Add an Attachment to Evidence

You can attach a single, unstructured file — such as a PDF, penetration test report, signed contract, or architectural diagram — during the evidence creation process. This feature provides a tamper-proof, signed container for both your structured evidence and unstructured data, ensuring a complete end-to-end audit trail.

The attachment's metadata (including its name, SHA256 checksum, and file type) is embedded directly into the extended in-toto statement to ensure integrity.

You can add an attachment to your evidence using either the REST APIs or the JFrog CLI.

Add an Evidence Attachment Using the REST APIs

The procedure for adding attachments using the REST APIs involves several steps, as described below. Attachments are supported by both the Prepare Evidence and Deploy Evidence REST APIs.

Note: For details about the complete workflow, see Create Evidence Using REST APIs.

Upload the Attachment to Artifactory

Upload your attachment to a location of your choice in Artifactory. For more information, see the Deploy Artifact API, or Deploy Artifacts for platform UI instructions.

Define the Attachment when Preparing Evidence

When using the Prepare Evidence REST API, add the repository and path of the uploaded attachment to the request body.

"attachments": [
  {
    "repository": "acme-prod-generic-local",
    "path": "tmp/approval-frog-certificate.png"
  }
]

When executed, the Prepare Evidence API adds this information about the attachment to the DSSE. The repository, path, and SHA256 checksum of the attachment are returned in its response.

{
  "attachments": [
    {
      "repository": "acme-prod-generic-local",
      "path": "tmp/approval-frog-certificate.png",
      "sha256": "42281cf0e1a168bc766b1c143de8db334c36a5e6110df1b0c933b35f35411623"
    }
  ]
}

Add the Attachment during Deployment

After signing the payload, add the repository and path of the attachment (the sha256 is optional) to the request body of the Deploy Evidence API.

Request:

{
  "payload": "eyJfdHlw....",
  "payloadType": "application/vnd.in-toto+json",
  "signatures": [
    {
      "keyid": "signing-key",
      "sig": "MEQCIG..."
    }
  ],
  "attachments": [
    {
      "repository": "acme-prod-generic-local",
      "path": "tmp/approval-frog-certificate.png",
      "sha256": "42281cf0e1a168bc766b1c143de8db334c36a5e6110df1b0c933b35f35411623"
    }
  ]
}

The attachment will be included in the evidence created in Artifactory, as indicated by the API response.

"attachments": [
  {
    "name": "approval-frog-certificate.png",
    "sha256": "42281cf0e1a168bc766b1c143de8db334c36a5e6110df1b0c933b35f35411623",
    "type": "application/octet-stream",
    "download_path": "acme-prod-generic-local/.evidence/76ce53ecfbe0fd770edc76af31d022b5d17c7ced720be667ec83cd876ecf6708/7dbd94658f313ccfc811e28ad40408c48666dc9a19233d0a278140557d9a573f/attachments/8203f2f55d59970e4b6deed8a47f34f1b1beabbdfd43ae285b122eb197ef7c82-42281cf0e1a168bc766b1c143de8db33-approval-frog-certificate.png"
  }
]
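The following is an added example, not JFrog code: it builds the Prepare Evidence "attachments" entry from a local copy of the file, computes the file's SHA256 locally, and then checks the attachment metadata returned by Deploy Evidence (name, sha256, download_path) against that local copy, so a checksum or name that does not match the file you intended to attach is caught before the evidence is relied on. The sample file bytes and the folder hashes in the constructed response are placeholders, not values from a real Artifactory instance.

```python
import hashlib
import os
import tempfile

def sha256_of_file(local_path: str) -> str:
    """Stream the file through SHA-256 so large reports are not read into memory at once."""
    digest = hashlib.sha256()
    with open(local_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def prepare_attachment_entry(repository: str, path: str, local_copy: str) -> dict:
    """Build the Prepare Evidence "attachments" element (repository + path) and keep the
    checksum of the local copy so the API's reported sha256 can be compared against it."""
    return {"repository": repository, "path": path, "expected_sha256": sha256_of_file(local_copy)}

def verify_attachment(deploy_response: dict, expected: dict) -> list:
    """Compare the attachment metadata returned by Deploy Evidence with the local file.
    Returns a list of problems; an empty list means the attachment is consistent."""
    entries = deploy_response.get("attachments", [])
    if len(entries) != 1:
        return [f"expected exactly one attachment, got {len(entries)}"]
    att, problems = entries[0], []
    expected_name = os.path.basename(expected["path"])
    if att.get("name") != expected_name:
        problems.append(f"name mismatch: {att.get('name')!r} != {expected_name!r}")
    if att.get("sha256", "").lower() != expected["expected_sha256"]:
        problems.append("sha256 mismatch: stored attachment differs from the local file")
    dl = att.get("download_path", "")
    if not dl.startswith(expected["repository"] + "/.evidence/") or "/attachments/" not in dl:
        problems.append(f"download_path is outside the evidence folder: {dl!r}")
    return problems

def demo() -> tuple:
    """Constructed round trip: one consistent response and one with a tampered checksum."""
    with tempfile.TemporaryDirectory() as tmp:
        local = os.path.join(tmp, "approval-frog-certificate.png")
        with open(local, "wb") as fh:
            fh.write(b"\x89PNG constructed sample bytes, not a real certificate\n")
        expected = prepare_attachment_entry("acme-prod-generic-local", "tmp/approval-frog-certificate.png", local)
        # Same shape as the Deploy Evidence response above; folder hashes are placeholders.
        good = {"attachments": [{"name": "approval-frog-certificate.png", "sha256": expected["expected_sha256"],
                                 "type": "application/octet-stream",
                                 "download_path": "acme-prod-generic-local/.evidence/<subject-hash>/<evidence-hash>/attachments/<id>-approval-frog-certificate.png"}]}
        tampered = {"attachments": [{**good["attachments"][0], "sha256": "0" * 64}]}
        return verify_attachment(good, expected), verify_attachment(tampered, expected)
```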

Add an Evidence Attachment Using the JFrog CLI

The JFrog CLI parameters required for adding an attachment depend on whether the file is already located in Artifactory.

Add an Attachment Located in Artifactory

To add an attachment already located in Artifactory to your evidence, add the following parameter to the Create Evidence CLI command:

--attach-artifactory-path: The path and file name of the attachment.

For example:

jf evd create \
  --subject-repo-path "acme-prod-generic-local/payments-service/1.8.15/payments-service-1.8.15.jar" \
  --predicate "/path/to/predicate.json" \
  --predicate-type "https://slsa.dev/provenance/v1" \
  --attach-artifactory-path "acme-prod-generic-local/attachment.pdf"

Add a Local Attachment

An attachment can be taken from anywhere on a local drive without first uploading it to Artifactory.

To add an attachment located on a local drive to evidence, add the following parameters to the Create Evidence CLI command:

  • --attach-local: The path to the local file to attach to the evidence.
  • --attach-artifactory-temp-path: The path to a repository in Artifactory used for the temporary upload of attachments. After you define this property once, the value is persisted until you change it.

The CLI uploads the file to the designated temporary repository, creates the evidence, and moves the attachment to the evidence folder.

The example below shows the creation of SLSA evidence with an attachment containing a PNG image of an approval certificate:

jf evd create \
  --subject-repo-path "acme-prod-generic-local/payments-service/1.8.15/payments-service-1.8.15.jar" \
  --predicate "/path/to/predicate.json" \
  --predicate-type "https://slsa.dev/provenance/v1" \
  --attach-local "/path/to/attachment/file/approval-frog-certificate.png" \
  --attach-artifactory-temp-path "example-repo-local/tmp/"

In subsequent calls, --attach-artifactory-temp-path can be omitted for local attachments unless you decide to define a different temporary path.

For more information, see Create Evidence CLI.