Create Evidence CLI

Description: Use the create command to create external evidence files, which are then deployed to Artifactory. You can create evidence for artifacts, packages, builds, and Release Bundles v2.

The Create Evidence command creates external evidence files, which are then deployed to Artifactory. You can create evidence for:

  • Artifacts
  • Packages
  • Builds
  • Release Bundles v2
  • Application versions

Authentication

To create and deploy external evidence, authenticate with an access token or the web login mechanism. Basic authentication (username and password) is not supported.

Syntax

Artifact evidence:

jf evd create --predicate <file-path> --predicate-type <predicate-type-uri> --subject-repo-path <target-path> --subject-sha256 <digest> --key <local-private-key-path> --key-alias <public-key-name> --provider-id <provider-id>

Package evidence:

jf evd create --predicate <file-path> --predicate-type <predicate-type-uri> --package-name <name> --package-version <version-number> --package-repo-name <repo-name> --key <local-private-key-path> --key-alias <public-key-name> --provider-id <provider-id>

Build evidence:

jf evd create --predicate <file-path> --predicate-type <predicate-type-uri> --build-name <name> --build-number <version-number> --key <local-private-key-path> --key-alias <public-key-name> --provider-id <provider-id>

Release Bundle v2 evidence:

jf evd create --predicate <file-path> --predicate-type <predicate-type-uri> --release-bundle <name> --release-bundle-version <version-number> --key <local-private-key-path> --key-alias <public-key-name> --provider-id <provider-id>

Application version evidence:

jf evd create --predicate <file-path> --predicate-type <predicate-type-uri> --application-key <name> --application-version <version-number> --key <local-private-key-path> --key-alias <public-key-name> --provider-id <provider-id>

Note

For sample commands, click here.
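As an added example, not taken from the JFrog CLI documentation: a POSIX shell script that computes a local artifact's sha256 (so --subject-sha256 can be checked against Artifactory), writes a small test-result predicate file, and assembles the artifact evidence command from the syntax above. The repository path, key path, key alias and provider id are placeholders, and the JF_BIN variable is an assumption that lets the jf call be stubbed offline.

```shell
# Compute the sha256 of a local file; falls back to shasum where
# sha256sum is not installed (macOS).
artifact_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Write a minimal predicate JSON about artifact $1 to path $2. The predicate
# content is arbitrary; this constructed one records a passed test run and
# the digest of the artifact it describes.
write_test_result_predicate() {
  printf '{"result":"PASSED","artifact":"%s","sha256":"%s"}\n' \
    "$(basename "$1")" "$(artifact_sha256 "$1")" > "$2"
}

# Create artifact evidence for local file $1 stored at repo path $2, using the
# predicate file $3. JF_BIN (assumed, defaults to jf) allows stubbing the CLI;
# EVD_KEY_PATH / EVD_KEY_ALIAS (assumed) carry placeholder key settings.
evd_create_artifact() {
  artifact=$1
  repo_path=$2
  predicate=$3
  "${JF_BIN:-jf}" evd create \
    --predicate "$predicate" \
    --predicate-type https://in-toto.io/attestation/test-result/v0.1 \
    --subject-repo-path "$repo_path" \
    --subject-sha256 "$(artifact_sha256 "$artifact")" \
    --key "${EVD_KEY_PATH:-./evidence-private-key.pem}" \
    --key-alias "${EVD_KEY_ALIAS:-RSA-1024}" \
    --provider-id ci-pipeline
}
```

Setting --subject-sha256 from the local file means creation fails if the artifact in Artifactory differs from what the pipeline actually built, rather than silently attaching evidence to the wrong bytes.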

Command Parameters

Each entry lists the parameter with its value placeholder, whether it is required or optional, its type, and a description.

--predicate <file-path> (required, string)
  Path to a locally stored, arbitrary JSON file that contains the predicate (the content of the evidence).

--predicate-type <predicate-type-uri> (required, string)
  The type of predicate defined by the JSON file. Sample predicate type URIs:

    https://in-toto.io/attestation/link/v0.3
    https://in-toto.io/attestation/scai/attribute-report
    https://in-toto.io/attestation/runtime-trace/v0.1
    https://in-toto.io/attestation/test-result/v0.1
    https://in-toto.io/attestation/vulns

--key <local-private-key-path> (optional, string)
  Path to a private key (see Tip below). Supported key types: rsa, ed25519, ecdsa. Supported key formats: PEM and SSH.

--key-alias <public-key-name>, for example RSA-1024 (optional, string)
  Case-sensitive name of the public key created from the private key (see Tip below). The public key is used to verify the DSSE envelope that contains the evidence.

  • If the key alias is included, DSSE verification fails if a key with that name is not found in Artifactory.

  • If the key alias is not included, DSSE verification with the public key is not performed during creation.

--markdown <md-file> (optional, string)
  Path to a file that contains evidence in Markdown format.

--project <project-name> (optional, string)
  Name of the project associated with the evidence subject. This argument can be used with build, package, and Release Bundle evidence.

--provider-id <provider-id> (optional, string)
  Name of the provider that created the evidence.

--sigstore-bundle (optional, string)
  Path to a Sigstore bundle file containing a pre-signed DSSE envelope. If the evidence subject is not provided (using --subject-repo-path), Artifactory attempts to resolve the subject automatically from the DSSE envelope. Subject resolution errors return exit code 2.

  --sigstore-bundle is incompatible with --key, --key-alias, --predicate, --predicate-type, and --subject-sha256.

--integration (optional, string)
  Indicates an attestation created by a third-party tool that the JFrog Platform can convert into evidence.

  Available values:

  • sonar: When enabled, the Evidence service automatically generates the predicate from SonarQube analysis data. Requires the SONAR_TOKEN or SONARQUBE_TOKEN environment variable to fetch the data from the SonarQube server. For more information, see #sonar-evidence-integration.

Tip

  • You can define the key using the JFROG_CLI_SIGNING_KEY environment variable as an alternative to the --key command parameter. If the environment variable is not defined, the --key parameter is mandatory.
  • You can define a key alias using the JFROG_CLI_KEY_ALIAS environment variable as an alternative to the --key-alias command parameter.

Note

In the unlikely event the public key is deleted from Artifactory, it may take up to 4 hours for the Evidence service to clear the key from the cache. Evidence can still be signed with the deleted key during this time.

Artifact Command Parameters

--subject-repo-path (required for artifact evidence)
  The target path of the artifact. Each evidence file must contain a single subject and include the path.

  Artifacts located in local repositories aggregated inside virtual repositories are supported (evidence is added to the local path).

--subject-sha256 (optional)
  Optional digest (sha256) of the artifact.

  • If a digest is provided, it is verified against the subject's sha256 as it appears in Artifactory.

  • If a digest is not provided, the sha256 is taken from the path in Artifactory.

Package Command Parameters

--package-name (required for package evidence)
  The package name.

--package-version (required for package evidence)
  The package version.

--package-repo-name (required for package evidence)
  The package repository name.

Build Command Parameters

--build-name (required unless environment variables are used; see Tip below)
  The build name.

--build-number (required unless environment variables are used; see Tip below)
  The build number.

Tip

You can use the JFROG_CLI_BUILD_NAME and JFROG_CLI_BUILD_NUMBER environment variables as an alternative to the build command parameters.

Release Bundle v2 Parameters

--release-bundle (required for Release Bundle evidence)
  Release Bundle name.

--release-bundle-version (required for Release Bundle evidence)
  Release Bundle version.

Application Version Parameters

--application-key (required for application version evidence)
  Application key.

--application-version (required for application version evidence)
  Application version.

Note

When DSSE verification is successful, the following message is displayed:

Evidence successfully created and verified.

When DSSE verification is unsuccessful, the following message is displayed:

Evidence successfully created but not verified due to missing/invalid public key.