Integrations / OCI (Open Container Initiative)

OCI Evidence

The Open Container Initiative (OCI) provides an open governance structure for standardized container formats and runtimes. JFrog’s Evidence Collection seamlessly collects OCI attestationsRead More >

following the in-toto and DSSE (Dead Simple Signing Envelope) specification, which includes OCI SLSA build attestations. These attestations are collected as evidence for application governance. Read Less >

Start Free Book a Demo

OCI Evidence Integration Features

Native Support for OCI Containers

JFrog Artifactory natively supports OCI standards, including full support for OCI v1.0, as well as the latest OCI v1.1 specification.

OCI SLSA Provenance as Evidence

As OCI packages are created and pushed into JFrog Artifactory, signed OCI attestations are automatically collected as evidence into JFrog’s Evidence Collection.

Full Traceability of OCI Images

By ingesting and displaying OCI attestations, the JFrog Platform provides a clear audit trail of how container images are built, streamlining traceability and compliance reporting.

Documentation
Availability
Learn More
  • Enterprise+
Related Product
  • JFrog Platform
  • JFrog AppTrust
  • JFrog Artifactory
  • JFrog Evidence Collection
Related Integration
ServiceNow
GitHub Artifact Attestations
Docker Registry
Sonar

Frequently Asked Questions

What is the main purpose of the JFrog and OCI evidence integration?

The integration is designed to provide native support for OCI (Open Container Initiative) standards within JFrog Artifactory. It automatically collects signed OCI attestations as evidence, creating a clear and verifiable record for every OCI container image.

What does "native support for OCI" mean for Artifactory?

It means that JFrog Artifactory can fully manage and work with OCI container images, including complete support for the latest OCI v1.1 specification. This allows Artifactory to act as a central repository for OCI images, just as it does for other package types.

What are OCI SLSA build attestations?

OCI SLSA (Supply Chain Levels for Software Artifacts) build attestations are cryptographically signed statements that provide verifiable proof of how an OCI package was created. These attestations are automatically collected as evidence when OCI packages are pushed to Artifactory.

How does this integration improve traceability of OCI images?

By ingesting and displaying the OCI attestations, the JFrog Platform creates a clear audit trail of the container image’s build process. This provides full traceability, which is crucial for streamlining compliance reporting and ensuring the integrity of your container images.

Where is the OCI provenance data stored?

The signed OCI attestations are automatically collected into JFrog’s Evidence Collection, which holds all the verifiable proof related to your software, including the build provenance of your OCI containers, ensuring the data is permanently available for auditing and governance.

About OCI

The Open Container Initiative (OCI) is a lightweight, open governance structure (project), formed under the auspices of the Linux Foundation, for the express purpose of creating open industry standards around container formats and runtimes.
Learn More