An artifact is a built software package ready for deployment or distribution, such as a JAR file, container image, or release archive. In Java ecosystems, the artifact is what actually runs in production, not the source code in version control. Its exact version, build hash, and signing status determine what code is exposed to users.
Artifact tracking matters in cyber security because attackers often target the software that is truly deployed, while defenders may only review declared dependencies or source branches. A vulnerable library buried in a transitive dependency, or an old container image still running in a cluster, can leave systems exposed even after developers believe they have patched the project. Good defense means inventorying artifacts, comparing live versions with fixed releases, validating rebuilds, and confirming that images and packages were signed and replaced everywhere they run.



