DevOps practicesIntermediate19 min read

What Is Artifact in DevOps?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

In software development, an artifact is something that gets created as part of building or testing your code. It could be a compiled program, a Docker image, a test report, or a configuration file. Think of it as the output you produce at each step that you can then use or hand off to the next stage.

Commonly Confused With

ArtifactvsBinary

A binary is a type of artifact, but not all artifacts are binaries. Artifacts include source code, test reports, log files, configuration files, and container images. A binary refers specifically to compiled machine code that can be executed directly.

An executable .exe file is a binary; a test result XML file is an artifact but not a binary.

ArtifactvsPackage

A package is a specific kind of artifact that is designed to be consumed as a dependency, like a NuGet package or an npm package. Not all artifacts are packages; for example, a deployment zip file is an artifact but not a package because it is meant for deployment, not as a library dependency.

A .nupkg file with a reusable library is a package; a .zip file containing a web app is an artifact for deployment.

ArtifactvsDeployment

Deployment is the process of taking an artifact and putting it into an environment. The artifact itself is the thing you deploy, not the action of deploying. Confusing the two leads to misunderstandings about pipeline stages: the build stage produces artifacts, the release stage consumes them.

You publish an artifact (the .zip file) in the build pipeline, then you deploy that artifact to a web server in the release pipeline.

ArtifactvsSnapshot

In some contexts, especially with databases or virtual machines, a snapshot is a point-in-time copy of an entire system state. An artifact in DevOps is usually a specific file or set of files from a build. Snapshots are often larger and include the runtime state, whereas artifacts are typically just the application code and configuration.

A VM snapshot captures the whole OS; a build artifact is just the compiled application.

Must Know for Exams

For the AZ-400 exam, artifacts are a core topic. The exam objectives under “Design a release strategy” and “Manage artifacts and dependencies” explicitly cover artifact types (build artifacts, package artifacts, container images), artifact storage options (Azure Artifacts, Azure Pipelines artifact store, Azure Container Registry), and artifact security (signing, scanning). You will see scenario-based questions where you must choose the right artifact publishing method.

For example, a question might describe a team that wants to share NuGet packages across multiple projects. The correct answer would involve setting up an Azure Artifacts feed with upstream sources. Another question might ask about optimizing download times for large artifacts in a release pipeline; the answer would be to switch from Build Artifacts to Pipeline Artifacts.

Questions also test your understanding of retention policies: you might be asked how to configure a policy that keeps only the last 10 successful builds and deletes artifacts older than 30 days. The exam may present a scenario where a team is having trouble reproducing a production bug because they cannot find the exact binary that was deployed. The solution is to ensure that every build publishes a versioned artifact and that the release pipeline uses that exact artifact.

You should also know the difference between continuous delivery (where artifacts are automatically deployed to staging) and continuous deployment (where they go to production). The depth of knowledge expected is at the level of selecting the appropriate tool and configuring it correctly. The AZ-400 exam uses multiple-choice, multiple-select, and sometimes drag-and-drop questions on this topic.

Being able to read a pipeline YAML and identify where artifacts are published or consumed is also helpful.

Simple Meaning

Imagine you are baking a cake. You start with ingredients like flour, eggs, and sugar. As you mix them, you create a batter. The batter is an intermediate product. After baking, you get the cake itself.

In software development, artifacts are like those intermediate and final products. When you write code, the first thing you do is save it in files. Those source code files are artifacts.

When you compile that code, the compiler produces a binary executable or a library, that is another artifact. You might also run tests, and the test results (a report or log file) are artifacts too. Finally, when you are ready to ship, you bundle everything into a deployment package or a container image; that is the release artifact.

Each artifact has a specific purpose: to be reviewed, to be tested, to be deployed, or to be archived. In DevOps, managing artifacts properly is critical. You need to store them in a central repository, version them, and make sure you can trace exactly which version of the source code produced which binary.

If a problem appears in production, you want to be able to go back to the exact artifact that was deployed and inspect it. In short, artifacts are the tangible results of every step in your build and release pipeline. Without them, you would have no way to share work between teams, reproduce builds, or roll back to a known good state.

Full Technical Definition

In the context of Azure DevOps and the AZ-400 exam, an artifact is any versioned, immutable output generated from a pipeline run. Artifacts can be build outputs (like .exe, .dll, .jar, .

war files), package files (.nupkg, .tgz), container images (Docker images), test results (TRX files), log files, or even environment configuration scripts. The key technical property of an artifact is that it is produced once and should not be modified after creation.

This immutability ensures traceability and reproducibility. In Azure Pipelines, the Publish Build Artifacts task copies selected files from the build agent’s workspace into a known location, typically the Azure Pipelines artifact store. Once published, the artifact is available for subsequent stages or releases.

Another common approach is to use the Copy Files task to stage files, then the Publish Build Artifacts task to upload them. Azure DevOps also supports symbolic links to the artifact store, allowing release pipelines to consume the exact same bits. For containerized applications, you would instead build a Docker image, tag it with a build ID, and push it to a container registry like Azure Container Registry.

That container image is the artifact. The concept extends to package management: NuGet packages, npm packages, and Maven artifacts are all stored in Azure Artifacts feeds. These feeds are backed by Azure Blob Storage and provide features like upstream sources, retention policies, and views.

From a security standpoint, artifacts should be signed and validated. Azure DevOps integrates with code signing tools and allows you to set up artifact scanning for vulnerabilities. In large enterprises, artifact management is governed by retention policies that automatically delete old artifacts after a set number of days or a specified number of latest artifacts to keep.

The official Azure DevOps documentation recommends using the Pipeline Artifacts feature (instead of Build Artifacts) for faster upload and download performance because it uses a different storage backend. Artifacts are the backbone of release management; they provide a reliable, traceable chain from code commit to production deployment.

Real-Life Example

Think about building a piece of custom furniture, like a bookshelf. You start with a design plan (the source code). Then you go to the hardware store and buy boards, screws, and glue (dependencies).

You cut the boards to size (compilation). At that point, you have pieces of cut wood, those are intermediate artifacts. You assemble the shelves, sand them, and apply varnish. Now you have a finished bookshelf, that is the final artifact.

If you are building multiple identical bookshelves, you want each one to be exactly the same. So you save the design plan and the cutting diagram, and you even keep one perfect bookshelf as the master copy. That way, if the next batch has a problem, you can compare it to the master.

In software, artifacts serve the same purpose: they are the exact, unchangeable snapshots of your work at each stage. If a bug is found in production, you can pull the exact artifact that was deployed, reproduce the issue, and fix it without having to guess which code version was in use. Without artifact management, you would be like a carpenter who builds a shelf, forgets the plan, and then tries to remember how it was made, unreliable and error-prone.

Why This Term Matters

In practical IT operations, artifacts are the link between development and operations. Without a clear artifact management strategy, teams face several problems. First, there is no traceability.

If a production incident occurs, the operations team cannot easily determine which version of the application is running, because the build output was never tagged or stored. Second, there is no reproducibility. If you need to rebuild a specific version to patch a vulnerability, you must be able to recreate the exact same binary from the exact same source code and dependencies.

Artifact repositories solve this by keeping immutable copies. Third, there is no release consistency. In a microservices architecture, you might have dozens of services, each with its own artifacts.

Without a central artifact store, each team might deploy slightly different versions, leading to integration failures. Azure Artifacts and similar systems allow teams to manage dependencies and share packages reliably. Finally, security auditing requires knowing exactly what was deployed and when.

Artifact management provides that audit trail. For companies under regulatory compliance (like SOC 2 or PCI DSS), having a proper artifact lifecycle with retention policies is mandatory. Artifacts matter because they bring discipline to the chaos of software delivery, enabling repeatable builds, safe deployments, and fast rollbacks.

How It Appears in Exam Questions

Artifact questions on the AZ-400 exam often appear as scenario-based multiple-choice problems. A typical pattern: "Your team develops a Java application and wants to store the compiled JAR files for each build. You need to enable other teams to consume these JARs as dependencies in their own builds.

Which service should you use?" The correct answer is Azure Artifacts with a Maven feed. Another pattern: "You have a release pipeline that deploys a .NET Core web app. The build pipeline produces a zip file.

The release pipeline needs to access that zip file. However, the deployment is failing because the file cannot be found. What is the most likely cause?" Options might include incorrect artifact name, missing Publish Build Artifacts task, or using the wrong trigger.

The answer involves checking that the artifact was published under the correct name. Another question type is about retention: "Your project has a policy that only the last 10 successful builds should be kept. However, artifacts from older builds are still available.

What should you do?" Answer: Configure a build retention policy in Azure Pipelines that sets the number of days to keep and the minimum number of successful builds. There are also questions about container artifacts: "You are using Docker containers and want to version your images.

Which tagging strategy should you use?" The answer is to tag images with the build ID and optionally a semantic version, and push them to Azure Container Registry. Finally, you may see troubleshooting questions where an artifact is missing because the pipeline stage that publishes it did not run due to conditions like 'only when a previous job succeeded' but the previous job failed.

Understanding pipeline logic is essential.

Study AZ-400

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A company called HealthTrack is developing a patient monitoring app. They use Azure DevOps for CI/CD. The development team writes code in C# and pushes it to an Azure Repos Git repository.

The build pipeline is triggered on every push to the main branch. The pipeline does the following: restores NuGet packages, compiles the solution, runs unit tests, and then publishes two artifacts: a web deployment package (a .zip file) and a test results report (a .

trx file). The web deployment package is named "HealthTrackApp.zip" and is published under the artifact name "drop". The release pipeline is configured to use the "drop" artifact from the build.

The release pipeline first deploys to a staging slot on Azure App Service, runs integration tests, and then swaps slots to production. One day, the operations team reports that the app in production has a bug that causes patient data to display incorrectly. The developer needs to reproduce the bug locally.

They go to the Azure Pipelines build history, find the build ID that corresponds to the production deployment, and download the exact "HealthTrackApp.zip" artifact. They deploy that artifact to a local IIS server, reproduce the bug, and fix the code.

The fix is committed, a new build runs, and a new artifact is produced. The release pipeline automatically deploys the new artifact to staging first, tests pass, and then to production. This example shows how artifacts provide traceability and enable efficient debugging.

Without the artifact, the developer would have had to guess which code version was in production, or ask the operations team to provide the deployed files manually.

Common Mistakes

Thinking artifacts are only the final compiled binaries.

Artifacts include everything produced during the pipeline: test results, logs, configuration files, Docker images, and even package feeds. Ignoring other artifacts means you miss important debugging data.

Always publish all relevant outputs from each stage, including test reports and logs. They help with troubleshooting and compliance.

Modifying an artifact after it has been published, for example by manually replacing files in the artifact store.

Artifacts must be immutable. Changing them breaks traceability, you no longer know exactly what was deployed. It also defeats the purpose of a build pipeline.

If you need a different artifact, create a new build. Use pipeline variables and versioning to differentiate builds. Never overwrite an existing artifact.

Not versioning artifacts or using the same artifact name for every build.

Without unique versioning, you cannot tell which artifact corresponds to which build. This makes rollbacks and debugging nearly impossible.

Automatically include the build ID or a semantic version in the artifact name or tag. In Azure Pipelines, you can use $(Build.BuildId) in the artifact name.

Confusing build artifacts with pipeline artifacts.

Build artifacts and pipeline artifacts are two different storage backends in Azure DevOps. Build artifacts use a legacy system with slower downloads, while pipeline artifacts are optimized for speed. Using the wrong one can cause performance issues.

For new pipelines, always use Pipeline Artifacts (the "Publish Pipeline Artifact" task) unless you have a specific requirement for Build Artifacts.

Assuming artifacts survive forever without configuring retention policies.

If you do not set retention policies, artifacts can accumulate and consume storage, leading to costs and clutter. Conversely, without policies, old artifacts may be deleted automatically after a default period, and you lose traceability.

Configure build retention policies that match your compliance requirements. For example, keep the last 20 successful builds and any builds less than 30 days old. For critical releases, mark artifacts as "retain indefinitely" manually.

Exam Trap — Don't Get Fooled

{"trap":"The exam may ask which artifact type to use for sharing packages across projects, and some answer choices will suggest \"build artifacts\" instead of \"Azure Artifacts feed.\"","why_learners_choose_it":"Learners might think that since build artifacts are the output of a build, they can be consumed by other projects by simply referencing the build artifact path. While technically possible, it is not the best practice for package management because build artifacts lack versioning, upstream sources, and dependency resolution."

,"how_to_avoid_it":"Remember that Azure Artifacts feeds are specifically designed for package management (NuGet, npm, Maven, etc.). For sharing reusable components, always use a feed.

Build artifacts are meant for deployment artifacts like compiled binaries or deployment packages, not for library dependencies."

Step-by-Step Breakdown

1

Commit code

A developer commits source code to a version control repository (like Azure Repos or GitHub). This triggers the build pipeline. The source code itself is the very first artifact, though it is stored in the repo, not in the artifact store.

2

Restore dependencies

The build pipeline runs a task to restore dependencies (e.g., NuGet restore). The downloaded packages are cached. These downloaded packages are technically artifacts, but they are usually not published because they can be restored from the original source. They are temporary artifacts on the build agent.

3

Build/compile

The source code is compiled into intermediate object files and then linked into a final executable or library. The compiler outputs are typically stored in a 'bin' or 'output' directory. These are the raw build artifacts.

4

Publish artifacts

A pipeline task (e.g., Publish Pipeline Artifact) copies the output files from the build agent to a persistent artifact store in Azure DevOps. The artifacts are named and versioned using build variables. This step makes the artifacts available for release pipelines or for manual download.

5

Consume artifacts in release

A release pipeline is configured to download the artifact from the artifact store. It can reference the artifact by the artifact name and version. The release pipeline then takes that artifact and deploys it to the target environment (e.g., Azure App Service, virtual machine, or Kubernetes cluster).

6

Retention and clean-up

After a set period or number of builds, old artifacts are automatically deleted based on retention policies. This prevents storage bloat. Critical artifacts can be marked for indefinite retention. This step is often overlooked but is important for compliance and cost management.

Practical Mini-Lesson

In a real-world Azure DevOps environment, managing artifacts goes beyond simply publishing files. You need to decide on a naming convention that includes the build number, branch name, and maybe the commit short hash. For example, you could name your artifact 'HealthTrackApp_$(Build.

SourceBranchName)_$(Build.BuildId).zip'. This makes it easy to identify the artifact's origin. You also need to handle multiple artifact types. A typical .NET Core application might publish a web deployment package and also a set of test coverage reports.

You could publish them as two separate artifacts, or bundle them into one archive. The best practice is to keep them separate: one artifact for the deployable code, and another for the reports, because they have different consumers. The release pipeline downloads only the deployable code, while a separate reporting tool might access the test results.

Another important aspect is artifact security. You should not include secrets (like connection strings or API keys) in artifacts. Use Azure Key Vault or pipeline variables to inject secrets at deployment time.

Also, consider signing your artifacts with a code signing certificate to ensure integrity. Some organizations require that all artifacts be scanned for malware and vulnerable components. You can integrate Azure Defender or third-party tools into the pipeline to scan artifacts before they are published.

When troubleshooting deployment failures, the first thing to check is the artifact: was it published correctly? Check the build logs to see if the Publish task succeeded. Also, verify the artifact name in the release pipeline matches exactly.

A common oversight is a mismatch in casing or spaces. Finally, understand the difference between pipeline artifacts and build artifacts. Pipeline artifacts use a newer, faster storage system.

If you have a build that produces very large files (over 1 GB), pipeline artifacts will significantly reduce download time. Always prefer pipeline artifacts for new pipelines. If you are migrating an older pipeline, change the publishes task from 'Publish Build Artifacts' to 'Publish Pipeline Artifact'.

Memory Tip

Think of artifacts as 'the take-away outputs' of each pipeline stage, they are the 'stuff' you hand to the next step. Artifact = Output that you keep.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the difference between a build artifact and a pipeline artifact?

Build artifacts are the older method of storing files from a build in Azure Pipelines. Pipeline artifacts are a newer, faster storage backend. Pipeline artifacts are recommended for all new pipelines because they offer better performance and reliability.

Can I delete an artifact after it has been released?

You can, but it is risky. If you delete an artifact and later need to roll back to that exact build, you will not be able to. It is better to configure retention policies to automatically delete old artifacts, but keep critical ones marked for indefinite retention.

How do I share an artifact across multiple projects?

For sharing build outputs like DLLs or deployment packages, you can publish the artifact in one project and then use the 'Download Build Artifacts' task in another project. For sharing library packages (NuGet, npm), use Azure Artifacts feeds that can be shared across projects.

What is the maximum size for a build artifact?

Azure Pipelines supports artifacts up to 2 GB per artifact and 100 GB total per pipeline run. If you exceed these limits, consider using alternative storage like Azure Blob Storage and referencing the files.

Do artifacts include Docker images?

Yes, Docker images are a type of artifact. In Azure DevOps, you typically build a Docker image and push it to a container registry like Azure Container Registry. You can also publish the Dockerfile and build context as a build artifact, but the image itself is stored in the registry.

How do I ensure my artifacts are secure and tamper-proof?

Use code signing to sign your binaries, integrate artifact scanning tools for vulnerabilities, and ensure that artifacts are immutable (never overwritten). Also, restrict access to the artifact store using Azure DevOps permissions.

What happens if my build fails but still publishes an artifact?

By default, tasks in Azure Pipelines run only if the previous task succeeded. If the build fails, subsequent tasks (including publishing) usually do not run. However, you can configure tasks to run even if a previous task fails. It is generally not recommended to publish artifacts from a failed build because they may be incomplete.

Summary

In the world of DevOps and Azure, an artifact is a cornerstone concept. It represents the tangible output of each step in the software delivery pipeline, from compiled binaries and deployment packages to test reports and container images. Understanding artifacts is not just about knowing what they are; it is about mastering how they are published, versioned, stored, secured, and consumed.

Effective artifact management ensures traceability, reproducibility, and reliability. When a production issue arises, having the exact artifact that was deployed allows teams to debug efficiently and roll back safely. In the AZ-400 exam, you will encounter artifact-related questions that test your ability to choose the right storage (Azure Artifacts vs.

Pipeline Artifacts), configure retention policies, and integrate artifact publishing into your pipelines. The key takeaway is to always version your artifacts, never modify them after publishing, and use appropriate tools for the type of artifact (packages vs. deployment archives).

By treating artifacts with the same rigor as source code, you build a robust and auditable release process.