Resolved Security

The Resolved Security integration with JFrog Evidence brings verifiable security remediation proof into your software supply chain. By connecting Resolved Security with JFrog Evidence Collection, the integration automatically attaches signed evidence of vulnerability scans and fixes to your build artifacts. This ensures each artifact in JFrog Artifactory includes trustworthy metadata on applied and available Resolved Security remediations, enabling vulnerability remediation at scale, auditable traceability, compliance reporting, and policy-based control within CI/CD pipelines.

Resolved Security Evidence Integration Features

Frequently Asked Questions

What does the Resolved Security–JFrog integration do?

The integration connects the Resolved Security application with the JFrog Evidence Collection to automatically create and attach signed evidence of vulnerability remediations to artifacts in JFrog Artifactory. It provides verifiable proof of which vulnerabilities were fixed or are fixable by Resolved Security, ensuring full traceability and integrity across the software supply chain.

Who benefits from this integration?

For organizations, the integration strengthens security governance and compliance by embedding verifiable remediation data directly into the artifact lifecycle. It enables continuous audit readiness, reduces risk exposure, and provides objective proof of secure software handling across builds and releases.
Security teams gain verifiable records of remediation activities, simplifying compliance reporting and audit readiness.
DevOps teams maintain a lightweight, automated workflow for attaching security evidence during CI/CD without disrupting builds or artifact promotion.
Compliance and risk teams can easily verify that every artifact meets organizational security and policy requirements before deployment.

How does this integration help with compliance?

By embedding signed, immutable remediation metadata directly into JFrog artifacts, the integration provides audit-ready evidence of vulnerability management practices. This supports compliance with frameworks like SOC 2, ISO 27001, and NIST 800-53, helping demonstrate continuous vulnerability remediation, secure artifact handling, and traceable software provenance.

How does it work?

During CI/CD builds, Resolved Security scans for and fixes open-source vulnerabilities, and uses the JFrog CLI to attach an evidence record to each built artifact. The evidence includes vulnerability data, timestamps, and cryptographic signatures generated using your organization’s JFrog Evidence key.

What are the prerequisites?

resolved-cli v0.2.56 or higher
jfrog CLI v2.66.0 or higher
JFrog Artifactory with the Evidences service enabled
Configured JFrog connection (jf config)
The following environment variables set in the build environment:
  RESOLVED_JFROG_ARTIFACT_PATH
  RESOLVED_JFROG_KEY
  RESOLVED_JFROG_KEY_ALIAS

What command is used to attach evidence?

Run the following command immediately after building your artifact:
# resolved-cli --scan --sync jfrog

This command scans for vulnerabilities, generates signed remediation evidence, and attaches it to the specified artifact in JFrog Artifactory.
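The prerequisites and the command above form one pipeline step, and the cheapest failure is the one caught before resolved-cli is invoked. The script below is an added example, not part of the page or of Resolved Security's tooling: it encodes the minimum tool versions and the three RESOLVED_JFROG_* variables the page lists as a fail-fast preflight check, then reports the exact command to run. How each tool prints its version is not stated on the page, so version strings are passed in by the caller rather than discovered here, and whether `jf config` has been run is likewise left to the pipeline.

```python
"""Preflight check for the Resolved Security / JFrog evidence step.

Added example; this is not Resolved Security's or JFrog's code. It checks
the prerequisites listed on the page (resolved-cli >= 0.2.56, jfrog CLI
>= 2.66.0, three RESOLVED_JFROG_* environment variables) so a CI job can
stop before it tries to attach evidence.
"""
import os
import re
import shutil

MIN_RESOLVED_CLI = "0.2.56"
MIN_JFROG_CLI = "2.66.0"
REQUIRED_ENV = (
    "RESOLVED_JFROG_ARTIFACT_PATH",
    "RESOLVED_JFROG_KEY",
    "RESOLVED_JFROG_KEY_ALIAS",
)
REQUIRED_TOOLS = ("resolved-cli", "jf")
# The command the page says to run immediately after the build.
EVIDENCE_COMMAND = ["resolved-cli", "--scan", "--sync", "jfrog"]


def parse_version(text):
    """Extract the first dotted X.Y.Z version from a string such as 'v0.2.56'
    or 'jf version 2.66.0'; raises ValueError when none is present."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def meets_minimum(actual, minimum):
    """True when the actual version is at least the minimum (numeric compare,
    so 0.2.9 is correctly below 0.2.56)."""
    return parse_version(actual) >= parse_version(minimum)


def missing_env(env):
    """Names of required variables that are unset or empty in the given mapping."""
    return [name for name in REQUIRED_ENV if not env.get(name)]


def missing_tools():
    """Required executables not found on PATH."""
    return [tool for tool in REQUIRED_TOOLS if shutil.which(tool) is None]


def preflight(env, resolved_cli_version, jfrog_cli_version):
    """Return a list of human-readable problems; an empty list means go."""
    problems = []
    if not meets_minimum(resolved_cli_version, MIN_RESOLVED_CLI):
        problems.append(
            f"resolved-cli {resolved_cli_version} is older than {MIN_RESOLVED_CLI}")
    if not meets_minimum(jfrog_cli_version, MIN_JFROG_CLI):
        problems.append(
            f"jfrog CLI {jfrog_cli_version} is older than {MIN_JFROG_CLI}")
    for name in missing_env(env):
        # Report the name only; RESOLVED_JFROG_KEY refers to the signing key
        # material and must never be echoed into build logs.
        problems.append(f"environment variable {name} is not set")
    return problems


def main():
    # Constructed values for a stand-alone run. A real job would pass the
    # versions reported by the installed tools and os.environ instead.
    env = dict(os.environ)
    env.setdefault("RESOLVED_JFROG_ARTIFACT_PATH", "example-repo/app/1.0/app.jar")
    env.setdefault("RESOLVED_JFROG_KEY", "<from CI secret store>")
    env.setdefault("RESOLVED_JFROG_KEY_ALIAS", "example-alias")
    problems = preflight(env, "v0.2.56", "2.66.0") + [
        f"{tool} not found on PATH" for tool in missing_tools()]
    if problems:
        print("preflight failed:\n  " + "\n  ".join(problems))
        return 1
    print("preflight ok; run:", " ".join(EVIDENCE_COMMAND))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Wire `preflight` into the job before the build step, and feed it the real environment plus the version strings the two tools report. Supply RESOLVED_JFROG_KEY from the CI system's secret store rather than a checked-in file, since it names the key used to sign the evidence.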

What information is included in the evidence?

Each evidence record contains:
  Fixed and fixable vulnerabilities (CVE ID, severity, CVSS score)
  Affected package names and resolved versions
  resolved-cli version, timestamp, and scan metadata

All evidence is structured as a signed JSON predicate (resolvedsecurity-fixed-packages).

How is the evidence signed and verified?

Evidence is signed using your organization’s registered JFrog Evidence private key, referenced via RESOLVED_JFROG_KEY and RESOLVED_JFROG_KEY_ALIAS. Verification occurs within JFrog to ensure authenticity and integrity.

Can this integration block non-compliant artifacts?

Yes. With JFrog Evidence’s policy-based controls, artifacts that lack valid evidence or include unresolved vulnerabilities can be automatically blocked from promotion or release.
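The two answers above (what the evidence record contains, and that non-compliant artifacts can be blocked) describe a gate: read the signed predicate, distinguish vulnerabilities Resolved Security already fixed from those that are still only fixable, and refuse promotion when something serious remains. The script below is an added example and is not Resolved Security's or JFrog's code; in the integration itself JFrog Evidence's policy controls make this decision. The page names the predicate (`resolvedsecurity-fixed-packages`) and lists its contents but not its exact schema, so the field names `fixed`, `fixable`, `cve`, `severity`, `cvss`, `package` and `resolvedVersion` are assumptions, and the sample evidence and CVE IDs are constructed placeholders. Signature verification is left to JFrog, as the page states.

```python
"""Promotion gate over a Resolved Security evidence predicate.

Added example, not Resolved Security's or JFrog's code. Field names are
assumptions (the page lists the evidence contents but not its schema); the
predicate name is the one the page gives. The gate fails closed: missing,
malformed or mismatched evidence blocks promotion just as unresolved
findings do.
"""
import json

PREDICATE_TYPE = "resolvedsecurity-fixed-packages"
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample evidence for a stand-alone run; CVE IDs are placeholders.
SAMPLE_EVIDENCE = json.dumps({
    "predicateType": PREDICATE_TYPE,
    "resolvedCliVersion": "0.2.56",
    "timestamp": "2025-01-01T00:00:00Z",
    "fixed": [
        {"cve": "CVE-0000-0001", "severity": "HIGH", "cvss": 7.5,
         "package": "example-lib", "resolvedVersion": "1.2.3-resolved"},
    ],
    "fixable": [
        {"cve": "CVE-0000-0002", "severity": "CRITICAL", "cvss": 9.8,
         "package": "other-lib", "resolvedVersion": "4.5.6-resolved"},
        {"cve": "CVE-0000-0003", "severity": "LOW", "cvss": 3.1,
         "package": "third-lib", "resolvedVersion": "0.9.1-resolved"},
    ],
})


def load_predicate(text):
    """Parse evidence JSON and reject anything that is not the expected
    predicate, raising ValueError so the caller can fail closed."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"evidence is not valid JSON: {exc}") from None
    if not isinstance(data, dict) or data.get("predicateType") != PREDICATE_TYPE:
        raise ValueError("evidence is not a resolvedsecurity-fixed-packages predicate")
    for key in ("fixed", "fixable", "resolvedCliVersion", "timestamp"):
        if key not in data:
            raise ValueError(f"evidence missing required field {key!r}")
    return data


def blocking_findings(predicate, min_severity="HIGH"):
    """Fixable-but-not-yet-fixed findings at or above the severity floor.
    Unknown severities rank 0 and therefore never silently pass a threshold
    above LOW only because they are mislabelled."""
    floor = SEVERITY_RANK[min_severity.upper()]
    return [finding for finding in predicate["fixable"]
            if SEVERITY_RANK.get(str(finding.get("severity", "")).upper(), 0) >= floor]


def evaluate(evidence_text, min_severity="HIGH"):
    """Decide whether an artifact may be promoted, returning a dict with
    'allowed', a 'reason', the blocking CVE IDs and the already-fixed ones."""
    if not evidence_text:
        return {"allowed": False, "reason": "no evidence attached", "blocking": []}
    try:
        predicate = load_predicate(evidence_text)
    except ValueError as exc:
        return {"allowed": False, "reason": str(exc), "blocking": []}
    blocking = [finding["cve"] for finding in blocking_findings(predicate, min_severity)]
    return {
        "allowed": not blocking,
        "reason": "ok" if not blocking
        else f"{len(blocking)} unresolved finding(s) at or above {min_severity}",
        "blocking": blocking,
        "fixed": [finding["cve"] for finding in predicate["fixed"]],
    }


def main():
    result = evaluate(SAMPLE_EVIDENCE, "HIGH")
    print(json.dumps(result, indent=2))
    return 0 if result["allowed"] else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run with the sample evidence, the gate blocks on the CRITICAL finding that is fixable but not yet applied while recording the HIGH one that was fixed; lowering `min_severity` to LOW also reports the third finding. The fail-closed branches matter more than the happy path: an artifact with no evidence, or with a predicate of a different type, is treated as non-compliant rather than as clean.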

Does the integration modify artifacts or builds?

No. Evidence is attached externally using the JFrog Evidence API—it does not alter artifact binaries or source content.

About Resolved Security

Resolved Security automatically remediates open-source vulnerabilities without requiring disruptive dependency upgrades. The platform delivers secure-by-default, drop-in replacements of open-source libraries enhanced with upstream security fixes. With Resolved, organizations remediate vulnerabilities at scale while keeping development fast, stable, and secure.