Evidence Service CLI
With Artifactory, you can attach evidence (signed metadata) to a designated subject, such as an artifact, build, package, or Release Bundle v2. These evidence files act as attestations, providing a signed and verified record of an external process performed on the subject, for example, test results, vulnerability scans, and official approvals.
JFrog's Evidence service generates an audit trail that documents all the security, quality, and operational steps performed to produce a production-ready software release. It provides a seamless way to consolidate information from the tools and platforms used in software development into a single source of truth that you can track and verify for governance and compliance.
The JFrog CLI enables you to:
Note
- The Evidence service requires Artifactory 7.104.2 or above.
- The ability for users to attach external evidence to Artifactory, as described here, requires an Enterprise+ subscription.
- The ability to collect internal evidence generated by Artifactory requires a Pro subscription or above. Internal evidence generated by Xray requires a Pro X subscription or above.
- In the current release, an evidence file can be signed with one key only.
- The maximum evidence file size supported by Artifactory is 16 MB.
See Evidence Examples for a collection of code snippets that describe how to create evidence workflows in various tools using the JFrog CLI.
