Evidence Quickstart
To create evidence and attach it to an entity in Artifactory, such as an artifact, package, build, Release Bundle v2, or application version, you need the following:
- Valid JSON file containing one or more claims about a designated subject (for example, an artifact or a build): Each piece of evidence must have a single subject. This JSON file is known as the predicate. You can optionally include a human-readable version of the predicate in Markdown format.
- Key pair for signing the evidence and (optionally) verifying the evidence in Artifactory: The signature is crucial, as it establishes the integrity and immutability of the evidence. For more information, see Evidence Setup.
The JFrog platform uses the in-toto attestation standard for creating evidence. This standard requires the creation of a DSSE envelope that contains the signed evidence. You have the following options for creating evidence:
- JFrog CLI: This is the most convenient method for creating valid evidence and deploying it to the JFrog platform. It can be integrated easily into an automated workflow in your CI pipelines.
  - Step-by-step workflow: Create Evidence using the JFrog CLI
  - CLI command reference: Evidence Service CLI
- REST APIs: There are two REST APIs that, when used together, simplify the process of creating valid evidence and deploying it to the JFrog platform. This method can be used as an alternative to the JFrog CLI.
  - Step-by-step workflow: Create Evidence using REST APIs
  - Evidence API reference: Evidence APIs
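The evidence structure described above, as an added example that is not JFrog's code: it follows the public in-toto Statement and DSSE specifications to show which bytes the signature covers and how a verifier enforces the single-subject rule. The subject name, predicate type and key id are constructed, and the HMAC signer is a labelled stand-in for the key-pair signature so the block runs on the Python standard library alone.

```python
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"    # DSSE payload type for in-toto
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes that get signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %b %d %b" % (len(t), t, len(payload), payload)

def make_statement(name, content, predicate_type, predicate):
    """in-toto Statement binding the predicate to one subject by digest."""
    digest = {"sha256": hashlib.sha256(content).hexdigest()}
    return {"_type": STATEMENT_TYPE, "subject": [{"name": name, "digest": digest}],
            "predicateType": predicate_type, "predicate": predicate}

def make_envelope(statement, sign, keyid):
    """Wrap the statement in a DSSE envelope; the signature covers pae(), not the JSON."""
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = sign(pae(PAYLOAD_TYPE, payload))
    return {"payload": base64.b64encode(payload).decode(), "payloadType": PAYLOAD_TYPE,
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def open_envelope(envelope, verify):
    """Return the statement only if type, signature and subject count check out."""
    if envelope["payloadType"] != PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    payload = base64.b64decode(envelope["payload"])
    msg = pae(envelope["payloadType"], payload)
    if not any(verify(msg, base64.b64decode(s["sig"])) for s in envelope["signatures"]):
        raise ValueError("no valid signature")
    statement = json.loads(payload)
    if len(statement.get("subject", [])) != 1:
        raise ValueError("evidence must have exactly one subject")
    return statement

# Stand-in signer (assumption): HMAC-SHA256 with a constructed demo secret, used
# only so this runs on the standard library. Real evidence is signed with the
# private key of the key pair and verified with the public key.
DEMO_KEY = b"constructed-demo-secret"
def demo_sign(msg): return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()
def demo_verify(msg, sig): return hmac.compare_digest(demo_sign(msg), sig)

# Constructed sample predicate and artifact bytes.
STATEMENT = make_statement("example-repo/app.tar.gz", b"constructed artifact bytes",
                           "https://example.com/test-results/v1", {"passed": True})
ENVELOPE = make_envelope(STATEMENT, demo_sign, "demo-key")
```

Because the signature is computed over the payload type and payload together, editing either one after signing makes `open_envelope` reject the envelope.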
