Description: Returns the requested data for a single, known evidence file as defined by the One Model GraphQL query. Use the getEvidence query when you know the exact location of the evidence file you want to retrieve. This is useful for fetching the details of a specific attestation after you have identified it.
Important
When operating in a Self-Hosted environment, you must enable the Evidence service in the system.yaml file as a prerequisite to using this endpoint. Add the following:
evidence: enabled: true
Tip
Use the Search Evidence API to return data about all the evidence files associated with a particular subject.
Since: 7.104.2
Security: Requires a valid token; requires Read permissions to the subject repository
Usage: POST /onemodel/api/v1/graphql
Sample query:
query {
evidence {
getEvidence(
repositoryKey: "my-repo-key"
path: "path/to/artifact/artifact-name.zip"
name: "security-scan.json"
) {
# Fields to retrieve
predicateType
verified
predicate
}
}
}
Argument | Required/Optional | Type | Description |
|---|---|---|---|
| required | string | The repository key where the evidence is stored. |
| required | string | The full path to the evidence file. |
| required | string | The name of the evidence file. |
| optional | Sha256 | The SHA-256 checksum of the subject (can be used for precise matching). |
Detailed Object Types
The object types that you include in the search query determine which data is returned about the evidence file.
Evidence Type
This type represents a single evidence record.
Field | Type | Description |
|---|---|---|
| string | The full path for downloading the evidence JSON file. |
| string | The name of the evidence file (for example, sbom.cyclonedx.json). |
| sha256 | The checksum of the evidence file. |
| EvidenceSubject (see below) | Details about the evidence subject. |
| string | The URI type associated with the predicate. |
| string | A simplified version of the For example, the predicateType https://jfrog.com/evidence/release-bundle/v1 is shortened to release-bundle. |
| JSON | The contents of the claims contained in the evidence file. For more information, see Evidence Payload. |
| date | The timestamp of when the evidence file was created. |
| string | The user or server who created the evidence. |
| boolean | Indicates whether the evidence signature has been verified using the public key. |
| EvidenceSigningKey (see below) | The name of the public key used to verify the evidence. |
| string | The ID of the system that provided the evidence. |
EvidenceSubject Type
This type describes the artifact or build that represents the evidence subject.
Field | Type | Description |
|---|---|---|
| string | The repository that contains the subject. |
| string | The directory path of the subject. |
| string | The filename of the subject. |
| sha256 | The checksum of the subject. |
EvidenceSigningKey Type
This type represents the key used to sign the evidence.
Field | Type | Description |
|---|---|---|
| string | The alias of the signing key (for example, GPG-RSA). |
| string | The public key used to verify the evidence signature. |
Note
For details about fields that are common across all One Model domains, see One Model GraphQL Common Patterns and Conventions.
Status Codes:
Code | Message | Description |
|---|---|---|
200 | OK | The request was successful. |
401 | Bad Credentials | The request failed because the authentication token is invalid or expired. |
403 | Permission Denied | The request failed because the authenticated user does not have the required Read permissions for the subject repository. |
Use Cases and Examples
The following examples demonstrate how to use the Get Evidence API effectively.
Example 1: Retrieve the full predicate
This query uses getEvidence to retrieve the predicate JSON so that you can inspect the contents of the specified evidence record.
Query:
query GetEvidencePredicate {
evidence {
getEvidence(
repositoryKey: "generic-local"
path: ".evidence/path/to/my-artifact.zip/security-scan-123.json"
name: "security-scan-123.json"
) {
predicateType
predicate # <-- This contains the full JSON payload
}
}
}
cURL Request:
curl -X POST -H "Authorization: Bearer <YOUR_TOKEN>" -H "Content-Type: application/json" \
https://<YOUR_JFROG_URL>/onemodel/api/v1/graphql \
--data '{
"query": "query GetEvidencePredicate { evidence { getEvidence(repositoryKey: \"generic-local\", path: \".evidence/path/to/my-artifact.zip/security-scan-123.json\", name: \"security-scan-123.json\") { predicateType predicate } } }"
}'
Sample Response:
{
"data": {
"evidence": {
"getEvidence": {
"predicateType": "https://jfrog.com/evidence/security/scan/v1",
"predicate": {
"scanner": {
"name": "JFrog Xray",
"version": "4.2.0"
},
"summary": {
"critical": 5,
"high": 12,
"medium": 3,
"low": 0
},
"issues": [
{
"cve": "CVE-2023-12345",
"severity": "Critical",
"component": "log4j:log4j:1.2.17"
}
]
}
}
}
}
}Example 2: Get evidence and verify signing information
This example fetches a specific evidence record and its signing key details. In a real-world script, you would use the returned publicKey to programmatically verify the evidence signature, which is downloaded separately.
query GetAndVerifySignature {
evidence {
getEvidence(
repositoryKey: "generic-local"
path: ".evidence/path/to/my-artifact.zip/sbom-456.json"
name: "sbom-456.json"
) {
name
verified # <-- Check if JFrog has already verified it
signingKey {
alias
publicKey # <-- Use this key for external verification
}
}
}
}