OCI Evidence

The Open Container Initiative (OCI) provides an open governance structure for standardized container formats and runtimes. JFrog's Evidence Collection collects OCI attestations that follow the in-toto attestation framework and the DSSE (Dead Simple Signing Envelope) specification, including OCI SLSA build attestations. These attestations are collected as evidence for application governance.

Frequently Asked Questions

What is the main purpose of the JFrog and OCI evidence integration?

The integration is designed to provide native support for OCI (Open Container Initiative) standards within JFrog Artifactory. It automatically collects signed OCI attestations as evidence, creating a clear and verifiable record for every OCI container image.

What does "native support for OCI" mean for Artifactory?

It means that JFrog Artifactory can fully manage and work with OCI container images, including complete support for the OCI v1.1 specification, whose Referrers API and manifest `subject` field are the standard mechanism for attaching attestations and signatures to an image by digest. This allows Artifactory to act as a central repository for OCI images, just as it does for other package types.

What are OCI SLSA build attestations?

OCI SLSA (Supply Chain Levels for Software Artifacts) build attestations are cryptographically signed in-toto statements whose SLSA provenance predicate records how an OCI image was built: which builder produced it, from what build definition and inputs, and for which image digest. These attestations are automatically collected as evidence when OCI images are pushed to Artifactory.
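The intro describes the attestation format (an in-toto statement inside a DSSE envelope) and this answer describes its content (SLSA build provenance). The following is an added example, not JFrog's or the OCI project's code, showing what a consumer of such evidence must check before trusting it: the DSSE signature over the Pre-Authentication Encoding, the in-toto `_type` and `predicateType`, and that the image digest being deployed is actually a `subject` of the statement. It uses only the Go standard library; the Ed25519 key stands in for a CI system's signing key, and the digest, repository path and builder id are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// URIs fixed by the in-toto attestation framework and the SLSA provenance v1 spec.
const (
	InTotoPayloadType = "application/vnd.in-toto+json"
	StatementType     = "https://in-toto.io/Statement/v1"
	SLSAProvenanceV1  = "https://slsa.dev/provenance/v1"
)

// Envelope is a DSSE envelope; the signature covers PAE(payloadType, payload), not the raw payload.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the serialized in-toto Statement
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Statement is the in-toto Statement layer; the SLSA predicate stays opaque here.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"` // {"sha256": "<image manifest digest>"}
}

// pae is DSSE Pre-Authentication Encoding: "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign wraps a serialized Statement in a DSSE envelope signed with Ed25519.
func Sign(priv ed25519.PrivateKey, keyID string, statement []byte) Envelope {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pae(InTotoPayloadType, statement)))
	return Envelope{InTotoPayloadType, base64.StdEncoding.EncodeToString(statement), []Signature{{keyID, sig}}}
}

// VerifyProvenance is what a consumer of the evidence does before trusting it: verify the signature
// under a trusted key, then check that the payload is in-toto SLSA provenance for exactly this image.
func VerifyProvenance(env Envelope, pub ed25519.PublicKey, imageSHA256 string) (*Statement, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not base64: %w", err)
	}
	msg, verified := pae(env.PayloadType, payload), false
	for _, s := range env.Signatures {
		if sig, err := base64.StdEncoding.DecodeString(s.Sig); err == nil && ed25519.Verify(pub, msg, sig) {
			verified = true
		}
	}
	if !verified {
		return nil, fmt.Errorf("no signature verifies under the trusted key")
	}
	var st Statement // only a payload whose signature verified is parsed
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, fmt.Errorf("payload is not an in-toto Statement: %w", err)
	}
	if env.PayloadType != InTotoPayloadType || st.Type != StatementType || st.PredicateType != SLSAProvenanceV1 {
		return nil, fmt.Errorf("not in-toto SLSA v1 provenance: %q/%q/%q", env.PayloadType, st.Type, st.PredicateType)
	}
	for _, sub := range st.Subject { // bind the attestation to this artifact, not to "some" image
		if sub.Digest["sha256"] == imageSHA256 {
			return &st, nil
		}
	}
	return nil, fmt.Errorf("image sha256:%s is not a subject of this attestation", imageSHA256)
}

// SampleStatement is a constructed SLSA v1 provenance Statement (sample data, not from a real build)
// for an image with the given manifest digest; the repository path and builder id are hypothetical.
func SampleStatement(imageSHA256 string) []byte {
	b, _ := json.Marshal(Statement{Type: StatementType, PredicateType: SLSAProvenanceV1,
		Subject:   []Subject{{"example.jfrog.io/docker-local/app", map[string]string{"sha256": imageSHA256}}},
		Predicate: json.RawMessage(`{"runDetails":{"builder":{"id":"https://ci.example.com/runner"}}}`)})
	return b
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the CI system's signing key
	digest := "8d3c6a5f0b1e2d4c7a9f8e6b5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c" // constructed digest
	env := Sign(priv, "ci-key-1", SampleStatement(digest))
	_, okErr := VerifyProvenance(env, pub, digest)
	_, otherErr := VerifyProvenance(env, pub, "00"+digest[2:]) // same signed envelope, different image
	fmt.Println("this image:", okErr, "| other image:", otherErr)
}
```

The ordering matters: the payload is only parsed after a signature verifies, and the subject digest check is what stops a perfectly valid attestation for one image being replayed against another. Because PAE covers the payload type, a swapped `payloadType` also fails signature verification rather than being parsed as the wrong format.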

How does this integration improve traceability of OCI images?

By ingesting and displaying the OCI attestations, the JFrog Platform creates an audit trail of the container image's build process. This gives full traceability from an image digest back to the build that produced it, which simplifies compliance reporting and lets you verify the integrity of your container images.

Where is the OCI provenance data stored?

The signed OCI attestations are automatically collected into JFrog's Evidence Collection, which holds the verifiable proof related to your software, including the build provenance of your OCI containers, so that the data remains available for auditing and governance.

About OCI

The Open Container Initiative (OCI) is a lightweight, open governance structure (project), formed under the auspices of the Linux Foundation, for the express purpose of creating open industry standards around container formats and runtimes.