The following examples demonstrate how to use the Get Evidence API effectively:
Example 1: Retrieve the full predicate
This query uses getEvidence to retrieve the predicate JSON so that you can inspect the contents of the specified evidence record.
Query:
query GetEvidencePredicate {
  evidence {
    getEvidence(
      repositoryKey: "generic-local"
      path: ".evidence/path/to/my-artifact.zip/security-scan-123.json"
      name: "security-scan-123.json"
    ) {
      predicateType
      predicate # <-- This contains the full JSON payload
    }
  }
}
cURL Request:
curl -X POST -H "Authorization: Bearer <YOUR_TOKEN>" -H "Content-Type: application/json" \
https://<YOUR_JFROG_URL>/onemodel/api/v1/graphql \
--data '{
"query": "query GetEvidencePredicate { evidence { getEvidence(repositoryKey: \"generic-local\", path: \".evidence/path/to/my-artifact.zip/security-scan-123.json\", name: \"security-scan-123.json\") { predicateType predicate } } }"
}'
Sample Response:
{
  "data": {
    "evidence": {
      "getEvidence": {
        "predicateType": "https://jfrog.com/evidence/security/scan/v1",
        "predicate": {
          "scanner": {
            "name": "JFrog Xray",
            "version": "4.2.0"
          },
          "summary": {
            "critical": 5,
            "high": 12,
            "medium": 3,
            "low": 0
          },
          "issues": [
            {
              "cve": "CVE-2023-12345",
              "severity": "Critical",
              "component": "log4j:log4j:1.2.17"
            }
          ]
        }
      }
    }
  }
}

Example 2: Get evidence and verify signing information
This example fetches a specific evidence record and its signing key details. In a real-world script, you would use the returned publicKey to programmatically verify the evidence signature, which is downloaded separately.
Query:
query GetAndVerifySignature {
  evidence {
    getEvidence(
      repositoryKey: "generic-local"
      path: ".evidence/path/to/my-artifact.zip/sbom-456.json"
      name: "sbom-456.json"
    ) {
      name
      verified # <-- Check if JFrog has already verified it
      signingKey {
        alias
        publicKey # <-- Use this key for external verification
      }
    }
  }
}
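The following Python client ties Example 1 and Example 2 together as an added example; it is not JFrog's own code. It sends the request the cURL example shows, but passes repositoryKey, path and name as GraphQL variables rather than splicing them into the query string, then treats GraphQL errors and a null getEvidence result as failures, reads the signing key the way Example 2 describes, and applies a policy gate over the security-scan predicate from Example 1. The endpoint path, field names and the sample payload come from the documentation above; the variable types (String!), the thresholds, and the sample signingKey values are assumptions of this example.

```python
"""Client helpers for the Get Evidence GraphQL API (added example, not JFrog code).

Assumptions: argument types are String!; the policy thresholds and the
constructed sample below are illustrative only.
"""
import json
import urllib.request

# Constructed sample response: Example 1's predicate merged with the name,
# verified and signingKey fields selected in Example 2.
SAMPLE_RESPONSE = {
    "data": {"evidence": {"getEvidence": {
        "name": "security-scan-123.json",
        "predicateType": "https://jfrog.com/evidence/security/scan/v1",
        "predicate": {
            "scanner": {"name": "JFrog Xray", "version": "4.2.0"},
            "summary": {"critical": 5, "high": 12, "medium": 3, "low": 0},
            "issues": [{"cve": "CVE-2023-12345", "severity": "Critical",
                        "component": "log4j:log4j:1.2.17"}],
        },
        "verified": True,
        "signingKey": {"alias": "ci-signing-key",  # constructed placeholder
                       "publicKey": "-----BEGIN PUBLIC KEY-----\n<placeholder>\n-----END PUBLIC KEY-----"},
    }}}
}

# Variables keep user-supplied paths and names out of the query text itself.
GET_EVIDENCE_QUERY = """
query GetEvidence($repositoryKey: String!, $path: String!, $name: String!) {
  evidence {
    getEvidence(repositoryKey: $repositoryKey, path: $path, name: $name) {
      name
      predicateType
      predicate
      verified
      signingKey { alias publicKey }
    }
  }
}
"""


def build_request(base_url, token, repository_key, path, name):
    """Build the POST request; the bearer token travels in a header, never in the URL."""
    body = json.dumps({
        "query": GET_EVIDENCE_QUERY,
        "variables": {"repositoryKey": repository_key, "path": path, "name": name},
    }).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + "/onemodel/api/v1/graphql",
        data=body,
        method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )


def fetch_evidence(base_url, token, repository_key, path, name, timeout=30):
    """Perform the call against a live instance (needs network; not run offline)."""
    req = build_request(base_url, token, repository_key, path, name)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def parse_get_evidence(response):
    """Return the getEvidence record; GraphQL errors or a null record are failures."""
    if response.get("errors"):
        raise ValueError("GraphQL errors: " + json.dumps(response["errors"]))
    record = ((response.get("data") or {}).get("evidence") or {}).get("getEvidence")
    if record is None:
        raise ValueError("evidence record not found")
    return record


def signing_key(record):
    """Return (alias, publicKey) for external signature verification, or fail loudly."""
    key = record.get("signingKey") or {}
    if not key.get("publicKey"):
        raise ValueError("evidence carries no signing key")
    return key.get("alias"), key["publicKey"]


def evaluate_scan(record, max_critical=0, max_high=10):
    """Policy gate over a security-scan predicate: returns (passed, reasons)."""
    reasons = []
    if not record.get("verified"):
        reasons.append("evidence not verified by the platform")
    summary = (record.get("predicate") or {}).get("summary") or {}
    if summary.get("critical", 0) > max_critical:
        reasons.append("critical findings: %d > %d" % (summary["critical"], max_critical))
    if summary.get("high", 0) > max_high:
        reasons.append("high findings: %d > %d" % (summary["high"], max_high))
    return (not reasons, reasons)


if __name__ == "__main__":
    rec = parse_get_evidence(SAMPLE_RESPONSE)
    print("signing key alias:", signing_key(rec)[0])
    print("policy result:", evaluate_scan(rec))
```

The gate deliberately fails closed: a missing record, a GraphQL error, an absent signing key or an unverified flag all surface as explicit failures instead of an empty summary that would pass every threshold. Verifying the separately downloaded signature against publicKey depends on the signature format, which this page does not specify, so that step is left to the caller.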