Attach External Evidence

JFrog Artifactory Documentation


Subscription Information

This feature is supported with the Enterprise+ license.

In addition to the evidence that Artifactory and Xray create automatically (for example, when promoting or distributing a Release Bundle v2), you can take external evidence, which attests to processes performed outside of Artifactory, and attach that evidence to an evidence subject (for example, an artifact, package, or build) deployed in Artifactory.

The recommended best practice is to attach evidence to artifacts, packages, or builds until you create a Release Bundle v2 containing those artifacts or builds. At that point, any further evidence related to the artifacts, packages, or builds should be attached directly to the Release Bundle.

One way to attach external evidence is with the Create Evidence JFrog CLI command. This command creates a properly structured payload that conforms to the in-toto attestation framework, wraps it in a signed DSSE envelope, and then deploys the evidence file to Artifactory. Server-side verification is performed automatically during deployment, provided the public key that matches the signing key is present in Artifactory. For more information, see Evidence Service.

Alternatively, you can create evidence using a third-party tool and then deploy it to Artifactory with the Deploy Evidence API. When using this method, you must ensure that your evidence file has a payload that conforms to the in-toto attestation framework and an envelope that conforms to the DSSE specification. For more information, see Deploy Evidence.
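The two paragraphs above describe the same file format from two directions: the JFrog CLI produces an in-toto payload inside a DSSE envelope, and the Deploy Evidence API requires exactly that shape from any third-party tool. The following Go program is an added example, not JFrog's code and not the implementation behind either the CLI or the Evidence Service. It builds an in-toto v1 Statement for a constructed artifact, signs it into a DSSE envelope, and then runs the checks a receiving server would run (payloadType, signature over the PAE, statement shape) so that malformed or mis-signed evidence can be caught locally before deployment. Assumptions: the Ed25519 key type, the repository path, the predicateType URL, the predicate contents and the keyid label are all invented for illustration; which key types Artifactory accepts and how its server-side verification is implemented are documented under Evidence Service, not here.

```go
// Added example (not JFrog's code): in-toto v1 Statement -> signed DSSE envelope -> server-side-style verification.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const statementType = "https://in-toto.io/Statement/v1" // in-toto Attestation Framework v1
const payloadType = "application/vnd.in-toto+json"      // DSSE payloadType for in-toto statements

type (
	Statement struct { // in-toto v1 attestation payload; Subject binds it to an artifact by digest
		Type          string                 `json:"_type"`
		Subject       []Subject              `json:"subject"`
		PredicateType string                 `json:"predicateType"`
		Predicate     map[string]interface{} `json:"predicate"`
	}
	Subject struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	}
	Envelope struct { // DSSE envelope; Payload and Sig are standard base64
		PayloadType string      `json:"payloadType"`
		Payload     string      `json:"payload"`
		Signatures  []Signature `json:"signatures"`
	}
	Signature struct {
		KeyID string `json:"keyid,omitempty"` // free-form label here, not an Artifactory key alias (assumption)
		Sig   string `json:"sig"`
	}
)

// pae is DSSE Pre-Authentication Encoding, the bytes that are actually signed. Binding the
// payloadType and lengths stops a raw-payload signature from being replayed under another type.
func pae(payloadType string, payload []byte) []byte {
	header := fmt.Sprintf("DSSEv1 %d %s %d ", len(payloadType), payloadType, len(payload))
	return append([]byte(header), payload...)
}

// NewStatement builds a statement whose single subject is the SHA-256 of artifact.
func NewStatement(name string, artifact []byte, predType string, pred map[string]interface{}) Statement {
	sum := sha256.Sum256(artifact)
	subj := Subject{Name: name, Digest: map[string]string{"sha256": fmt.Sprintf("%x", sum)}}
	return Statement{Type: statementType, Subject: []Subject{subj}, PredicateType: predType, Predicate: pred}
}

// Sign serialises the statement and signs its PAE with an Ed25519 private key (key type is an assumption).
func Sign(stmt Statement, priv ed25519.PrivateKey, keyID string) (Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	b64 := base64.StdEncoding.EncodeToString
	sig := Signature{KeyID: keyID, Sig: b64(ed25519.Sign(priv, pae(payloadType, body)))}
	return Envelope{PayloadType: payloadType, Payload: b64(body), Signatures: []Signature{sig}}, nil
}

// Verify runs the checks a receiving server would: in-toto payloadType, at least one signature
// valid over the recomputed PAE, and a v1 Statement with a subject inside. Returns it only then.
func Verify(env Envelope, pub ed25519.PublicKey) (Statement, error) {
	if env.PayloadType != payloadType {
		return Statement{}, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return Statement{}, err
	}
	msg, ok := pae(env.PayloadType, body), false
	for _, s := range env.Signatures {
		raw, _ := base64.StdEncoding.DecodeString(s.Sig) // malformed base64 yields junk that Verify rejects
		ok = ok || ed25519.Verify(pub, msg, raw)
	}
	if !ok {
		return Statement{}, fmt.Errorf("no signature verified with the supplied public key")
	}
	var stmt Statement
	if err := json.Unmarshal(body, &stmt); err != nil {
		return Statement{}, err
	}
	if stmt.Type != statementType || len(stmt.Subject) == 0 {
		return Statement{}, fmt.Errorf("payload is not an in-toto v1 Statement with a subject")
	}
	return stmt, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	stmt := NewStatement("libs-release-local/demo/app-1.0.0.jar", []byte("constructed artifact bytes"), // hypothetical path, constructed input
		"https://example.com/evidence/test-results/v1", map[string]interface{}{"passed": 128, "failed": 0})
	env, _ := Sign(stmt, priv, "ci-signing-key")
	out, _ := json.MarshalIndent(env, "", "  ")
	_, err := Verify(env, pub)
	fmt.Printf("%s\nverified: %v\n", out, err == nil) // out is the evidence file you would deploy
}
```

Run it with `go run .`; the printed JSON is the envelope shape that the Deploy Evidence API expects, with the in-toto statement base64-encoded in `payload`. The point of `pae` is that the signature covers the payloadType and the payload lengths, not the raw bytes, so a signature taken over an unrelated JSON document cannot be re-labelled as in-toto evidence. Running `Verify` with the matching public key before deployment reproduces in outline the server-side check Artifactory performs when that key is present; if the key is missing on the server, nothing here changes what Artifactory does, so confirm the key is registered as described under Evidence Service.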

View External Evidence

There are multiple options for viewing external evidence in Artifactory:

  • External evidence attached to individual artifacts can be viewed in the Evidence tab of the Artifacts tree. For more information, see View the Artifact Evidence Table.

  • External evidence attached to a Release Bundle v2 can be viewed in the timeline for that Release Bundle version.

  • Evidence attached to a specific Release Bundle version, together with the evidence attached to the artifacts that version contains, can be viewed in the Evidence graph. For more information, see View the Release Bundle Evidence Graph.