Get Evidence

Description: Returns the requested data for a single, known evidence file as defined by the One Model GraphQL query. Use the getEvidence query when you know the exact location of the evidence file you want to retrieve. This is useful for fetching the details of a specific attestation after you have identified it.

Important

When operating in a Self-Hosted environment, you must enable the Evidence service in the system.yamlArtifactory System YAML file as a prerequisite to using this endpoint. Add the following:

evidence:
  enabled: true

Tip

Use the Search Evidence API to return data about all the evidence files associated with a particular subject.

Since: 7.104.2

Security: Requires a valid token; requires Read permissions to the subject repository

Usage: POST /onemodel/api/v1/graphql

Sample query:

query {
  evidence {
    getEvidence(
      repositoryKey: "my-repo-key"
      path: "path/to/artifact/artifact-name.zip"
      name: "security-scan.json"
    ) {
      # Fields to retrieve
      predicateType
      verified
      predicate
    }
  }
}

Argument	Required/Optional	Type	Description
`repositoryKey`	required	string	The repository key where the evidence is stored.
`path`	required	string	The full path to the evidence file.
`name`	required	string	The name of the evidence file.
`sha256`	optional	Sha256	The SHA-256 checksum of the subject (can be used for precise matching).

Detailed Object Types

The object types that you include in the search query determine which data is returned about the evidence file.

Evidence Type

This type represents a single evidence record.

Field	Type	Description
`downloadPath`	string	The full path for downloading the evidence JSON file.
`name`	string	The name of the evidence file (for example, sbom.cyclonedx.json).
`sha256`	sha256	The checksum of the evidence file.
`subject`	EvidenceSubject	Details about the evidence subject.
`predicateType`	string	The URI type associated with the predicate.
`predicateSlug`	string	A simplified version of the `predicateType` provided for better readability. For example, the predicateType https://jfrog.com/evidence/release-bundle/v1 is shortened to release-bundle.
`predicate`	JSON	The contents of the claims contained in the evidence file. For more information, see Evidence Payload.Evidence Payload
`createdAt`	date	The timestamp of when the evidence file was created.
`createdBy`	string	The user or server who created the evidence.
`verified`	boolean	Indicates whether the evidence signature has been verified using the public key.
`signingKey`	EvidenceSigningKey	The name of the public key used to verify the evidence.
`providerId`	string	The ID of the system that provided the evidence.

EvidenceSubject Type

This type describes the artifact or build that represents the evidence subject.

Field	Type	Description
`repositoryKey`	string	The repository that contains the subject.
`fullPath`	string	The full path to the file (<repositoryKey>/<path>/<name>).
`name`	string	The filename of the subject.
`sha256`	sha256	The checksum of the subject.

EvidenceSigningKey Type

This type represents the key used to sign the evidence.

Field	Type	Description
`alias`	string	The alias of the signing key (for example, GPG-RSA).
`publicKey`	string	The public key used to verify the evidence signature.

Note

For details about fields that are common across all One Model domains, see One Model GraphQL Common Patterns and Conventions.

Status Codes:

Code	Message	Description
200	OK	The request was successful.
401	Bad Credentials	The request failed because the authentication token is invalid or expired.
403	Permission Denied	The request failed because the authenticated user does not have the required Read permissions for the subject repository.

Tip

For use cases and examples, see Get Evidence - Examples