Search Evidence (GraphQL)

JFrog REST APIs

Description: Returns the requested data from all evidence records associated with the specified subject, as defined by the One Model GraphQL query.

Important

When operating in a Self-Hosted environment, you must enable the Evidence service in the Artifactory system.yaml file as a prerequisite to using this endpoint. Add the following:

evidence:
  enabled: true

Tip

Use the Get Evidence API to return the details of a specific evidence file returned by this API.

Since: 7.104.2

Security: Requires a valid token; requires Read permissions to the subject repository

Usage: POST /onemodel/api/v1/graphql

Sample query:

query {
  evidence {
    searchEvidence(
      where: {
        hasSubjectWith: {
          repositoryKey: "my-repo-key"
          path: "images"
          name: "my-artifact.jar"
        }
      }
    ) {
      totalCount
      edges {
        node {
          name
          predicateType
        }
      }
    }
  }
}

Input Types

| Input Type | Field | Required/Optional | Type | Description |
|---|---|---|---|---|
| EvidenceWhereInput | hasSubjectWith | required | EvidenceSubjectWhereInput! | Subject parameters to search for evidence. |
| EvidenceSubjectWhereInput | repositoryKey | required | string | The repository key where the evidence is stored. |
| EvidenceSubjectWhereInput | path | required | string | The full path to the evidence. |
| EvidenceSubjectWhereInput | name | required | string | The name of the evidence file. |
| EvidenceSubjectWhereInput | sha256 | optional | Sha256 | The SHA-256 checksum of the subject (can be used for precise matching). |
| EvidenceSubjectToEvidenceWhereInput | predicateCategory | optional | string | Filters by predicate category (for example, distribution). |
| EvidenceSubjectToEvidenceWhereInput | predicateType | optional | string | Filters by predicate type. |
| EvidenceSubjectToEvidenceWhereInput | verified | optional | boolean | Filters by verification status. |
| EvidenceSubjectToEvidenceWhereInput | createdBy | optional | string | Filters by creator (e.g. user@example.com). |
| EvidenceSubjectToEvidenceWhereInput | stageName | optional | string | Filters by stage (dev, qa, etc.). |
| EvidenceSubjectToEvidenceWhereInput | createdAfter | optional | date | Filters by evidence created on or after a defined date. |
| EvidenceSubjectToEvidenceWhereInput | createdBefore | optional | date | Filters by evidence created on or before a defined date. |
| EvidenceOrderInput | field | required | EvidenceOrderField! | Field to order results by (e.g., CREATED_AT, NAME). |
| EvidenceOrderInput | direction | optional | ! | Direction to order by, ASC (ascending) or DESC (descending). The default is ASC. |

Output Types

The output types that you include in the search query determine the output you receive from the search results.

Evidence Type

This type represents a single evidence record.

| Field | Type | Description |
|---|---|---|
| id | string | A unique identifier. |
| downloadPath | string | The full path for downloading the evidence JSON file. |
| name | string | The name of the evidence file (for example, sbom.cyclonedx.json). |
| sha256 | sha256 | The checksum of the evidence file. |
| subject | EvidenceSubject | Details about the evidence subject. |
| predicateType | string | The URI type associated with the predicate. |
| predicateSlug | string | A simplified version of the predicateType provided for better readability. For example, the predicateType https://jfrog.com/evidence/release-bundle/v1 is shortened to release-bundle. |
| predicate | JSON | The contents of the claims contained in the evidence file. For more information, see Evidence Payload. |
| createdAt | date | The timestamp of when the evidence file was created. |
| createdBy | string | The user or server who created the evidence. |
| verified | boolean | Indicates whether the evidence signature has been verified using the public key. |
| signingKey | EvidenceSigningKey | The name of the public key used to verify the evidence. |
| providerId | string | The ID of the system that provided the evidence. |
| stageName | string | The stage at which the evidence was added to the subject (see Stages & Lifecycle). |

EvidenceSubject Type

This type describes the artifact or build that represents the evidence subject.

| Field | Type | Description |
|---|---|---|
| repositoryKey | string | The repository that contains the subject. |
| fullPath | string | The full path to the file (<repositoryKey>/<path>/<name>). |
| evidenceConnection | EvidenceConnection | Connection to evidence associated with this subject (supports filtering & ordering). |

EvidenceSigningKey Type

This type represents the key used to sign the evidence.

| Field | Type | Description |
|---|---|---|
| alias | string | The alias of the signing key (for example, GPG-RSA). |
| publicKey | string | The public key used to verify the evidence signature. |

Tip

We recommend limiting the response data to those fields that are actually of interest. It is also recommended to avoid including fields such as predicate, which are relatively data-heavy. After returning the list of evidence files associated with the subject, you can use the Get Evidence API to return the predicate (that is, the contents) of the specific evidence file you are interested in.
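
The following added example, which is not from the JFrog documentation, builds the POST for this endpoint with the subject passed as GraphQL variables (so repository, path and file names are never spliced into the query text) and lists evidence whose verified field is not true. The Bearer authorization scheme, the host name, the use of a variables object and the sample response are assumptions constructed for illustration.

```python
import json
import urllib.request

# Only the fields a verification gate needs are selected; `predicate` is left
# out because the tip above flags it as data-heavy.
QUERY = """
query ($where: EvidenceWhereInput!) {
  evidence {
    searchEvidence(where: $where) {
      totalCount
      edges { node { name predicateType verified createdBy } }
    }
  }
}
"""

def build_request(base_url, token, repository_key, path, name, sha256=None):
    """Build the POST; subject values travel as variables, not query text."""
    subject = {"repositoryKey": repository_key, "path": path, "name": name}
    if sha256:
        subject["sha256"] = sha256  # pin the exact subject, not just its path
    body = {"query": QUERY, "variables": {"where": {"hasSubjectWith": subject}}}
    return urllib.request.Request(
        base_url.rstrip("/") + "/onemodel/api/v1/graphql",
        data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + token,  # assumed token scheme
                 "Content-Type": "application/json"},
        method="POST",
    )

def unverified_evidence(response):
    """Return the names of evidence records whose `verified` is not true."""
    if response.get("errors"):
        raise RuntimeError("GraphQL errors: %s" % response["errors"])
    edges = response["data"]["evidence"]["searchEvidence"]["edges"]
    return [e["node"]["name"] for e in edges if e["node"].get("verified") is not True]

# Constructed sample response, shaped after the selection set in QUERY.
SAMPLE = {"data": {"evidence": {"searchEvidence": {"totalCount": 2, "edges": [
    {"node": {"name": "sbom.cyclonedx.json", "verified": True,
              "predicateType": "https://example.invalid/sbom", "createdBy": "user@example.com"}},
    {"node": {"name": "scan.json", "verified": False,
              "predicateType": "https://example.invalid/scan", "createdBy": "user@example.com"}}]}}}}

if __name__ == "__main__":
    req = build_request("https://artifactory.example.invalid", "TOKEN",
                        "my-repo-key", "images", "my-artifact.jar")
    print(req.full_url, unverified_evidence(SAMPLE))
```

Send the request with urllib.request.urlopen(req); a 401 or 403 from the status code table below surfaces there as urllib.error.HTTPError.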

Note

For details about fields that are common across all One Model domains, see One Model GraphQL Common Patterns and Conventions.

Status Codes:

| Code | Message | Description |
|---|---|---|
| 200 | OK | The request was successful. |
| 401 | Bad Credentials | The request failed because the authentication token is invalid or expired. |
| 403 | Permission Denied | The request failed because the authenticated user does not have the required Read permissions for the subject repository. |