OCI Artifact Security

OCI artifacts extend the container registry model beyond images to store Helm charts, WASM modules, Cosign signatures, and SBOM attestations. As organizations adopt OCI registries as a universal artifact store, these non-image artifacts become a supply chain attack surface in their own right: they are pulled and applied by automation, and anyone who can write to the registry can replace them as easily as an image.

Verified by Precogs Threat Research
Tags: oci, helm, wasm, supply-chain, sbom. Updated: 2026-03-26

Beyond Container Images

The OCI Distribution Specification allows registries like Docker Hub, GitHub Container Registry, and AWS ECR to store arbitrary artifact types. Helm charts, Cosign signatures, Notation signatures, WASM binaries, and SBOMs are all stored as OCI artifacts, distinguished only by the media types in their manifests. Each artifact type carries its own security risks, from unsigned Helm charts that deploy privileged pods to WASM modules whose imported host functions call into memory-unsafe host code.

Supply Chain Risks in OCI Artifacts

OCI artifacts are consumed by automation pipelines with minimal human review. A tampered Helm chart can deploy cryptominers alongside legitimate workloads. An unsigned WASM module can call any host function the runtime exposes to it. A malicious SBOM attestation, for example one whose subject does not actually bind it to the image being admitted, can trick a policy engine into approving a vulnerable image. Without content-addressable references (digest pinning), tag-based references can be silently repointed to different content, which is what registry poisoning exploits.
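The SBOM attestation point above is worth making concrete. The check a policy engine must do is to bind the attestation's subject to the digest of the image being admitted, not to look it up by tag. The following is an added example, not Precogs AI or Cosign code; it assumes the DSSE envelope has already been signature-checked (for instance by `cosign verify-attestation`) and that the decoded in-toto Statement is available as a dict. The image manifest and both statements are constructed sample data.

```python
"""Bind an SBOM attestation to the exact image it claims to describe.

Added example, not Precogs AI or Cosign code. It assumes the DSSE envelope
carrying the attestation has already been signature-checked (for instance by
`cosign verify-attestation`) and that the decoded in-toto Statement is
available as a dict. The image manifest and the two statements below are
constructed sample data.
"""
import hashlib
import json

IN_TOTO_STATEMENT_TYPES = {
    "https://in-toto.io/Statement/v0.1",
    "https://in-toto.io/Statement/v1",
}
# Predicate types cosign emits for `cosign attest --type spdxjson|cyclonedx`.
SBOM_PREDICATE_TYPES = {
    "https://spdx.dev/Document",
    "https://cyclonedx.org/bom",
}


def manifest_digest(manifest_bytes):
    """An OCI digest is sha256 over the manifest bytes exactly as stored."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def sbom_attests_to(statement, image_name, image_digest):
    """Return (ok, reason).

    ok is True only if the statement is an SBOM attestation with a subject that
    names this repository at exactly this manifest digest. A policy engine that
    skips the subject check can be fed a clean SBOM for some other image.
    """
    if statement.get("_type") not in IN_TOTO_STATEMENT_TYPES:
        return False, "not an in-toto statement"
    predicate_type = statement.get("predicateType")
    if predicate_type not in SBOM_PREDICATE_TYPES:
        return False, "predicateType %r is not an SBOM" % predicate_type
    want_hex = image_digest.split(":", 1)[1]
    for subject in statement.get("subject", []):
        if subject.get("name") != image_name:
            continue
        if subject.get("digest", {}).get("sha256") == want_hex:
            return True, "subject binds %s to %s" % (image_name, image_digest)
    return False, "no subject binds %s to %s" % (image_name, image_digest)


# Constructed sample: the image manifest a registry would serve for the tag.
IMAGE_NAME = "registry.example.com/app/api"
IMAGE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "11" * 32, "size": 1234},
    "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                "digest": "sha256:" + "22" * 32, "size": 9876}],
}, separators=(",", ":")).encode()
IMAGE_DIGEST = manifest_digest(IMAGE_MANIFEST)


def _statement(subject_hex):
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://spdx.dev/Document",
        "subject": [{"name": IMAGE_NAME, "digest": {"sha256": subject_hex}}],
        "predicate": {"spdxVersion": "SPDX-2.3", "packages": []},
    }


# Honest attestation: its subject is the image actually being admitted.
GOOD_ATTESTATION = _statement(IMAGE_DIGEST.split(":", 1)[1])
# Poisoned attestation: a clean SBOM for an older build, re-attached under the
# same tag so a tag-keyed policy lookup would accept the new, unscanned image.
STALE_ATTESTATION = _statement("ab" * 32)

if __name__ == "__main__":
    for label, st in (("good", GOOD_ATTESTATION), ("stale", STALE_ATTESTATION)):
        print(label, sbom_attests_to(st, IMAGE_NAME, IMAGE_DIGEST))
```

The stale attestation is rejected even though it is a perfectly valid, signed SPDX document: the failure is in the binding, not the content. Signature verification of the envelope and the digest comparison are two separate checks, and a policy needs both.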

How Precogs AI Secures OCI Artifacts

Precogs AI inspects OCI artifacts stored in container registries — analyzing Helm chart templates for privilege escalation, scanning WASM binaries for memory corruption, verifying Cosign/Notation signature chains, and validating SBOM integrity. Our scanning covers the full OCI manifest, config, and layer blobs.

Attack Scenario: Helm Chart Registry Poisoning

1. An organization stores all Helm charts as OCI artifacts in a private container registry.
2. An attacker compromises a CI/CD service account token with push access to the registry.
3. The attacker pushes a modified Helm chart to the same, mutable tag (e.g., v3.1.0) that adds a privileged init container running a cryptominer.
4. The GitOps controller (ArgoCD/Flux) sees the tag resolve to a new digest, treats it as the chart version it already trusts, and automatically deploys it to production.
5. The cryptominer runs as a privileged init container across 200 pods, consuming GPU resources and exfiltrating the Kubernetes secrets its privileged context can reach.
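Digest pinning is the control that breaks step 4 of this scenario and is the mechanism the supply chain risks section above refers to. The following is an added example, not Precogs AI, Helm or Flux code, showing both halves of it: recording a pin from a reviewed chart manifest, and later refusing whatever the tag serves if the bytes no longer hash to the pinned digest. The registry round trip is out of scope; the manifests are constructed sample bytes standing in for what `GET /v2/<repo>/manifests/<tag>` returned, and the WASM media types are the ones used by wasm-to-oci.

```python
"""Digest pinning for OCI artifacts: record the pin, then detect tag drift.

Added example, not Precogs AI, Helm or Flux code. The manifests below are
constructed sample bytes standing in for what the distribution API returned
for a tag. A pin is only trustworthy if it was taken from the reviewed
artifact, so pin_reference() refuses to pin anything that is not a Helm chart,
and check_pinned_artifact() rejects whatever the tag serves later if its digest
differs, which is exactly the tag overwrite in the scenario above.
"""
import hashlib
import json
import re

HELM_CONFIG_TYPE = "application/vnd.cncf.helm.config.v1+json"
HELM_CHART_LAYER_TYPE = "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
_DIGEST = re.compile(r"sha256:[0-9a-f]{64}")


def manifest_digest(manifest_bytes):
    """sha256 over the exact bytes served; never re-serialise before hashing."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def is_helm_chart_manifest(manifest_bytes):
    """True if the manifest's config and layers carry Helm media types."""
    try:
        manifest = json.loads(manifest_bytes)
    except ValueError:
        return False
    config_ok = manifest.get("config", {}).get("mediaType") == HELM_CONFIG_TYPE
    layer_ok = any(layer.get("mediaType") == HELM_CHART_LAYER_TYPE
                   for layer in manifest.get("layers", []))
    return config_ok and layer_ok


def pin_reference(repo, tag, manifest_bytes):
    """Return 'repo:tag@sha256:...' for a reviewed chart manifest."""
    if not is_helm_chart_manifest(manifest_bytes):
        raise ValueError("%s:%s is not a Helm chart artifact" % (repo, tag))
    return "%s:%s@%s" % (repo, tag, manifest_digest(manifest_bytes))


def parse_pinned_ref(ref):
    """Split 'repo[:tag]@sha256:hex'; a reference without a digest is rejected."""
    name, sep, digest = ref.partition("@")
    if not sep or not _DIGEST.fullmatch(digest):
        raise ValueError("reference is not digest-pinned: %r" % ref)
    repo, tag = name, None
    head, colon, tail = name.rpartition(":")
    if colon and "/" not in tail:   # ':' after the last '/' is a tag, not a port
        repo, tag = head, tail
    return repo, tag, digest


def check_pinned_artifact(pinned_ref, served_manifest):
    """Return (ok, reason) for the manifest bytes the tag resolves to now."""
    repo, tag, pinned = parse_pinned_ref(pinned_ref)
    actual = manifest_digest(served_manifest)
    if actual != pinned:
        return False, ("%s:%s now resolves to %s, pinned %s: tag overwritten"
                       % (repo, tag, actual, pinned))
    return True, "%s:%s matches pinned digest %s" % (repo, tag, pinned)


def _manifest(config_type, layer_type, layer_digest_byte):
    return json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {"mediaType": config_type, "digest": "sha256:" + "01" * 32, "size": 180},
        "layers": [{"mediaType": layer_type, "digest": "sha256:" + layer_digest_byte * 32,
                    "size": 4096}],
    }, separators=(",", ":")).encode()


# Constructed samples: the reviewed chart, the attacker's re-push to the same
# tag, and a WASM module (wasm-to-oci media types) pushed into the chart repo.
REPO = "registry.example.com:5000/charts/payment-service"
APPROVED_MANIFEST = _manifest(HELM_CONFIG_TYPE, HELM_CHART_LAYER_TYPE, "aa")
TAMPERED_MANIFEST = _manifest(HELM_CONFIG_TYPE, HELM_CHART_LAYER_TYPE, "bb")
WASM_MANIFEST = _manifest("application/vnd.wasm.config.v1+json",
                          "application/vnd.wasm.content.layer.v1+wasm", "cc")
PINNED_REF = pin_reference(REPO, "3.1.0", APPROVED_MANIFEST)

if __name__ == "__main__":
    print(PINNED_REF)
    print(check_pinned_artifact(PINNED_REF, APPROVED_MANIFEST))
    print(check_pinned_artifact(PINNED_REF, TAMPERED_MANIFEST))
    print(is_helm_chart_manifest(WASM_MANIFEST))
```

Two details matter in practice: hash the manifest bytes exactly as the registry returned them (re-serialising JSON changes the digest), and treat a reference with a tag but no digest as a policy failure rather than resolving it on the fly, since resolving it is precisely what the attacker in the scenario relies on.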

Real-World Code Examples

Unsigned Helm Chart Deployment (CWE-345)

Helm charts stored as OCI artifacts can be silently replaced if the registry lacks immutable tags or access controls. Without cryptographic signature verification (Cosign, Notation), deployment pipelines blindly trust whatever artifact is stored at a given tag, enabling supply chain injection.

VULNERABLE PATTERN
# VULNERABLE: Deploying a Helm chart without signature verification
# An attacker who gains write access to the OCI registry can replace the chart
apiVersion: v2
name: payment-service
version: 3.1.0
# No provenance file (.prov) attached
# No Cosign signature verified before install
---
# deploy.sh
helm install payment-service oci://registry.example.com/charts/payment-service --version 3.1.0
SECURE FIX
# SAFE: pull the chart, verify the Cosign signature against the exact digest
# that was pulled, and install only that local tarball, so the tag cannot be
# swapped between verification and deployment
set -euo pipefail
REPO="registry.example.com/charts/payment-service"

helm pull "oci://${REPO}" --version 3.1.0 --destination ./chart 2>&1 | tee pull.log
DIGEST="$(sed -n 's/^Digest: //p' pull.log)"
[ -n "${DIGEST}" ] || { echo "could not read chart digest from helm pull" >&2; exit 1; }

# cosign verify exits non-zero when no valid signature covers this digest;
# with set -e that aborts the script before helm install can run
cosign verify --key cosign.pub "${REPO}@${DIGEST}"

# Only deploy what was verified: the local tarball, not a fresh registry fetch.
# (helm's own --verify flag checks a PGP .prov file, a separate mechanism
# from Cosign; no .prov is pushed with this chart, so it is not used here.)
helm install payment-service ./chart/payment-service-3.1.0.tgz

Detection & Prevention Checklist

  • Enforce Cosign or Notation signature verification on all OCI artifact pulls in CI/CD pipelines
  • Pin OCI artifact references by digest (sha256) rather than mutable tags
  • Enable registry immutable tags or content trust policies to prevent tag overwrites
  • Scan Helm chart templates for privileged containers, hostPath mounts, and excessive RBAC before deployment
  • Validate SBOM attestations against the actual image content to detect discrepancies
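The template-scanning item in the checklist is the one that would have caught the privileged init container in the attack scenario before it reached a cluster. The following is an added example, not Precogs AI code, of such a scan over rendered Helm output. It works on Kubernetes objects already parsed into dicts; when run as a script it reads one JSON object per line from stdin, which is what `helm template <chart> | yq -o=json -I=0 '.'` produces (that pipeline is an assumption about your tooling, not something the page describes). The objects at the bottom are constructed sample data modelled on the scenario.

```python
"""Scan rendered Helm output for the dangerous constructs the checklist names.

Added example, not Precogs AI code. Works on Kubernetes objects already parsed
into dicts; as a script it reads one JSON object per line from stdin (the
output of `helm template <chart> | yq -o=json -I=0 '.'`, an assumed pipeline).
Falls back to the constructed sample objects below when stdin is a terminal.
"""
import json
import sys

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec(obj):
    """Locate the PodSpec inside a workload object, or None if it has none."""
    kind, spec = obj.get("kind"), obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec, kind = spec.get("jobTemplate", {}).get("spec", {}), "Job"
    if kind in WORKLOAD_KINDS:
        return spec.get("template", {}).get("spec")
    return None


def scan_object(obj):
    """Return a list of finding strings for one rendered Kubernetes object."""
    findings = []
    kind = obj.get("kind")
    ident = "%s/%s" % (kind, obj.get("metadata", {}).get("name"))
    spec = pod_spec(obj)
    if spec is not None:
        # Init and ephemeral containers are checked too: the scenario's miner
        # hides in an init container, which a containers-only scan would miss.
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(field, []):
                if c.get("securityContext", {}).get("privileged"):
                    findings.append("%s: %s %r is privileged" % (ident, field, c.get("name")))
        for v in spec.get("volumes", []):
            if "hostPath" in v:
                findings.append("%s: volume %r mounts hostPath %s"
                                % (ident, v.get("name"), v["hostPath"].get("path")))
        for flag in ("hostPID", "hostNetwork", "hostIPC"):
            if spec.get(flag):
                findings.append("%s: %s is enabled" % (ident, flag))
    if kind in {"ClusterRoleBinding", "RoleBinding"}:
        if obj.get("roleRef", {}).get("name") == "cluster-admin":
            findings.append("%s: binds cluster-admin" % ident)
    if kind in {"ClusterRole", "Role"}:
        for rule in obj.get("rules", []):
            if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
                findings.append("%s: wildcard verbs on wildcard resources" % ident)
                break
    return findings


def scan_objects(objects):
    return [f for obj in objects for f in scan_object(obj)]


# Constructed samples: the poisoned chart's Deployment and RBAC, and a clean one.
TAMPERED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payment-service"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "warmup", "image": "registry.example.com/tools/warmup:1",
                            "securityContext": {"privileged": True}}],
        "containers": [{"name": "api", "image": "registry.example.com/app/payment:3.1.0"}],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    }}},
}
ADMIN_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "payment-service-admin"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "payment-service", "namespace": "payments"}],
}
CLEAN_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payment-service"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "api", "image": "registry.example.com/app/payment:3.1.0",
                        "securityContext": {"privileged": False,
                                            "allowPrivilegeEscalation": False}}],
    }}},
}
SAMPLE_OBJECTS = [TAMPERED_DEPLOYMENT, ADMIN_BINDING, CLEAN_DEPLOYMENT]


def main():
    if sys.stdin.isatty():
        objects = SAMPLE_OBJECTS
    else:
        objects = [json.loads(line) for line in sys.stdin if line.strip()]
    findings = scan_objects(objects)
    for finding in findings:
        print(finding)
    return 1 if findings else 0   # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a pipeline stage after `helm template` and before any signature-gated install: a non-zero exit on findings blocks the deployment regardless of whether the chart was signed, which matters because a stolen push token, as in the scenario, may well come with the ability to sign.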

How Precogs AI Protects You

Precogs AI scans OCI artifacts in container registries — verifying signatures, analyzing Helm chart templates for misconfigurations, inspecting WASM binaries for memory corruption, and validating SBOM attestation integrity before artifacts reach your clusters.


What are OCI artifacts and why are they a security risk?

OCI artifacts are non-image blobs (Helm charts, WASM modules, SBOMs, signatures) stored in container registries. They are consumed by automation pipelines and can introduce supply chain risks if unsigned, tampered, or maliciously crafted. Precogs AI validates their integrity and scans for embedded vulnerabilities.

Scan for OCI Artifact Security Issues

Precogs AI automatically detects OCI artifact security vulnerabilities and generates AutoFix PRs.