File Integrity in CI/CD Pipelines
How to verify artifact hashes in CI/CD — Docker image digests, npm lockfiles, and build verification.
Tags: file integrity CI/CD, CI artifact hash verification, supply chain security checksums
A build pipeline that downloads dependencies, base images, or release artifacts without hash verification is a supply chain attack surface. This guide shows concrete patterns for verifying artifact integrity at each stage of a CI/CD workflow.

Why Pipelines Need Hash Verification

Every external dependency in your pipeline — base Docker images, npm packages, downloaded binaries, cloud provider CLI tools — is a potential attack vector. Supply chain attacks have grown dramatically since 2020:

- The SolarWinds attack injected malicious code into a build pipeline.
- Dependency confusion attacks trick package managers into downloading attacker-controlled packages.
- Compromised CDN mirrors serve modified binaries with legitimate URLs.

Hash verification…
Frequently Asked Questions
How do I verify file hashes in GitHub Actions?
Use the `sha256sum --check` command in a run step. Download the file and the expected checksum file from a trusted source, then run `sha256sum --check checksums.txt`. The step fails if any hash does not match, blocking the pipeline.
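The check described above, as an added example that is not part of the original page: `sha256sum --check` verifies only the files named in the checksum list, so this wrapper fails closed when the downloaded artifact has no entry, or more than one. The helper name `verify_artifact`, the exit codes and the sample file names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): fail-closed check of ONE
# downloaded artifact against a pinned checksums file in sha256sum format.

# verify_artifact FILE CHECKSUMS  (hypothetical helper name)
# 0 = hash matches; 1 = mismatch; 2 = bad input; 3 = no unique valid entry.
# Assumes artifact names without whitespace.
verify_artifact() {
  local file="$1" sums="$2" name expected actual
  [ -f "$file" ] && [ -f "$sums" ] || { echo "missing input file" >&2; return 2; }
  name=$(basename -- "$file")

  # Lines look like "<hex>  name" (text mode) or "<hex> *name" (binary mode).
  # Require exactly one entry so a duplicate line cannot shadow the pinned one.
  expected=$(awk -v n="$name" '
    { f = $2; sub(/^\*/, "", f) }
    f == n { hits++; h = tolower($1) }
    END { if (hits != 1) exit 1; print h }' "$sums") ||
    { echo "$name: no unique entry in checksums file" >&2; return 3; }

  # A SHA-256 digest is exactly 64 hex characters; reject anything else.
  case $expected in *[!0-9a-f]*) echo "$name: malformed hash" >&2; return 3 ;; esac
  [ "${#expected}" -eq 64 ] || { echo "$name: malformed hash" >&2; return 3; }

  # Hash from stdin so the output is never affected by the file name.
  actual=$(sha256sum < "$file" | awk '{ print $1 }')
  [ "$actual" = "$expected" ] && return 0
  echo "$name: HASH MISMATCH (expected $expected, got $actual)" >&2
  return 1
}

# Constructed sample data: a listed artifact, a second download that the
# checksums file does not mention, then the listed artifact after tampering.
demo() {
  local d rc f
  d=$(mktemp -d) || return 2
  printf 'release 1.0 contents\n' > "$d/tool.tar.gz"
  printf 'unexpected extra download\n' > "$d/unlisted.bin"
  (cd "$d" && sha256sum tool.tar.gz > checksums.txt)
  for f in tool.tar.gz unlisted.bin; do
    rc=0; verify_artifact "$d/$f" "$d/checksums.txt" 2>/dev/null || rc=$?
    echo "$f -> exit $rc"
  done
  printf 'injected' >> "$d/tool.tar.gz"
  rc=0; verify_artifact "$d/tool.tar.gz" "$d/checksums.txt" 2>/dev/null || rc=$?
  echo "tool.tar.gz (modified) -> exit $rc"
  rm -rf "$d"
}
demo
```

In a pipeline step, call `verify_artifact` once per downloaded file; any non-zero exit code fails the step.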
What is supply chain security for builds?
Supply chain security for builds means ensuring that every dependency, base image, and tool your pipeline uses is the exact version you intended — verified by hash or cryptographic signature. SLSA (Supply-chain Levels for Software Artifacts) is a framework published by Google and the OpenSSF for formalizing these guarantees.
How do I pin Docker images with SHA digests?
Use the image digest instead of a tag: `FROM ubuntu@sha256:abc123...` in your Dockerfile. Docker tags are mutable (they can be updated to point to a new image), but a content-addressed digest is immutable. Get the digest with `docker pull ubuntu:22.04 && docker inspect --format '{{index .RepoDigests 0}}' ubuntu:22.04`.
What is npm lockfile integrity?
Each entry in package-lock.json includes an `integrity` field containing a Subresource Integrity (SRI) hash (e.g., `sha512-abc...`). When you run `npm ci`, npm computes the hash of each downloaded tarball and compares it to the lockfile value, refusing to install if they differ.
What are reproducible builds?
Reproducible builds are a practice in which the same source code always produces the exact same binary artifact when built with the same tools and environment. This allows independent verification that a published binary matches its source code. The Reproducible Builds project documents techniques for achieving this across language ecosystems.