Description: Returns the requested data from all evidence records associated with the specified subject, as defined by the One Model GraphQL query.
Important
When operating in a Self-Hosted environment, you must enable the Evidence service in the system.yaml file as a prerequisite to using this endpoint. Add the following:
```yaml
evidence:
  enabled: true
```
Tip
Use the Get Evidence API to return the details of a specific evidence file returned by this API.
Since: 7.104.2
Security: Requires a valid token; requires Read permissions to the subject repository
Usage: POST /onemodel/api/v1/graphql
Sample query:

```graphql
query {
  evidence {
    searchEvidence(
      where: {
        hasSubjectWith: {
          repositoryKey: "my-repo-key"
          path: "images"
          name: "my-artifact.jar"
        }
      }
    ) {
      totalCount
      edges {
        node {
          name
          predicateType
        }
      }
    }
  }
}
```
| Argument | Required/Optional | Type | Description |
|---|---|---|---|
| repositoryKey | required | string | The repository key where the evidence is stored. |
| path | required | string | The full path to the evidence file. |
| name | required | string | The name of the evidence file. |
| | optional | Sha256 | The SHA-256 checksum of the subject (can be used for precise matching). |
Detailed Object Types
The object types that you include in the search query determine which data is returned about the evidence file.
Evidence Type
This type represents a single evidence record.
| Field | Type | Description |
|---|---|---|
| | string | The full path for downloading the evidence JSON file. |
| name | string | The name of the evidence file (for example, sbom.cyclonedx.json). |
| | sha256 | The checksum of the evidence file. |
| | EvidenceSubject | Details about the evidence subject. |
| predicateType | string | The URI type associated with the predicate. |
| | string | A simplified version of the predicateType. For example, the predicateType https://jfrog.com/evidence/release-bundle/v1 is shortened to release-bundle. |
| predicate | JSON | The contents of the claims contained in the evidence file. For more information, see Evidence Payload. |
| | date | The timestamp of when the evidence file was created. |
| | string | The user or server who created the evidence. |
| | boolean | Indicates whether the evidence signature has been verified using the public key. |
| | EvidenceSigningKey | The name of the public key used to verify the evidence. |
| | string | The ID of the system that provided the evidence. |
EvidenceSubject Type
This type describes the artifact or build that represents the evidence subject.
| Field | Type | Description |
|---|---|---|
| repositoryKey | string | The repository that contains the subject. |
| | string | The full path to the file (<repositoryKey>/<path>/<name>). |
| name | string | The filename of the subject. |
| | sha256 | The checksum of the subject. |
EvidenceSigningKey Type
This type represents the key used to sign the evidence.
| Field | Type | Description |
|---|---|---|
| | string | The alias of the signing key (for example, GPG-RSA). |
| | string | The public key used to verify the evidence signature. |
Note
As a general rule, it is recommended to limit the response data to those fields that are actually of interest. It is also recommended to avoid including fields such as predicate, which are relatively data-heavy. After returning the list of evidence files associated with the subject, you can use the Get Evidence API to return the predicate (that is, the contents) of the specific evidence file you are interested in.
Note
For details about fields that are common across all One Model domains, see One Model GraphQL Common Patterns and Conventions.
Status Codes:
| Code | Message | Description |
|---|---|---|
| 200 | OK | The request was successful. |
| 401 | Bad Credentials | The request failed because the authentication token is invalid or expired. |
| 403 | Permission Denied | The request failed because the authenticated user does not have the required Read permissions for the subject repository. |
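The following client ties the pieces above together: it sends the sample query to `POST /onemodel/api/v1/graphql` with a bearer token, requests only the light fields (`name`, `predicateType`) as the note recommends, and maps the documented 401/403 status codes to readable errors. This is an added example, not JFrog's own client code. It assumes the endpoint accepts a standard GraphQL JSON body (`{"query": ..., "variables": ...}`) and that the `hasSubjectWith` filter fields accept `String` variables; the host, token and subject coordinates are placeholders, and the sample response at the bottom is constructed for offline use.

```python
"""Search evidence for one subject via the One Model GraphQL endpoint (added example)."""
import json
import urllib.error
import urllib.request
from typing import Any

# Subject coordinates travel as GraphQL variables rather than being spliced into
# the query text, so a caller-supplied repository key or path cannot change the
# query's structure. `predicate` is deliberately not requested (data-heavy); fetch
# it later with the Get Evidence API for the one record you care about.
# Assumption: the hasSubjectWith filter fields accept String variables.
SEARCH_EVIDENCE_QUERY = """
query SearchEvidence($repositoryKey: String!, $path: String!, $name: String!) {
  evidence {
    searchEvidence(
      where: {
        hasSubjectWith: { repositoryKey: $repositoryKey, path: $path, name: $name }
      }
    ) {
      totalCount
      edges { node { name predicateType } }
    }
  }
}
"""

# Status codes documented for this endpoint, used for clearer error messages.
STATUS_MESSAGES = {
    401: "Bad Credentials: the authentication token is invalid or expired",
    403: "Permission Denied: Read permission on the subject repository is required",
}


def build_request(repository_key: str, path: str, name: str) -> dict[str, Any]:
    """Return the JSON body for POST /onemodel/api/v1/graphql."""
    return {
        "query": SEARCH_EVIDENCE_QUERY,
        "variables": {"repositoryKey": repository_key, "path": path, "name": name},
    }


def parse_search_response(body: dict[str, Any]) -> tuple[int, list[dict[str, Any]]]:
    """Extract (totalCount, evidence nodes) from a GraphQL response body.

    GraphQL servers commonly answer HTTP 200 while carrying an "errors" array,
    so that case is checked explicitly instead of trusting the status code.
    """
    if body.get("errors"):
        raise RuntimeError("GraphQL errors: " + json.dumps(body["errors"]))
    result = body["data"]["evidence"]["searchEvidence"]
    nodes = [edge["node"] for edge in result.get("edges", [])]
    return int(result["totalCount"]), nodes


def search_evidence(base_url: str, token: str, repository_key: str, path: str, name: str):
    """POST the query and return (totalCount, nodes); raises on HTTP or GraphQL errors."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/onemodel/api/v1/graphql",
        data=json.dumps(build_request(repository_key, path, name)).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_search_response(json.load(resp))
    except urllib.error.HTTPError as err:
        raise RuntimeError(STATUS_MESSAGES.get(err.code, f"HTTP {err.code}")) from err


# Constructed sample response (not captured from a real server) so the parsing
# path can be exercised offline.
SAMPLE_RESPONSE = {
    "data": {"evidence": {"searchEvidence": {
        "totalCount": 2,
        "edges": [
            {"node": {"name": "sbom.cyclonedx.json", "predicateType": "https://cyclonedx.org/bom"}},
            {"node": {"name": "release.json",
                      "predicateType": "https://jfrog.com/evidence/release-bundle/v1"}},
        ],
    }}}
}

if __name__ == "__main__":
    total, nodes = parse_search_response(SAMPLE_RESPONSE)
    for node in nodes:
        print(f"{node['predicateType']} -> {node['name']}  (of {total})")
    # Live call, with placeholders for the host, token and subject:
    # search_evidence("https://<host>", "<ACCESS_TOKEN>", "my-repo-key", "images", "my-artifact.jar")
```

`search_evidence` raises on 401/403 with the page's wording so a caller can distinguish an expired token from a missing Read permission on the subject repository; `parse_search_response` is kept separate so the same logic can be run over a stored response.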