Evidence Payload

JFrog Artifactory Documentation


The payload is the middle layer of the evidence file. It is an in-toto Statement, as defined by the in-toto attestation framework and shown below, and it carries the evidence predicate, which holds the actual claims being made about the subject. The payload is in turn wrapped inside the Evidence Envelope.

{
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {
            // Resource Descriptor
        }
    ],
    "predicateType": "{URL-Type}",
    "predicate": {
        // Predicate
    },
    "createdAt": "2222-01-01T00:00:00.000Z",
    "createdBy": "{username}",
    "markdown": {
                    // Predicate in markdown format
                }
}

The payload consists of the following elements:

Property

Description

_type

The _type for the JFrog platform is always https://in-toto.io/Statement/v1.

subject

Describes the entity associated with the evidence, as defined by its resource descriptor. Each evidence file must be associated with a single subject. For more information, see Evidence Resource Descriptor.

predicateType

A unique, URL-style identifier that serves as a schema or category for the evidence. The predicate type allows for programmatic querying and policy enforcement based on the evidence type.

Internal predicate types created within Artifactory include:

  • https://jfrog.com/evidence/promotion/v1

  • https://jfrog.com/evidence/distribution/v1

  • https://cyclonedx.org/bom/v1.4

  • https://spdx.dev/Document/v2.2

Examples of external predicate types include:

  • https://jfrog.com/evidence/test-results/v1

  • https://jfrog.com/evidence/approval/v1

Note

For more information about the CycloneDX standard, see https://cyclonedx.org.

For more information about the SPDX standard, see https://spdx.dev.

predicate

Contains the actual body of the evidence file: a set of arbitrary claims about the evidence subject. For more information, see Evidence Predicate.

createdAt

The time at which the evidence was created, not the time at which it was deployed to Artifactory. It is set by the tool that creates the evidence, so it reflects the creator's clock rather than a time attested by Artifactory.

Note

This property is a JFrog extension to the standard defined by the in-toto framework.

createdBy

The user who created the evidence.

Important

The createdBy property for evidence is populated from the user value in your local jfrog-cli.conf file, not from the identity of the token used for authentication with the JFrog platform. Because it is taken from client-side configuration rather than from an authenticated identity, treat it as informational only; base trust and policy decisions on the signature and signing key carried by the Evidence Envelope, not on this field.

Note

This property is a JFrog extension to the standard defined by the in-toto framework.

markdown

Optionally contains the predicate in Markdown format. This is a human-friendly rendering of the data contained in the predicate, and is primarily designed to be viewed in the platform UI.

Tip

When using the JFrog CLI to create evidence, use the --markdown flag to create a markdown version of the predicate.

Evidence Resource Descriptor

The resource descriptor, which is a mandatory element of the evidence payload, consists of a checksum that represents the evidence subject.

{
    "digest": {
        "sha256": "ec87961dbf..."
    }
}

The resource descriptor contains a single element:

Property

Description

digest.sha256

The checksum of the evidence subject.
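The following is an added example, not code from this page or from JFrog, that ties the payload layout and the resource descriptor together: it assembles a payload with the fields listed above, checks that a payload is structurally well formed (correct _type, exactly one subject, a 64-character lower-case hex sha256, a URL-style predicateType, a parseable createdAt), and verifies that the subject digest names the artifact bytes you actually hold. The helper names build_payload, validate_payload, subject_matches and example_payload, the sample artifact bytes, and the test-results predicate contents are all constructed for this example; the markdown value is passed through as a plain string, which is an assumption, since the page only says it holds the predicate rendered as Markdown.

```python
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

# Constructed stand-in for the artifact bytes held in Artifactory (not a real package).
SAMPLE_ARTIFACT = b"example-app-1.0.0.tgz (constructed sample contents)\n"


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA-256, the form used in digest.sha256."""
    return hashlib.sha256(data).hexdigest()


def build_payload(subject_bytes, predicate_type, predicate, created_by,
                  markdown=None, created_at=None):
    """Assemble a payload with the fields the page lists (hypothetical helper)."""
    if created_at is None:
        created_at = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    payload = {
        "_type": IN_TOTO_STATEMENT_V1,
        # Exactly one subject, described only by its checksum (the resource descriptor).
        "subject": [{"digest": {"sha256": sha256_hex(subject_bytes)}}],
        "predicateType": predicate_type,
        "predicate": predicate,
        "createdAt": created_at,
        # createdBy is self-asserted by the client; it is not an authenticated identity.
        "createdBy": created_by,
    }
    if markdown is not None:
        payload["markdown"] = markdown  # optional human-friendly rendering (string assumed)
    return payload


def validate_payload(payload):
    """Return a list of structural problems; an empty list means the payload is well formed."""
    problems = []
    if payload.get("_type") != IN_TOTO_STATEMENT_V1:
        problems.append("_type must be " + IN_TOTO_STATEMENT_V1)
    subjects = payload.get("subject")
    if not isinstance(subjects, list) or len(subjects) != 1:
        problems.append("subject must contain exactly one resource descriptor")
    else:
        first = subjects[0]
        digest = first.get("digest", {}).get("sha256") if isinstance(first, dict) else None
        if not isinstance(digest, str) or not SHA256_HEX.match(digest):
            problems.append("subject digest.sha256 must be 64 lower-case hex characters")
    ptype = payload.get("predicateType")
    if not isinstance(ptype, str) or not ptype.startswith(("https://", "http://")):
        problems.append("predicateType must be a URL-style identifier")
    if not isinstance(payload.get("predicate"), dict):
        problems.append("predicate must be a JSON object")
    try:
        # Same shape as the page's example value, 2222-01-01T00:00:00.000Z.
        datetime.strptime(payload.get("createdAt", ""), "%Y-%m-%dT%H:%M:%S.%fZ")
    except (TypeError, ValueError):
        problems.append("createdAt must be an RFC 3339 UTC timestamp such as 2222-01-01T00:00:00.000Z")
    if not isinstance(payload.get("createdBy"), str) or not payload["createdBy"]:
        problems.append("createdBy must be a non-empty string")
    return problems


def subject_matches(payload, artifact_bytes):
    """Check that the subject digest names the artifact you actually hold."""
    expected = payload["subject"][0]["digest"]["sha256"]
    return hmac.compare_digest(expected, sha256_hex(artifact_bytes))


def example_payload():
    """A test-results payload over SAMPLE_ARTIFACT; the predicate claims are constructed."""
    return build_payload(
        SAMPLE_ARTIFACT,
        "https://jfrog.com/evidence/test-results/v1",
        {"suite": "unit", "passed": 124, "failed": 0},  # constructed claims
        "ci-bot",
        markdown="| suite | passed | failed |\n|---|---|---|\n| unit | 124 | 0 |",
        created_at="2222-01-01T00:00:00.000Z",
    )


if __name__ == "__main__":
    payload = example_payload()
    print(json.dumps(payload, indent=2))
    print("problems:", validate_payload(payload))
    print("subject matches artifact:", subject_matches(payload, SAMPLE_ARTIFACT))
```

validate_payload only checks shape; it deliberately does not treat createdBy or createdAt as evidence of who made the statement or when, because both are supplied by the client. subject_matches is the check that actually binds the evidence to a concrete artifact: if the digest does not match the bytes you resolved from Artifactory, the evidence is about something else, however well formed it is.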