Search Evidence


Description: Returns the requested data about evidence files associated with the subject defined by the criteria in the One Model GraphQL query. Use the query to define which subjects should return evidence and what evidence data is included about each one.

Tip

Use the Get Evidence API to return the details of a specific evidence file returned by this API.

Since: 7.104.2

Security: Requires a valid token; requires Read permissions to the subject repository

Usage: POST /onemodel/api/v1/graphql

Sample Usage:

curl --location -X POST -H "Content-Type: application/json" -H "Authorization: Bearer *******" https://johnf.company.io/onemodel/api/v1/graphql -d '{"query":""}'

Sample query in GraphQL format (for readability):

{
  evidence {
    searchEvidence(
      where: {
        hasSubjectWith: {
          repositoryKey: "graph-repo"
        }
      }
    ) {
      totalCount
      pageInfo {
        hasNextPage
        hasPreviousPage
        startCursor
        endCursor
      }
      edges {
        cursor
        node {
          name
          path
          repositoryKey
          downloadPath
          sha256
          predicateSlug
          subject {
            repositoryKey
            path
            name
          }
          predicateType
          predicate
          createdAt
          createdBy
          verified
          signingKey {
            alias
          }
        }
      }
    }
  }
}

Sample query after conversion to JSON (for purposes of execution):

{
  "query": "{ evidence { searchEvidence( where: {hasSubjectWith: {repositoryKey: \"commons-dev-generic-local\", path: \"1/a\", name: \"file.txt\", sha256:\"69d29925ba75eca8e67e0ad99d1132b47d599c206382049bc230f2edd2d3af30\"}} ) { totalCount pageInfo { hasNextPage hasPreviousPage startCursor endCursor } edges { cursor node { name path repositoryKey downloadPath sha256 predicateSlug predicateCategory predicateType predicate createdAt createdBy verified publicKey { alias } } } } }}"
}

{
  "query": "{ evidence { searchEvidence( where: { hasSubjectWith: { repositoryKey: \"graph-repo\" } } ) { totalCount edges { node { downloadPath path name subject { repositoryKey path name } predicateType predicate createdBy } } } }}"
}

Tip

Use a GraphQL to JSON body converter (available online) to create the proper payload for the REST API POST request. Alternatively, the GraphQL query can be used in tools such as GraphiQL.

The search query uses the following filter criteria to determine which evidence subjects are included in the response:

| Field | Subfield | Mandatory/Optional | Description |
|---|---|---|---|
| hasSubjectWith | | | Defines the filter criteria related to the evidence subject. |
| | repositoryKey | optional | The repository key related to the evidence file. Note: If the repositoryKey is not defined, the default release-bundles-v2 repository is used. |
| | path | optional | The directory path. |
| | name | optional | The subject filename. |
| | sha256 | optional | The checksum of the subject. |

The search query can include one or more of the following fields, which determine the data to return from each evidence file associated with the defined subject:

| Field | Subfield | Description |
|---|---|---|
| node | | Defines which data to return from each evidence file associated with the defined subject. |
| | downloadPath | The full repository path of the evidence file, which can be used for downloading the file. |
| | subject | Details about the evidence subject. path: The directory path of the evidence subject + the filename of the subject. name: The name of the evidence file. repositoryKey: The name of the repository that contains the evidence file. |
| | sha256 | The checksum of the evidence file. |
| | predicateSlug | A simplified version of the predicateType (after removing the http:// or https:// schema, the query string, the trailing version, and the jfrog.com domain) provided for better readability. For example, the predicateType https://jfrog.com/evidence/release-bundle/v1 is shortened to release-bundle. |
| | predicateCategory | The category in which the evidence file is classified. Categories include: Audit (for example, approvals); Quality (for example, test results); Security (for example, evidence related to SAST and code scans); Workflow (for example, internal evidence relating to the promotion and distribution of Release Bundles); Custom (other types of external evidence attached by the user). |
| | predicateType | The URL type associated with the predicate. For more information, see Evidence Payload. |
| | predicate | The contents of the claims made in the evidence file. |
| | createdAt | The timestamp of when the evidence file was created. |
| | createdBy | The user who created the evidence. |
| | verified | Whether the evidence has been verified on the server side in Artifactory using the public key. |
| | signingKey.alias | The name of the public key used to verify the evidence. |

Note

As a general rule, it is recommended to limit the response data to those fields that are actually of interest. It is also recommended to avoid including fields such as predicate, which are relatively data-heavy. After returning the list of evidence files associated with the subject, you can use the Get Evidence API to return the predicate (that is, the contents) of the specific evidence file you are interested in.

Note

For details about fields that are common across all One Model domains, see One Model GraphQL Common Patterns and Conventions.

Sample response:

Response to the first JSON query above:

{
  "data": {
    "evidence": {
      "searchEvidence": {
        "pageInfo": {
          "hasNextPage": false,
          "hasPreviousPage": false,
          "startCursor": "ZXZpZGVuY2U6MQ==",
          "endCursor": "ZXZpZGVuY2U6OA=="
        },
        "edges": [
          {
            "cursor": "ZXZpZGVuY2U6MQ==",
            "node": {
              "path": "1/a/file.txt",
              "repositoryKey": "commons-dev-generic-local",
              "downloadPath": "commons-dev-generic-local/.evidence/f9f3100eea27f7884a9f3e6883d22191cc6cfd4a5421f2617bcf6b42f9a2f7a1/69d29925ba75eca8e67e0ad99d1132b47d599c206382049bc230f2edd2d3af30/code-review-1723466456662.json",
              "sha256": "8b252e932373e05f82e5e1771505cae1e485736c2a48530c0ddc9fb3ae0a7767",
              "predicateSlug": "code-review",
              "createdAt": "2025-01-01T00:00:00.000Z",
              "createdBy": "admin",
              "verified": false,
              "publicKey": {
                "alias": "RSA-4096"
              }
            }
          },
          {
            "cursor": "ZXZpZGVuY2U6NQ==",
            "node": {
              "name": "code-review-1723477086000.json",
              "path": "1/a/file.txt",
              "repositoryKey": "commons-dev-generic-local",
              "downloadPath": "commons-dev-generic-local/.evidence/f9f3100eea27f7884a9f3e6883d22191cc6cfd4a5421f2617bcf6b42f9a2f7a1/69d29925ba75eca8e67e0ad99d1132b47d599c206382049bc230f2edd2d3af30/code-review-1723477086000.json",
              "sha256": "e4dea090445947bf1b1657ad3f1e06948d5d9951d6ec22ded8efc056c26c4a21",
              "predicateSlug": "code-review",
              "predicateCategory": "Custom",
              "predicateType": "https://jfrog.com/evidence/code-review/v0.1",
              "predicate": {
                "commiter": "Dennis Sheridan",
                "review-result": "PASSED",
                "reviewLink": "https://git.jfrog.com/commons/abc",
                "reviewer": "Itay Keller",
                "timestamp": "2030-01-01T00:00:00.000Z"
              },
              "createdAt": "2025-01-01T00:00:00.000Z",
              "createdBy": "super-long-token-name-that-breaks-creating-and-promoting-rele...",
              "verified": false,
              "publicKey": {
                "alias": "RSA-4096"
              }
            }
          },
          {
            "cursor": "ZXZpZGVuY2U6OA==",
            "node": {
              "name": "code-review-1723482847592.json",
              "path": "1/a/file.txt",
              "repositoryKey": "commons-dev-generic-local",
              "downloadPath": "commons-dev-generic-local/.evidence/f9f3100eea27f7884a9f3e6883d22191cc6cfd4a5421f2617bcf6b42f9a2f7a1/69d29925ba75eca8e67e0ad99d1132b47d599c206382049bc230f2edd2d3af30/code-review-1723482847592.json",
              "sha256": "e4dea090445947bf1b1657ad3f1e06948d5d9951d6ec22ded8efc056c26c4a21",
              "predicateSlug": "code-review",
              "predicateCategory": "Custom",
              "predicateType": "https://jfrog.com/evidence/code-review/v0.1",
              "predicate": {
                "commiter": "Dennis Sheridan",
                "review-result": "PASSED",
                "reviewLink": "https://git.jfrog.com/commons/abc",
                "reviewer": "Mickey Keller",
                "timestamp": "2030-01-01T00:00:00.000Z"
              },
              "createdAt": "2025-01-01T00:00:00.000Z",
              "createdBy": "super-long-token-name-that-breaks-creating-and-promoting-rele...",
              "verified": false,
              "publicKey": {
                "alias": "RSA-4096"
              }
            }
          }
        ]
      }
    }
  }
}

Response to the second JSON query above (filtered by repositoryKey only):

{
  "data": {
    "evidence": {
      "searchEvidence": {
        "totalCount": 1,
        "edges": [
          {
            "node": {
              "downloadPath": "graph-repo/.evidence/8aba4330bb05cb8a8900f01118de6cdbcd8be6f0b43021cd80245ed13bf71ad9/f87e4c72e60300b451739d545afc0251a6e2f4bd1beaa1902ba739455897ecb8/code-review-1741006559813.json",
              "path": "commons-1.0.0.txt",
              "name": "code-review-1741006559813.json",
              "subject": {
                "repositoryKey": "graph-repo",
                "path": "commons-1.0.0.txt",
                "name": "code-review-1741006559813.json"
              },
              "predicateType": "https://jfrog.com/evidence/code-review/v0.1",
              "predicate": {
                "commiter": "Admin",
                "review-result": "PASSED",
                "reviewLink": "https://git.jfrog.com/commons/abc",
                "reviewer": "Superadmin",
                "timestamp": "2030-01-01T00:00:00.000Z"
              },
              "createdBy": "admin"
            }
          }
        ]
      }
    }
  }
}
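
An added example, not JFrog's own code: building the JSON request body locally instead of with an online converter, and listing evidence whose verified flag is not true. The function names, the field selection and the sample response are constructed for illustration; the filter subfields and node fields are the ones documented on this page.

```python
import json

ALLOWED_FILTERS = ("repositoryKey", "path", "name", "sha256")  # hasSubjectWith subfields
# 'predicate' is deliberately not requested: the page notes it is data-heavy.
NODE_FIELDS = "name path repositoryKey downloadPath sha256 predicateSlug createdBy verified"

# Constructed response for illustration (not real server output).
SAMPLE_RESPONSE = json.dumps({"data": {"evidence": {"searchEvidence": {"edges": [
    {"node": {"name": "code-review-a.json", "verified": True,
              "downloadPath": "example-repo/.evidence/a/code-review-a.json"}},
    {"node": {"name": "code-review-b.json", "verified": False,
              "downloadPath": "example-repo/.evidence/b/code-review-b.json"}},
]}}}})


def build_payload(**filters):
    """Return the JSON request body for POST /onemodel/api/v1/graphql."""
    unknown = set(filters) - set(ALLOWED_FILTERS)
    if unknown:
        raise ValueError(f"unsupported filter(s): {sorted(unknown)}")
    # json.dumps produces a quoted, escaped string literal, so a value that
    # contains quotes or backslashes cannot break out of the GraphQL string.
    where = ", ".join(f"{k}: {json.dumps(str(filters[k]))}"
                      for k in ALLOWED_FILTERS if k in filters)
    query = (
        "{ evidence { searchEvidence( where: { hasSubjectWith: { %s } } ) "
        "{ totalCount pageInfo { hasNextPage endCursor } "
        "edges { cursor node { %s } } } } }" % (where, NODE_FIELDS)
    )
    return json.dumps({"query": query})


def unverified(response_text):
    """List (name, downloadPath) for evidence whose 'verified' flag is not true."""
    body = json.loads(response_text)
    if body.get("errors"):  # standard GraphQL error array, if the server returns one
        raise RuntimeError(body["errors"])
    edges = body["data"]["evidence"]["searchEvidence"]["edges"]
    return [(e["node"]["name"], e["node"]["downloadPath"])
            for e in edges if e["node"].get("verified") is not True]


if __name__ == "__main__":
    print(build_payload(repositoryKey="graph-repo"))
    print(unverified(SAMPLE_RESPONSE))
```

The string returned by build_payload can be passed as the -d argument of the curl call shown under Sample Usage.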

Status Codes:

| Code | Description |
|---|---|
| 200 | OK |
| 401 | Bad Credentials |
| 403 | Permission Denied |