Try JFrog
Guides
Contact SupportTry JFrog
  1. CLI
  2. Evidence Service CLI

Create Evidence CLI

Description: Use the create command to create evidence files, which are then deployed to Artifactory. You can create evidence for artifacts, packages, builds, and Release Bundles v2.

The Create Evidence command creates evidence files, which are then deployed to Artifactory. You can create evidence for:

  • Artifacts
  • Packages
  • Builds
  • Release Bundles v2
  • Application versions

Authentication

To create and deploy evidence, use an access token or the web login mechanism for authentication. Basic authentication (username or password) is not supported.

Syntax

Artifact evidence:

jf evd create --predicate file-path --predicate-type predicate-type-uri --subject-repo-path <target-path> --subject-sha256 <digest> --attach-local <file-name> --attach-artifactory-temp-path <target-path> --key <local-private-key-path> --key-alias <public-key-name> --provider-id <provider-id>

Package evidence:

jf evd create --predicate file-path --predicate-type predicate-type-uri --package-name <name> --package-version <version-number> --package-repo-name <repo-name> --attach-local <file-name> --attach-artifactory-temp-path <target-path> --key <local-private-key-path> --key-alias <public-key-name> --provider-id <provider-id>

Build evidence:

jf evd create --predicate file-path --predicate-type predicate-type-uri --build-name <name> --build-number <version-number> --attach-local <file-name> --attach-artifactory-temp-path <target-path> --key <local-private-key-path> --key-alias <public-key-name> --provider-id <provider-id>

Release Bundle v2 evidence:

jf evd create --predicate file-path --predicate-type predicate-type-uri --release-bundle <name> --release-bundle-version <version-number> --attach-local <file-name> --attach-artifactory-temp-path <target-path> --key <local-private-key-path> --key-alias <public-key-name> --provider-id <provider-id>

Application version evidence

jf evd create --predicate file-path --predicate-type predicate-type-uri --application-key <name> --application-version <version-number> --attach-local <file-name> --attach-artifactory-temp-path <target-path> --key <local-private-key-path> --key-alias <public-key-name> --provider-id <provider-id>
📘

Note

For sample commands, click here.

Command Parameters

Parameter

Required/Optional

Type

Description

--predicate

file-path

required

string

Defines the path to a locally-stored, arbitrary JSON file that contains the predicate (the content of the evidence).

--predicate-type

predicate-type-uri

required

string

The type of predicate defined by the JSON file. Sample predicate type URIs:

https://in-toto.io/attestation/link/v0.3
https://in-toto.io/attestation/scai/attribute-report
https://in-toto.io/attestation/runtime-trace/v0.1
https://in-toto.io/attestation/test-result/v0.1
https://in-toto.io/attestation/vulns

--key

local-private-key-path

optional

string

Path to a private key (see Tip below). Supported key types: 'rsa', 'ed25519', 'ecdsa'

Supported key formats: PEM and SSH

--key-alias

RSA-1024

optional

string

Case-sensitive name for the public key created from the private key (see Tip below). The public key is used to verify the DSSE envelope that contains the evidence.

  • If the key-alias is included, DSSE verification will fail if the same key-name is not found in Artifactory.

  • If the key-alias is not included, DSSE verification with the public key is not performed during creation.

--markdown

md-file

optional

string

Path to a file that contains evidence in Markdown format.

--project

project-name

optional

string

Name of the project associated with the evidence subject. This argument can be used with build, package, and Release Bundle evidence.

--provider-id

optional

string

Name of the provider that created the evidence.

--sigstore-bundle

optional

string

Path to a Sigstore bundle file containing a pre-signed DSSE envelope. If the evidence subject is not provided (using --subject-repo-path), Artifactory attempts to resolve the subject automatically from the DSSE envelope. Any subject resolution errors have exit code 2.

--sigstore-bundle is incompatible with --key,--key-alias,--predicate,--predicate-type, and --subject-sha256.

--integration

optional

string

Indicates an attestation created by a 3rd-party tool that can be converted by the JFrog platform into evidence.

Available values:

  • sonar: When enabled, the Evidence service automatically generates the predicate from SonarQube analysis data. Requires the SONAR_TOKENor SONARQUBE_TOKEN environment variable to fetch the data from the SonarQube server. For more information, see Sonar Evidence Integration.

--attach-local

file-name

optional

string

Name of a local file to attach to the evidence.

attach-artifactory-temp-path

file-path

optional

string

Defines the path to a locally-stored file that will be attached to the evidence. This value is persisted until it is next changed.

Environment Variables

You can use the following environment variables as an alternative to using command parameters.

Environment Variable

Command Parameter

Notes

JFROG_CLI_SIGNING_KEY

--key

If the environment variable is not defined, the --key command is mandatory.

JFROG_CLI_KEY_ALIAS

--key-alias

EVIDENCE_ATTACHMENT_ARTIFACTORY_TEMP_PATH

--attach-artifactory-temp-path

A third option is to add the following configuration to the Evidence YAML file:

attachment: artifactoryTempPath: <repo/path-in-artifactory>

📘

Note

In the unlikely event the public key is deleted from Artifactory, it may take up to 4 hours for the Evidence service to clear the key from the cache. Evidence can still be signed with the deleted key during this time.

Artifact Command Parameters

Parameter

Required/Optional

Description

--subject-repo-path

required for artifact evidence

The target path of the artifact. Each evidence file must contain a single subject and include the path.

Artifacts located in local repositories aggregated inside virtual repositories are supported (evidence is added to the local path).

--subject-sha256

optional

Optional digest (sha256) of the artifact.

  • If a digest is provided, it is verified against the subject's sha256 as it appears in Artifactory.

  • If a digest is not provided, the sha256 is taken from the path in Artifactory.

Package Command Parameters

ParameterRequired/OptionalDescription
--package-namerequired for package evidenceThe package name.
--package-versionrequired for package evidenceThe package version.
--package-repo-namerequired for package evidenceThe package repository name.

Build Command Parameters

ParameterRequired/OptionalDescription
--build-namerequired (unless environment variables are used – see tip below)The build name.
--build-numberrequired (unless environment variables are used – see tip below)The build number.

Tip

You can use the FROG_CLI_BUILD_NAME and FROG_CLI_BUILD_NUMBER environment variables as an alternative to the build command parameters.

Release Bundle v2 Parameters

ParameterRequired/OptionalDescription
--release-bundlerequired for Release Bundle evidenceRelease Bundle name.
--release-bundle-versionrequired for Release Bundle evidenceRelease Bundle version.

Application Version Parameters

ParameterRequired/OptionalDescription
--application-keyrequired for application version evidenceApplication key.
--application-versionrequired for application version evidenceApplication version.
📘

Note

When DSSE verification is successful, the following message is displayed:

Evidence successfully created and verified.

When DSSE verification is unsuccessful, the following message is displayed:

Evidence successfully created but not verified due to missing/invalid public key.

Updated 18 days ago