Get Evidence

JFrog REST APIs

Description: Returns the requested data for the evidence file defined by the GraphQL query. Use the query to determine what data about the file is returned.

Tip

Use the Search Evidence API to return data about all the evidence files associated with a particular subject.

Since: 7.104.2

Security: Requires a valid token; requires Read permissions to the subject repository

Usage: POST /onemodel/api/v1/graphql

Sample Usage:

curl --location -X POST -H "Content-Type: application/json" -H "Authorization: Bearer *******" https://johnf.company.io/onemodel/api/v1/graphql -d '{"query":""}'

Sample query in GraphQL format (for readability):

{
  evidence {
    getEvidence(name: "code-review-1740575440462.json") {
      downloadPath
      subject {
        repositoryKey
        path
        name
      }
      sha256
      predicateSlug
      predicateCategory
      predicateType
      predicate
      createdAt
      createdBy
      verified
      signingKey {
        alias
      }
    }
  }
}

Sample query after conversion to JSON (for purposes of execution):

{
  "query": "{ evidence { getEvidence( name: \"code-review-1740575440462.json\") { downloadPath subject { repositoryKey path name } sha256 predicateSlug predicateCategory predicateType predicate createdAt createdBy verified signingKey { alias } } }}"
}

Tip

Use a GraphQL to JSON body converter (available online) to create the proper payload for the REST API POST request. Alternatively, the GraphQL query can be used in tools such as GraphiQL.

The query uses the following criteria to determine which evidence file to include in the response:

| Property | Sub-property | Mandatory/Optional | Description |
|---|---|---|---|
| downloadPath | | optional | The full repository path of the evidence file, which can be used for downloading the file. |
| subject | | | The evidence subject. |
| | repositoryKey | optional | The name of the repository that contains the evidence file. |
| | path | optional | The directory path + filename of the evidence subject. |
| | name | optional | The filename of the evidence file. |
| sha256 | | optional | The checksum of the subject. |

The search query can include one or more of the following properties, which determine the data fields to return from the evidence file:

| Property | Description |
|---|---|
| sha256 | The checksum of the evidence file. |
| predicateSlug | A simplified version of the predicateType (after removing the http:// or https:// scheme, the query string, the trailing version, and the jfrog.com domain) provided for better readability. For example, the predicateType https://jfrog.com/evidence/release-bundle/v1 is shortened to release-bundle. |
| predicateCategory | The category in which the evidence file is classified, as defined by the predicateType. Categories include: Audit (for example, approvals); Quality (for example, test results); Security (for example, evidence related to SAST and code scans); Workflow (for example, internal evidence relating to the promotion and distribution of Release Bundles); Custom (other types of external evidence attached by the user). |
| predicateType | The URL type associated with the predicate. For more information, see Evidence Payload. |
| predicate | The contents of the claims made in the evidence file. |
| createdAt | The timestamp of when the evidence file was created. |
| createdBy | The user who created the evidence. |
| verified | Whether the evidence has been verified on the server side in Artifactory using the public key. |
| signingKey.alias | The name of the public key used to verify the evidence. |

Sample response:

{
    "data": {
        "evidence": {
            "getEvidence": {
                "downloadPath": "graph-repo/.evidence/8aba4330bb05cb8a8900f01118de6cdbcd8be6f0b43021cd80245ed13bf71ad9/f87e4c72e60300b451739d545afc0251a6e2f4bd1beaa1902ba739455897ecb8/code-review-1741006559813.json",
                "repositoryKey": "graph-repo",
                "path": "commons-1.0.0.txt",
                "subject": {
                    "repositoryKey": "graph-repo",
                    "path": "commons-1.0.0.txt",
                    "name": "code-review-1741006559813.json"
                },
                "sha256": "1eabcddc540892a292d59303b0cc6cee32750731b2c794fb2e603b1e98e0811f",
                "predicateSlug": "code-review",
                "predicateCategory": "Custom",
                "predicateType": "https://jfrog.com/evidence/code-review/v0.1",
                "predicate": {
                    "commiter": "Dennis Sheridan",
                    "review-result": "PASSED",
                    "reviewLink": "https://git.jfrog.com/commons/abc",
                    "reviewer": "Mickey Keller",
                    "timestamp": "2030-01-01T00:00:00.000Z"
                },
                "createdAt": "2025-01-01T00:00:00.000Z",
                "createdBy": "admin",
                "verified": true,
                "publicKey": {}
            }
        }
    }
}
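
The following is an added example, not JFrog's code: it builds the POST body for the sample query locally instead of using a converter, and checks the returned fields (verified, predicateType, signingKey.alias, sha256) before the evidence is relied on. The function names, the allow-list of signing key aliases and the alias in the constructed response are assumptions; `errors` is the standard GraphQL error member.

```python
import json
import re

# Field selection copied from the page's sample query.
FIELDS = ("downloadPath subject { repositoryKey path name } sha256 "
          "predicateSlug predicateCategory predicateType predicate "
          "createdAt createdBy verified signingKey { alias }")

def build_body(evidence_name):
    """Return the JSON body to POST to /onemodel/api/v1/graphql."""
    # JSON string escaping is also valid GraphQL string escaping, so the
    # name stays a single string literal whatever characters it contains.
    literal = json.dumps(evidence_name)
    query = "{ evidence { getEvidence( name: %s) { %s } }}" % (literal, FIELDS)
    return json.dumps({"query": query})

def check_evidence(response_text, expected_type, trusted_aliases):
    """Return the reasons not to rely on the evidence; empty list means pass."""
    doc = json.loads(response_text)
    problems = []
    if doc.get("errors"):  # standard GraphQL error member
        problems.append("GraphQL errors returned")
    ev = ((doc.get("data") or {}).get("evidence") or {}).get("getEvidence")
    if not ev:
        return problems + ["no evidence returned"]
    if ev.get("verified") is not True:
        problems.append("not verified by the server")
    if ev.get("predicateType") != expected_type:
        problems.append("unexpected predicateType")
    if (ev.get("signingKey") or {}).get("alias") not in trusted_aliases:
        problems.append("signing key alias not in allow-list")
    if not re.fullmatch(r"[0-9a-f]{64}", ev.get("sha256") or ""):
        problems.append("sha256 is not a 64-character hex digest")
    return problems

# Constructed response: values follow the page's sample; the alias is made up.
SAMPLE = json.dumps({"data": {"evidence": {"getEvidence": {
    "sha256": "1eabcddc540892a292d59303b0cc6cee32750731b2c794fb2e603b1e98e0811f",
    "predicateType": "https://jfrog.com/evidence/code-review/v0.1",
    "verified": True,
    "signingKey": {"alias": "example-key-alias"},
}}}})

if __name__ == "__main__":
    print(build_body("code-review-1740575440462.json"))
    print(check_evidence(SAMPLE, "https://jfrog.com/evidence/code-review/v0.1",
                         {"example-key-alias"}))
```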

Status Codes:

| Code | Description |
|---|---|
| 200 | OK |
| 401 | Bad Credentials |
| 403 | Permission Denied |