Subscription Information
This feature is supported with the Enterprise+ license.
In addition to the evidence that Artifactory and Xray create automatically when performing operations in the JFrog platform (for example, promoting or distributing a Release Bundle v2), you can create evidence that attests to processes performed outside the JFrog platform, and attach that evidence to an evidence subject (for example, an artifact, package, or build) deployed in Artifactory.
The recommended best practice is to attach evidence to artifacts, packages, or builds until you create an application version or Release Bundle v2 version containing those artifacts or builds. At that point, any further evidence related to the artifacts, packages, or builds should be attached directly to the application version or Release Bundle.
You can use the following methods to create evidence and deploy it to the JFrog platform:
JFrog CLI: The Create Evidence JFrog CLI command. This command creates a properly structured payload that conforms to the in-toto attestation framework, wraps it in a DSSE envelope, and then deploys the evidence file to Artifactory. Server-side verification is performed automatically during deployment, provided the relevant public key is present in Artifactory. For more information, see Create Evidence using the JFrog CLI.
REST APIs: The Prepare Evidence API streamlines the evidence creation process for users who do not use the JFrog CLI. It returns a payload that conforms to the in-toto attestation framework, which you sign and then deploy using the Deploy Evidence API. For an explanation of the complete workflow, see Create Evidence using REST APIs.
Manual DSSE Creation: A more complex option is to create evidence with a third-party tool and build the payload and envelope yourself, without the help of the Prepare Evidence CLI. When using this method, you must ensure that your evidence file has a payload that conforms to the in-toto attestation framework and an envelope that conforms to the DSSE framework. For more information, see Deploy Evidence Directly Using Your Own DSSE.
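To make concrete what all three methods must produce, the following Go program is an added example; it is not JFrog code and not the JFrog CLI implementation. It builds an in-toto v1 Statement whose subject is the SHA-256 digest of an artifact, wraps it in a DSSE envelope by signing the Pre-Authentication Encoding (PAE), and then performs the check a server must do before trusting the evidence: decode the payload, recompute the PAE, and accept only a signature from the expected key. It assumes an Ed25519 key pair, the key identifier `example-key`, a hypothetical predicate type (`https://example.com/attestations/test-report/v1`) and constructed artifact bytes; which key types and key identifiers Artifactory accepts is not covered on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is an in-toto Attestation Framework v1 Statement: the payload
// that every evidence file must carry, whichever creation method is used.
type Statement struct {
	Type          string         `json:"_type"`
	Subject       []Subject      `json:"subject"`
	PredicateType string         `json:"predicateType"`
	Predicate     map[string]any `json:"predicate"`
}

// Subject identifies the artifact the evidence is about by name and digest.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is the DSSE envelope that wraps the payload.
type Envelope struct {
	Payload     string      `json:"payload"`
	PayloadType string      `json:"payloadType"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// InTotoPayloadType is the DSSE payloadType for in-toto Statements.
const InTotoPayloadType = "application/vnd.in-toto+json"

// PAE computes the DSSE Pre-Authentication Encoding, the exact bytes that are
// signed: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
func PAE(payloadType string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(body), body))
}

// BuildStatement serializes an in-toto Statement whose subject is the SHA-256
// of the artifact bytes. The predicate type is hypothetical, not a JFrog-defined one.
func BuildStatement(artifactName string, artifact []byte, predicate map[string]any) ([]byte, error) {
	sum := sha256.Sum256(artifact)
	return json.Marshal(Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: artifactName, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: "https://example.com/attestations/test-report/v1", // hypothetical
		Predicate:     predicate,
	})
}

// Sign wraps a payload in a DSSE envelope. The signature covers the PAE, never
// the raw or base64 payload, so the payloadType cannot be swapped after signing.
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, PAE(payloadType, payload))
	return Envelope{
		Payload:     base64.StdEncoding.EncodeToString(payload),
		PayloadType: payloadType,
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify does what a server-side check must do: decode the payload, recompute
// the PAE, and accept only a signature made by the trusted key for keyID.
// It returns the authenticated payload so callers parse only verified bytes.
func Verify(pub ed25519.PublicKey, keyID string, env Envelope) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	pae := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		if s.KeyID != keyID {
			continue
		}
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			return nil, err
		}
		if ed25519.Verify(pub, pae, sig) {
			return payload, nil
		}
	}
	return nil, errors.New("dsse: no valid signature from trusted key " + keyID)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed artifact bytes") // stands in for a real package
	payload, _ := BuildStatement("libs-release/acme/app-1.0.jar", artifact, map[string]any{"tool": "example-scanner", "passed": true})
	env := Sign(priv, "example-key", InTotoPayloadType, payload)
	out, _ := json.MarshalIndent(env, "", "  ")
	fmt.Println(string(out))
	if _, err := Verify(pub, "example-key", env); err != nil {
		panic(err)
	}
}
```

The point to take from `Verify` is that the signature is checked over the PAE, which binds the `payloadType` to the payload; a verifier that signed or checked only the base64 payload would let an attacker change how the payload is interpreted without invalidating the signature. Whatever tool you use for the manual method, the envelope it emits must be verifiable this way with the public key you have uploaded, or the server-side verification described above cannot succeed.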