Subscription Information
The ability to collect internal evidence generated by Artifactory requires a Pro license or above. Internal evidence generated by Xray requires a Pro X license or above.
The ability for users to attach external evidence to Artifactory requires an Enterprise+ license.
Artifactory enables you to attach evidence (signed metadata) to a designated subject, such as an artifact, build, package, or Release Bundle v2. These evidence files act as attestations, providing a signed and verified record of an external process performed on the subject, for example, test results, vulnerability scans, and official approvals.
JFrog's Evidence service generates an audit trail that documents all the security, quality, and operational steps performed to produce a production-ready software release. It provides a seamless way to consolidate information from the tools and platforms used in software development into a single source of truth that you can track and verify for governance and compliance.
Note
The Evidence Collection service requires Artifactory release 7.104.2 or later.
You can use any tool to create and sign evidence about a process in your software development lifecycle (SDLC). Collectively, these evidence files can be used to maintain a complete record of your SDLC.
In addition, Artifactory creates internal evidence associated with Release Lifecycle Management operations, such as Release Bundle v2 promotion and distribution. When integrated with JFrog Xray, each Release Bundle v2 promotion results in the creation of additional evidence, such as scan results and an SBOM.
Evidence management enables you to:
Attach evidence to an artifact, package, build, or Release Bundle v2 using a REST API or the JFrog CLI.
View evidence in graphical form and in a table in the Artifacts tree.
Query evidence via GraphQL APIs. These queries can return either the list of evidence files attached to a particular subject or the contents of a specific evidence file. For more information, see Search Evidence and Get Evidence.
Create and apply policies in external applications (for example, Open Policy Agent) that use the information contained in evidence files to block Release Bundle promotions that violate those policies.
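The following Python script is an added illustration of the consumer side of evidence-based gating described above; it is not JFrog code and does not use the Artifactory REST, CLI, or GraphQL interfaces. It assumes an evidence file is a DSSE-style envelope whose payload is an in-toto style statement carrying a `subject` digest and a `predicateType`; the predicate type URIs, the repository path, and the artifact digests are constructed placeholders, and an HMAC-SHA256 over the DSSE pre-authentication encoding stands in for the asymmetric signature a real evidence file would carry. The policy it applies mirrors the kind of rule an external engine such as Open Policy Agent would enforce: a promotion is allowed only if a clean vulnerability scan and an approval are both present, each with a valid signature, and each bound to the digest of the subject actually being promoted.

```python
"""Policy gate over evidence attached to a subject (added illustration, not JFrog code).

Assumptions: evidence is a DSSE-style envelope wrapping an in-toto style
statement; HMAC-SHA256 stands in for a real asymmetric signature; predicate
type URIs, paths and digests below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
DEMO_KEY = b"demo-verification-key"  # constructed key for the demo only

# Hypothetical predicate types, not JFrog's published URIs.
SCAN_TYPE = "https://example.com/predicates/vulnerability-scan/v1"
APPROVAL_TYPE = "https://example.com/predicates/approval/v1"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: binds payload type and payload."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def make_evidence(statement: dict, key: bytes = DEMO_KEY) -> dict:
    """Wrap a statement in a signed envelope (constructed fixture builder)."""
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"sig": base64.b64encode(sig).decode()}]}


def open_evidence(envelope: dict, key: bytes = DEMO_KEY):
    """Return the decoded statement only if a signature verifies, else None."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return None
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    for s in envelope.get("signatures", []):
        if hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return json.loads(payload)
    return None


def promotion_decision(envelopes: list, subject_sha256: str):
    """Return (allowed, reasons): allowed only with a signed clean scan and a
    signed approval, both bound to exactly the given subject digest."""
    reasons, clean_scan, approved = [], False, False
    for env in envelopes:
        stmt = open_evidence(env)
        if stmt is None:
            reasons.append("evidence with invalid signature ignored")
            continue
        digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
        if digests != {subject_sha256}:  # evidence must be bound to this subject
            reasons.append(f"{stmt['predicateType']} not bound to subject; ignored")
            continue
        pred = stmt.get("predicate", {})
        if stmt["predicateType"] == SCAN_TYPE:
            if pred.get("critical", 0) == 0:
                clean_scan = True
            else:
                reasons.append(f"scan reports {pred['critical']} critical findings")
        elif stmt["predicateType"] == APPROVAL_TYPE and pred.get("approved") is True:
            approved = True
    if not clean_scan:
        reasons.append("no valid clean vulnerability scan")
    if not approved:
        reasons.append("no valid approval")
    return clean_scan and approved, reasons


# Constructed subjects: the artifact being promoted and an unrelated one.
ARTIFACT = hashlib.sha256(b"constructed artifact bytes").hexdigest()
OTHER = hashlib.sha256(b"some other artifact").hexdigest()


def statement(pred_type: str, predicate: dict, digest: str = ARTIFACT) -> dict:
    return {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": "libs-release-local/app/app-1.0.jar",  # placeholder path
                         "digest": {"sha256": digest}}],
            "predicateType": pred_type, "predicate": predicate}


GOOD = [make_evidence(statement(SCAN_TYPE, {"critical": 0, "high": 2})),
        make_evidence(statement(APPROVAL_TYPE, {"approved": True, "by": "qa-lead"}))]
# A scan signed with a key the verifier does not trust, plus an approval
# whose subject is a different artifact: neither may count for ARTIFACT.
BAD = [make_evidence(statement(SCAN_TYPE, {"critical": 0}), key=b"untrusted-key"),
       make_evidence(statement(APPROVAL_TYPE, {"approved": True}, digest=OTHER))]

if __name__ == "__main__":
    print(promotion_decision(GOOD, ARTIFACT))
    print(promotion_decision(BAD, ARTIFACT))
```

The two checks that matter here are the ones a policy engine can get wrong when it trusts the evidence list as given: a statement is only considered after its signature verifies, and only if its subject digest is exactly the digest of the artifact being promoted, which reflects the one-subject-per-evidence-file rule.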
Relationship Between Evidence Files and Subjects
Each evidence subject can have one or more evidence files attached to it. Each evidence file, however, may have only one subject. That subject must reside in a local or Federated repository.
After an evidence file has been attached to a subject (for example, an artifact or Release Bundle v2), the evidence follows the subject as it is promoted towards production. If a subject is copied or moved within Artifactory, its evidence is copied or moved with it.
Users can delete evidence files without affecting the subjects of those files. However, when a subject is deleted from Artifactory, all of its evidence is deleted as well. If the subject is later restored from the Trash Can, the associated evidence is restored. Evidence files cannot be restored from the Trash Can without also restoring their subject.
To Learn More
For more information about the ways you can manage evidence in Artifactory, see Working with Evidence.
For more information about the structure of evidence files, see Understanding Evidence Files.