Now Available: Evidence Collection with JFrog
Instill trust in your software releases with centralized attestation evidence
There is an increasing need for traceability and attestation of the actions taken as software moves across the SDLC. Emerging regulations and policies around secure software development are rapidly evolving, and it’s important to stay ahead of the changing landscape.
Some organizations have taken a proactive approach with home-grown solutions or manual processes, but despite best efforts, these solutions often lack scale and eventually falter over time. And inevitably, there’s increasing friction between DevSecOps, GRC, and Development teams, which makes the situation more challenging.
The web of evidence generated and collected for software releases
Introducing Evidence Collection
JFrog’s new Evidence Collection functionality allows development teams to enrich artifacts, builds, packages, and Release Bundles with signed attestation metadata that can be easily tracked and verified for governance and compliance purposes.
Collect end-to-end evidence across your SDLC
Evidence Collection with the JFrog Platform generates an audit trail that documents all the security, quality, and operational steps taken to produce a production-ready software release. Developers can seamlessly consolidate information from all the tools and platforms used in software development into a trusted single source of truth.
Benefits of Evidence Collection with JFrog
Ensure Release Readiness of Software – Easily capture proof of the process software went through as it matured for release, inclusive of all tests, approvals, environments, and actions taken across the SDLC.
The Single Source of Truth for Attestation – Return time to development and compliance teams by eliminating the need to search across multiple systems for attestation data.
Simplify Auditing and Compliance – Evidence metadata follows the artifact for its entire lifespan and is easily exportable for auditing purposes. Use attestation metadata for governance across the entire software development lifecycle and software supply chain.
How It Works
Evidence Collection is designed to be baked into your CI process. With a simple bash script you can start capturing evidence and attaching it to your artifacts via the JFrog CLI or using JFrog’s APIs; the evidence follows the subject throughout the promotion process as an attached evidence file.
Example: Run an Integration Test and attach the result as evidence using JFrog CLI commands
```yaml
- name: Integration Test
  run: |
    source scripts/itest.sh
    iTest ${{ vars.VERSION }} > itest_results.json
    cat itest_results.json
    # Check if there are any failed tests in itest_results.json
    if grep -q '"status": "failed"' itest_results.json; then
      exit 1
    fi
    JF_LINK="${{ vars.JF_URL }}/ui/artifactory/lifecycle/?bundleName=${{ vars.BUNDLE_NAME }}&bundleToFlash=${{ vars.BUNDLE_NAME }}&releaseBundleVersion=${{ vars.VERSION }}&repositoryKey=release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion"
    echo "Test on Release bundle [${{ vars.BUNDLE_NAME }}:${{ vars.VERSION }}](${JF_LINK}) success" >> $GITHUB_STEP_SUMMARY
    # Attach the test results to the Release Bundle as signed evidence
    jf evd create \
      --release-bundle ${{ vars.BUNDLE_NAME }} \
      --release-bundle-version ${{ vars.VERSION }} \
      --predicate ./itest_results.json \
      --predicate-type https://jfrog.com/evidence/integration-test/v1 \
      --key "${{ secrets.PRIVATE_KEY }}" \
      --key-alias CI-RSA-KEY \
      --project ${{ vars.PROJECT }}
    echo "Evidence attached: integration-test" >> $GITHUB_STEP_SUMMARY
```
Evidence attached to a Release Bundle is viewable via an evidence graph, which consists of a visual snapshot of all evidence artifacts, subjects, and their relationships.
Evidence Graph view
You can also view a list of evidence files for a specified artifact.
Evidence files attached to an artifact
And of course you can query and export evidence results as part of auditing activities.
To accelerate Evidence Collection implementation, we have a number of script examples available on GitHub.
Take Evidence Further with Release Lifecycle Management
While we’ve built Evidence Collection to work standalone, pairing it with Release Lifecycle Management unlocks the ability to create quality control gates necessary to trust the contents and process of your releases.
With immutable release candidates advanced towards production only when the required attestation evidence is present, organizations can be sure that all software has gone through the required processes, meets the appropriate standards, and has not been tampered with.
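As an added illustration (not JFrog's code or data model), the following Python sketches the two checks described in the CI example and in the paragraph above: a parse-based pass/fail gate over the test results file, and a promotion gate that only advances a Release Bundle when every required predicate type is present and was signed with a trusted key alias. The integration-test predicate type URI and the CI-RSA-KEY alias come from the page's example; the evidence record shape, the bundle name and the security-scan predicate type URI are assumptions.

```python
"""Constructed model of the evidence flow: CI steps emit signed evidence records,
and a promotion gate consults them before a release candidate advances."""
import json
from dataclasses import dataclass

INTEGRATION_TEST = "https://jfrog.com/evidence/integration-test/v1"  # from the page
# Hypothetical second gate; the page names no such predicate type.
SECURITY_SCAN = "https://example.invalid/evidence/security-scan/v1"


@dataclass
class Evidence:
    subject: str          # "<bundle>:<version>" the evidence is attached to
    predicate_type: str   # URI passed as --predicate-type
    predicate: dict       # parsed contents of the --predicate file
    key_alias: str        # alias of the signing key (--key-alias)


def integration_test_passed(results: dict) -> bool:
    """Gate on parsed results rather than grepping for '"status": "failed"'.

    Parsing is insensitive to whitespace ('"status":"failed"' would slip past
    the grep) and treats any status other than passed/skipped, e.g. 'error',
    as a failure.
    """
    tests = results.get("tests", [])
    return bool(tests) and all(t.get("status") in ("passed", "skipped") for t in tests)


def promotion_gate(store: list[Evidence], subject: str, required: set[str],
                   trusted_aliases: set[str]) -> tuple[bool, set[str]]:
    """Return (allowed, missing_predicate_types) for promoting `subject`.

    Evidence signed with an alias outside `trusted_aliases` is ignored, so a
    record signed with an unapproved key cannot satisfy a required gate.
    """
    present = {e.predicate_type for e in store
               if e.subject == subject and e.key_alias in trusted_aliases}
    missing = required - present
    return (not missing, missing)


# Constructed results, shaped like the itest_results.json the CI step writes.
SAMPLE_RESULTS = json.loads('{"tests":[{"name":"login","status":"passed"},'
                            '{"name":"checkout","status":"error"}]}')


def demo(subject: str = "demo-bundle:1.2.3") -> tuple[bool, set[str]]:
    """Only the integration-test evidence exists, so the security-scan gate blocks."""
    store = [Evidence(subject, INTEGRATION_TEST, SAMPLE_RESULTS, "CI-RSA-KEY"),
             Evidence(subject, SECURITY_SCAN, {"critical": 0}, "dev-laptop")]  # untrusted
    return promotion_gate(store, subject, {INTEGRATION_TEST, SECURITY_SCAN}, {"CI-RSA-KEY"})
```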
Learn more at our live Release Lifecycle Management + Evidence Collection Masterclass.
Get Started with Evidence Collection
Third-party evidence collection is now available for JFrog Cloud Enterprise+ subscription holders, and will be available for Self-Hosted customers later this quarter. Get started today to establish governance over your software supply chain. To learn more, take a tour of our platform and check out the Release Lifecycle Management tour. Once you’re ready, speak to a specialist from the JFrog team.
For technical information about Evidence Collection, visit the Help Center.