Evidence Management

JFrog Artifactory Documentation

Product: JFrog Artifactory
Content type: User Guide

Subscription Information

The ability to collect internal evidence generated by Artifactory requires a Pro license or above. Internal evidence generated by Xray requires a Pro X license or above.

The ability for users to attach external evidence to Artifactory requires an Enterprise+ license.

In the JFrog platform, evidence is signed metadata (often called an attestation) that attests to an action related to a designated subject, such as an artifact, a build, a Release Bundle, or an application version. Evidence serves as the unifying layer for proof and integrity across your entire software delivery lifecycle, enabling your organization to deliver trustworthy, compliant, and secure applications.

To use an analogy, evidence can be thought of as a verifiable digital passport for your binaries. Every time a binary crosses a border (meaning a defined stage in your organization's SDLC), a passport control agent (a tool such as JFrog Xray or GitHub Actions, for example) reviews the passport, signs off on it, and attaches an official, tamper-proof stamp (the attestation). This digital passport accompanies the binary throughout its journey in your SDLC, ensuring that auditors can view the complete, verified history of this binary without having to chase down papers of different types from multiple locations.

The Role of Evidence in a Secure and Compliant SDLC

For business leaders under immense pressure to meet the standards set by formal and internal regulations, relying on manual processes for software provenance is unsustainable and wastes developer time. JFrog Evidence is designed to solve these business and compliance challenges by providing the proof required before moving forward with any release.

The Evidence service generates a comprehensive audit trail that documents all the security, quality, and operational steps performed to produce a production-ready software release. This centralized, trusted audit trail helps increase visibility, eliminate risk, and ensure release readiness. By capturing proof of the process software went through as it matured, including tests, approvals, and actions, Evidence helps teams establish that software is ready for release. Ultimately, this capability simplifies auditing and compliance tracking throughout each application's lifespan, accelerating release decisions.

Core Principles: Attestation, Immutability, and Governance

JFrog Evidence is built upon three core pillars that guarantee the integrity and utility of the collected data:

  1. Attestation: Evidence files function as attestations: cryptographically signed metadata records that document an external process performed on a subject, such as test results, vulnerability scans, or official approvals. These attestations are collected from various tools and can be verified cryptographically.

  2. Immutability: The service maintains a single source of truth for the cryptographically signed attestation data attached to your release artifacts, making the audit trail immutable. This guarantees the integrity of the audit trail and saves time for teams and auditors by eliminating the need to search across multiple systems.

  3. Governance: The collection of verifiable data enables robust policy-based governance. This capability is crucial for automating Governance, Risk, and Compliance (GRC) efforts. Evidence can be reviewed to surface issues and is used as the basis for policies that gate promotions within AppTrust and Release Lifecycle Management.
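To make the first two principles concrete, the following Go program models an attestation the way the text describes it: a statement naming a subject by its digest and carrying a predicate (here, constructed test results), signed so that it can be verified and so that any change to the statement or any attempt to reuse it for a different binary is detected. This is an added example written for this page; it is not JFrog's evidence format, CLI, or API. It assumes an in-toto style statement layout, an Ed25519 key pair, a SHA-256 subject digest, and hypothetical function names (NewStatement, Sign, Verify).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is a minimal in-toto style attestation body (illustrative model,
// not JFrog's schema): the subject it is about and a predicate saying what
// was done to that subject.
type Statement struct {
	Type          string            `json:"_type"`
	Subject       []Subject         `json:"subject"`
	PredicateType string            `json:"predicateType"`
	Predicate     map[string]string `json:"predicate"`
}

// Subject identifies the artifact by name and content digest, so the
// evidence is bound to the bytes, not just to a file name.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is the signed form stored alongside the artifact: the serialized
// statement plus a detached signature over exactly those bytes.
type Envelope struct {
	Payload   string `json:"payload"`   // base64 of the JSON statement
	Signature string `json:"signature"` // base64 Ed25519 signature over the payload bytes
	KeyID     string `json:"keyid"`     // hex SHA-256 of the signing public key
}

var (
	ErrBadSignature    = errors.New("evidence: signature does not verify")
	ErrSubjectMismatch = errors.New("evidence: subject digest does not match artifact")
)

// NewStatement builds an unsigned statement for the given artifact bytes.
func NewStatement(name string, artifact []byte, predicateType string, predicate map[string]string) Statement {
	sum := sha256.Sum256(artifact)
	return Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: name, Digest: map[string]string{"sha256": hex.EncodeToString(sum[:])}}},
		PredicateType: predicateType,
		Predicate:     predicate,
	}
}

// Sign serializes the statement and signs the serialized bytes.
func Sign(stmt Statement, priv ed25519.PrivateKey) (Envelope, error) {
	payload, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, payload)
	pubSum := sha256.Sum256(priv.Public().(ed25519.PublicKey))
	return Envelope{
		Payload:   base64.StdEncoding.EncodeToString(payload),
		Signature: base64.StdEncoding.EncodeToString(sig),
		KeyID:     hex.EncodeToString(pubSum[:]),
	}, nil
}

// Verify checks the signature first and only then parses the payload, then
// confirms the statement's subject digest matches the artifact actually in
// hand, so a genuine attestation cannot be replayed against another binary.
func Verify(env Envelope, pub ed25519.PublicKey, artifact []byte) (Statement, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return Statement{}, err
	}
	sig, err := base64.StdEncoding.DecodeString(env.Signature)
	if err != nil {
		return Statement{}, err
	}
	if !ed25519.Verify(pub, payload, sig) {
		return Statement{}, ErrBadSignature
	}
	var stmt Statement
	if err := json.Unmarshal(payload, &stmt); err != nil {
		return Statement{}, err
	}
	sum := sha256.Sum256(artifact)
	want := hex.EncodeToString(sum[:])
	for _, s := range stmt.Subject {
		if s.Digest["sha256"] == want {
			return stmt, nil
		}
	}
	return Statement{}, ErrSubjectMismatch
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed sample artifact bytes") // stands in for a real binary
	stmt := NewStatement("example-app-1.2.3.tar.gz", artifact,
		"https://example.com/predicates/test-results/v1", // hypothetical predicate type
		map[string]string{"suite": "integration", "result": "passed"})
	env, _ := Sign(stmt, priv)
	if _, err := Verify(env, pub, artifact); err == nil {
		fmt.Println("evidence verified for", stmt.Subject[0].Name)
	}
	// The same envelope presented with a different binary is rejected.
	if _, err := Verify(env, pub, []byte("a different binary")); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The order of checks in Verify is deliberate: the signature is validated before the payload is parsed, so untrusted JSON is never interpreted, and the digest comparison is what turns a signed statement into evidence about this particular artifact rather than about a file name that could be reused.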

Evidence in the JFrog Ecosystem: A Platform-Wide Capability

Evidence is a platform-wide capability that collects information from anywhere in the SDLC to consolidate it into a single source of truth:

  • JFrog Artifactory: Artifactory acts as the anchor for the attestation by serving as the system of record. It enables users to attach evidence (signed metadata) to a designated subject, which can be an artifact, build, package, Release Bundle v2, or application version.

  • JFrog Xray: Xray is positioned as the platform's source of security evidence. When integrated with Xray, a Release Bundle v2 promotion results in the creation of additional evidence, such as scan results and an SBOM (Software Bill of Materials).

  • JFrog AppTrust: Evidence is an integral part of JFrog AppTrust, which automates software release governance and provides a central platform to manage security, compliance, and quality for enterprise applications through evidence-based policies. By integrating with Artifactory, Xray, and partners such as GitHub, AppTrust collects important software attestations (build attestations, test results, security scans, and approvals) as signed evidence. Collecting this cryptographically verifiable evidence and applying compliance policies across the SDLC gives AppTrust a trusted single source of truth for compliant application delivery.

  • Partner integrations: JFrog has teamed up with a variety of industry-leading partners to integrate evidence from their software directly in the JFrog Platform. For the list of integration partners, go to https://jfrog.com/integrations/ and select Evidence from the list of technologies.

Understanding Evidence Terminology

For more information about the terms and concepts related to evidence, see Evidence Glossary.