following the in-toto and DSSE (Dead Simple Signing Envelope) specifications, which includes OCI SLSA build attestations. These attestations are collected as evidence for application governance.
The integration is designed to provide native support for OCI (Open Container Initiative) standards within JFrog Artifactory. It automatically collects signed OCI attestations as evidence, creating a clear and verifiable record for every OCI container image.
This means that JFrog Artifactory can fully manage and work with OCI container images, including complete support for the latest OCI v1.1 specification. This allows Artifactory to act as a central repository for OCI images, just as it does for other package types.
OCI SLSA (Supply Chain Levels for Software Artifacts) build attestations are cryptographically signed statements that provide verifiable proof of how an OCI package was created. These attestations are automatically collected as evidence when OCI packages are pushed to Artifactory.
By ingesting and displaying the OCI attestations, the JFrog Platform creates a clear audit trail of the container image’s build process. This provides full traceability, which is crucial for streamlining compliance reporting and ensuring the integrity of your container images.
The signed OCI attestations are automatically collected into JFrog's Evidence Collection, which holds all the verifiable proof related to your software, including the build provenance of your OCI containers. This keeps the data permanently available for auditing and governance.
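The text above describes the attestation format but not what a consumer has to check before treating one as evidence. The following Go program is an added example, not JFrog's or Artifactory's code: it builds an in-toto v1 statement with a SLSA v1 provenance predicate, wraps it in a DSSE envelope, and then verifies the envelope the way a deployment gate would: signature over the DSSE pre-authentication encoding with a trusted key, statement and predicate types, and a subject digest that matches the image being admitted. The Ed25519 key, the `builder-key-1` key id, the `example.invalid` names and the image digest are all constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strconv"
)

const (
	inTotoPayloadType = "application/vnd.in-toto+json"
	inTotoStatementV1 = "https://in-toto.io/Statement/v1"
	slsaProvenanceV1  = "https://slsa.dev/provenance/v1"
	// Constructed placeholder digest; it does not belong to any real image.
	exampleDigest = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
)

// Envelope is the DSSE envelope: a typed, base64 payload plus detached signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Statement is the in-toto v1 statement: the subjects it vouches for plus a predicate.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// PAE is the DSSE pre-authentication encoding. The signature covers this, not the raw
// payload, so payloadType cannot be swapped without invalidating the signature.
func PAE(payloadType string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " " + string(payload))
}

// Sign serialises the statement into a DSSE envelope signed with Ed25519 (an assumption
// for this example; DSSE itself is algorithm-agnostic).
func Sign(priv ed25519.PrivateKey, keyID string, stmt Statement) (Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, PAE(inTotoPayloadType, body))
	return Envelope{
		PayloadType: inTotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(body),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify checks, in order: in-toto payload type, a valid signature from a trusted key over
// the PAE, a v1 statement with a SLSA provenance predicate, and a subject whose sha256
// equals the digest we are about to deploy. Any failure rejects the attestation.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey, wantSHA256 string) (*Statement, error) {
	if env.PayloadType != inTotoPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	pae, verified := PAE(env.PayloadType, body), false
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID] // keyid is only a hint; the key must come from our trust store
		raw, decErr := base64.StdEncoding.DecodeString(s.Sig)
		if ok && decErr == nil && ed25519.Verify(pub, pae, raw) {
			verified = true
			break
		}
	}
	if !verified {
		return nil, fmt.Errorf("no valid signature from a trusted key")
	}
	var stmt Statement
	if err := json.Unmarshal(body, &stmt); err != nil {
		return nil, err
	}
	if stmt.Type != inTotoStatementV1 || stmt.PredicateType != slsaProvenanceV1 {
		return nil, fmt.Errorf("not a SLSA v1 provenance statement: %s / %s", stmt.Type, stmt.PredicateType)
	}
	for _, sub := range stmt.Subject {
		if sub.Digest["sha256"] == wantSHA256 {
			return &stmt, nil
		}
	}
	return nil, fmt.Errorf("no subject matches sha256:%s", wantSHA256)
}

// exampleStatement builds a constructed SLSA v1 provenance for the placeholder image.
func exampleStatement() Statement {
	return Statement{
		Type:          inTotoStatementV1,
		Subject:       []Subject{{Name: "example.invalid/app", Digest: map[string]string{"sha256": exampleDigest}}},
		PredicateType: slsaProvenanceV1,
		Predicate: json.RawMessage(`{"buildDefinition":{"buildType":"https://example.invalid/build/v1"},` +
			`"runDetails":{"builder":{"id":"https://example.invalid/builder"}}}`),
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	env, _ := Sign(priv, "builder-key-1", exampleStatement())
	trusted := map[string]ed25519.PublicKey{"builder-key-1": pub}
	_, err := Verify(env, trusted, exampleDigest)
	fmt.Println("matching digest:", err) // <nil>
	_, err = Verify(env, trusted, "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff")
	fmt.Println("other digest:", err) // rejected even though the signature is valid
}
```

The ordering in `Verify` matters: the subject digest is compared only after the signature has been checked, so an attacker who can upload an unsigned or self-signed statement for a malicious image gains nothing. The key id inside the envelope is treated purely as a lookup hint into a trust store supplied by the verifier, never as a reason to trust a key.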