Evidence Glossary

JFrog Artifactory Documentation


Attestation: Evidence files function as attestations, which are cryptographically signed metadata records. They provide a signed and verified record of an external process performed on a subject, such as test results, vulnerability scans, or official approvals.

Audit trail: The Evidence service generates comprehensive documentation that tracks all the security, quality, and operational steps performed to produce a production-ready software release. This centralized, trusted trail helps increase visibility, eliminate risk, and simplify auditing and compliance tracking.

DSSE (Dead Simple Signing Envelope): This is the cryptographic layer that wraps the payload after it has been signed using a private key. The signature within the DSSE is what makes the evidence verifiable and tamper-evident: any change to the signed payload invalidates the signature.

Evidence: Evidence is signed metadata that attests to an action related to a designated subject, such as an artifact or a build. It provides a signed and verified record of an external process performed on the subject, such as test results or vulnerability scans.

Governance: Collecting verifiable evidence enables governance, which is crucial for automating Governance, Risk, and Compliance (GRC) efforts. Evidence is reviewed to identify issues and serves as the basis for policies that gate promotions.

Immutability: This is a core principle of JFrog Evidence that guarantees the integrity of the audit trail. The service maintains a single source of truth for cryptographically signed attestation data attached to release artifacts, saving time for auditors and teams.

in-toto: The software integrity model upon which JFrog Evidence is based, providing a chain of evidence. This model verifies the integrity of your software, its components, and the process by which it was developed, built, and tested.

Markdown: This is an optional component of the evidence payload intended to provide a human-friendly rendering of the predicate's data. It is primarily for display in the JFrog Platform UI in the "Content" tab for easy readability.

Payload: This refers to the content of the attestation that is signed using a private key and then wrapped in a DSSE (Dead Simple Signing Envelope). The payload fundamentally contains the required Predicate (structured, authoritative data) and the optional Markdown field (human-friendly rendering).

Predicate: The predicate is the required, authoritative content of the attestation, which is a flexible, user-defined JSON object. It contains the structured data proving an action occurred and is the source of truth for automated systems and policy checks.

Predicate Type: This is a unique, URL-style identifier that acts as a schema or category for the evidence. This identifier allows for programmatic querying and policy enforcement based on the specific type of evidence.

Subject: The Evidence subject is the entity in Artifactory that the evidence describes, such as an artifact, package, or build, and acts as the anchor for the attestation. Evidence is attached to this designated subject and travels with it when copied or moved.
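The DSSE, Payload, Predicate, Predicate Type and Subject entries above describe one data structure: an in-toto Statement (subject digest, predicateType, predicate) serialized as the payload of a DSSE envelope and signed over the envelope's Pre-Authentication Encoding. The following is an added example, not JFrog's own code or the Evidence service's API, that builds such a statement, signs it and verifies it, including the tamper check the DSSE entry promises. It follows the public DSSE and in-toto v1 formats; the subject path, predicate type URL and predicate contents are constructed, and HMAC-SHA256 with a shared secret stands in for the private-key signature so the block runs with the standard library only (DSSE is algorithm-agnostic, and the keyid field tells the verifier which key to use). The page does not show where the optional Markdown field sits in JFrog's payload, so it is left out.

```python
"""Build, sign and verify a DSSE-wrapped in-toto statement (added example)."""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"    # media type for in-toto statements
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"

# Constructed key material: a shared secret used with HMAC-SHA256 as a stand-in
# for the private key a real evidence signer would use. "keyid" is what a
# verifier uses to select the trusted key for this signature.
DEMO_KEYID = "demo-key-1"
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"


def build_statement(subject_name, subject_sha256, predicate_type, predicate):
    """Return an in-toto v1 Statement: subject digest + predicateType + predicate."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: DSSEv1 SP LEN(type) SP type SP LEN(body) SP body.
    Binding the payload type into the signed bytes prevents a signature over the
    same bytes from being accepted under a different payload type."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d " % (len(t), t, len(payload)) + payload


def _sign(key: bytes, message: bytes) -> bytes:
    # Placeholder signing primitive (HMAC); a real signer uses an asymmetric key.
    return hmac.new(key, message, hashlib.sha256).digest()


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Serialize the statement canonically, sign PAE(type, payload), wrap in DSSE."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = _sign(key, pae(PAYLOAD_TYPE, payload))
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, trusted_keys: dict) -> dict:
    """Accept the envelope only if a trusted key verifies; return the decoded statement."""
    payload = base64.b64decode(envelope["payload"])
    message = pae(envelope["payloadType"], payload)
    for entry in envelope.get("signatures", []):
        key = trusted_keys.get(entry["keyid"])
        if key is None:
            continue  # unknown signer: skip rather than fail open
        if hmac.compare_digest(_sign(key, message), base64.b64decode(entry["sig"])):
            statement = json.loads(payload)
            if statement.get("_type") != STATEMENT_TYPE:
                raise ValueError("payload is not an in-toto v1 Statement")
            return statement
    raise ValueError("no valid signature from a trusted key")


def tampered_copy(envelope: dict) -> dict:
    """Constructed tampering: rewrite the predicate but keep the original signature."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    statement["predicate"]["result"] = "passed"
    forged = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return {**envelope, "payload": base64.b64encode(forged).decode()}


def demo():
    """Sign a scan-result statement for a constructed artifact, verify it, then
    confirm that a modified payload is rejected. Returns (result, tamper_detected)."""
    artifact_digest = hashlib.sha256(b"constructed artifact bytes").hexdigest()
    statement = build_statement(
        "example-repo/app/1.0.0/app-1.0.0.jar", artifact_digest,        # constructed subject
        "https://example.com/evidence/scan-result/v1",                   # constructed predicate type
        {"scanner": "demo-scanner", "result": "failed", "critical": 2})  # constructed predicate
    envelope = sign_envelope(statement, DEMO_KEY, DEMO_KEYID)
    verified = verify_envelope(envelope, {DEMO_KEYID: DEMO_KEY})
    try:
        verify_envelope(tampered_copy(envelope), {DEMO_KEYID: DEMO_KEY})
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return verified["predicate"]["result"], tamper_detected


if __name__ == "__main__":
    print(demo())
```

The verifier only trusts keys it already holds, never a key carried inside the envelope, and it checks the signature before parsing the statement, so a policy engine that gates promotions on the predicate (for example, rejecting a release whose scan result is "failed") acts on data whose signature has been confirmed first.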