artifact was pulled. The binary running in your cluster is not the binary that was scanned and approved.
Evidence displayed:
| Field | Description |
|---|---|
| Runtime Digest (Actual) | The SHA256 digest of the image currently running in the cluster |
| Artifactory Digest (Expected) | The SHA256 digest stored in Artifactory for this image tag |
Both digests include copy-to-clipboard functionality. The Artifactory digest provides a direct link to view the artifact in Artifactory for further investigation.
Triggered when: integrity_status = InvalidImageIntegrity and the image tag is immutable (e.g., v1.0.0, 1.2.3-alpine, semver patterns, commit SHAs).
Recommended actions:
- Treat as a security incident. The image may have been modified in transit or at the node level.
- Trace the source. Check the Deployed By and Build Owner fields in the Image Details view to contact the responsible engineer.
- Isolate the workload to prevent further exposure.
- Force a redeployment of the pod to pull the correct verified image from Artifactory.
Missing Source — High
What it means: The image is actively running in your cluster, but the source artifact could not be found in the Artifactory registry.
Why it's High: Without the source artifact, JFrog Xray cannot scan the image for vulnerabilities, meaning you are blind to any new CVEs. This may indicate the artifact was deleted (accidentally or by a cleanup policy), or that an unapproved image was sideloaded into the cluster, bypassing Artifactory entirely (Shadow IT).
Evidence displayed:
| Field | Description |
|---|---|
| Status | "Artifact Not Found" — the artifact does not exist in Artifactory |
| Registry Path | The path where the artifact was expected to be found |
Triggered when: integrity_status = InvalidImageSource.
Recommended actions:
- Check retention policies. Verify if the artifact was deleted by a cleanup policy or pruning job while the application was still live.
- Validate origin. Confirm whether this image was deployed directly to the cluster, bypassing the Artifactory registry.
- Assess risk. Since the source is missing, Xray cannot scan this artifact — you are blind to new vulnerabilities.
- Remediate:
- If deleted in error: Restore the artifact from the Artifactory Trash Can, or rebuild and push it to Artifactory.
- If unauthorized: Terminate the workload immediately.
Post-Deployment Tag Update — Medium
What it means: The source image tag was updated in Artifactory after this running instance was deployed to the cluster. The code running in production differs from the code currently stored under this tag in Artifactory.
Why it's Medium: This typically indicates the use of mutable image tags (e.g., latest, main, dev) where a CI/CD pipeline pushed a new build to the same tag without triggering a redeployment. While not necessarily malicious, it means your running environment has drifted from what's stored in Artifactory, which can cause confusion during incident response and makes it harder to reproduce issues.
Evidence displayed:
| Field | Description |
|---|---|
| Deployment Time | When the image was originally deployed to the cluster |
| Tag Update Time | When the image tag was updated in Artifactory |
| Time Difference | The elapsed time between deployment and the tag update (displayed as a badge between the two timestamps) |
| Runtime Digest (Actual) | The SHA256 digest of the currently running image |
| Artifactory Digest (Expected) | The SHA256 digest now stored in Artifactory for this tag |
The timeline visualization shows the deployment and update events with an arrow and time difference badge, making it easy to see when the drift occurred.
Triggered when: integrity_status = InvalidImageIntegrity and the image tag is mutable (e.g., latest, main, master, dev, develop, staging, stable, nightly, edge, canary, alpha, beta, rc, snapshot, head).
Recommended actions:
- Check CI/CD activity. Verify if a pipeline recently pushed a new build to the same tag without triggering a deployment to this cluster.
- Short-term fix: Restart the workload to pull the updated image from Artifactory. Ensure
imagePullPolicyis set appropriately (e.g.,Alwaysfor mutable tags). - Long-term fix: Switch to using immutable tags or digest-based deployments (SHA256) to ensure the running version always matches the tested version.
Explainability View Structure
When you open the Integrity Violation tab for an affected image, the view is organized into three collapsible sections:
1. Evidence — "What was found?"
Displays the forensic details that prove the violation exists. The content varies by violation type:
- Digest Mismatch: Side-by-side digest comparison with copy and Artifactory link
- Missing Source: Artifact Not Found status with registry path
- Post-Deployment Tag Update: Deployment-to-update timeline with time difference, plus digest comparison
2. Location — "Where is the Violation?"
Shows the exact infrastructure context:
| Field | Description |
|---|---|
| First Detected | When Runtime first identified the integrity discrepancy |
| Cluster | The Kubernetes cluster running the affected image |
| Namespace | The namespace containing the workload |
| Workload | The Kubernetes workload (Deployment, StatefulSet, DaemonSet, etc.) |
| Node | The specific cluster node running the container |
3. Recommendations — "What Steps are Recommended?"
Provides violation-specific remediation guidance including:
- Root cause investigation steps
- Immediate actions to contain the risk
- Long-term improvements to prevent recurrence
How to Access
- Navigate to Runtime > Live Assessment > Images.
- Look for images with the Integrity Violation risk badge.
- Click on the image tag to open Image Tag Details.
- Select the Integrity Violation tab.
You can also filter the Images table by the Integrity Violation risk to see only affected images. The Live Assessment Highlights widget on the Dashboard Overview shows the total count of integrity violations and affected images.
How Detection Works
Runtime compares running container images against Artifactory through the following process:
- Runtime sensors report the SHA256 digest of each running container image.
- The Runtime service looks up the corresponding artifact in Artifactory using the image name, tag, and registry path.
- The digests are compared:
- If the artifact is not found in Artifactory →
Missing Source - If the digests don't match and the tag is immutable →
Digest Mismatch - If the digests don't match and the tag is mutable →
Post-Deployment Tag Update - If digests match → no violation
- If the artifact is not found in Artifactory →
- When a violation is detected, the system records the violation type, both digests, timestamps, and the infrastructure location (cluster, namespace, workload, node).
Mutable Tag Detection
Runtime classifies the following tags as mutable: latest, main, master, dev, develop, development, staging, stage, stable, nightly, edge, canary, alpha, beta, rc, snapshot, head. Tag matching is case-insensitive.
All other tags — including semver patterns (e.g., v1.0.0, 1.2.3-alpine), commit SHAs, and date-based tags (e.g., release-20240101) — are treated as immutable.
Integration with Other Runtime Features
- Live Assessment Highlights: The integrity violations count appears in the Dashboard Overview highlights widget, showing the total number of violations and affected images across your environment.
- Workload Automation (Workers): Integrity violation events can trigger Workers for automated response (e.g., notify Slack, create a Jira ticket, trigger a redeployment). The event payload includes the violation type, image details, and workload context.
- Risk Filtering: The Integrity Violation risk key (
integrity_violation) can be used to filter workloads, images, and processes in the Live Assessment dashboard. - Untrusted Registry vs. Integrity Violation: These are distinct risks. Untrusted Registry means the image was pulled from an unverified registry. Integrity Violation means the image was expected in Artifactory but doesn't match or is missing. An image can have both risks simultaneously.
Updated about 20 hours ago