Evidence OneModel GraphQL
The JFrog Evidence service provides a comprehensive GraphQL API for querying evidence and Release Bundle information. This API follows the OneModel GraphQL conventions and supports pagination, filtering, and federated queries.
Key features include:
- Evidence management: Query and search evidence associated with artifacts
- Release Bundle queries: Access Release Bundle versions, artifacts, and their relationships
Prerequisites
- Requires Artifactory 7.104.2 or later
- Subscription information:
- The ability to collect internal evidence generated by Artifactory requires a Pro license or above. Internal evidence generated by Xray requires a Pro X license or above.
- The ability for users to create evidence and upload it to Artifactory requires an Enterprise+ license.
- Define the scoped token audience as *@*. This definition is required to run cross-service queries.
Subgraph Summary
This subgraph exposes two primary query domains: Evidence and Release Bundle Version. It is designed around Relay-style connections for pagination and supports filtering, ordering, and federated usage with other services.
Query Entry Points
- Query.evidence -> EvidenceQueries: root for direct evidence retrieval and evidence search
- Query.releaseBundleVersion -> ReleaseBundleVersionQueries: root for querying Release Bundle v2 versions and traversing their artifacts/builds/evidence
Main Entities
Evidence Domain
- Evidence: core record describing attestations/evidence attached to an artifact subject; includes metadata (predicateType, createdBy, verified, providerId, stageName) and links to other entities.
- EvidenceSubject: logical artifact identity (repositoryKey, fullPath) that evidence is attached to.
- EvidenceSigningKey: key metadata used to verify signatures for an evidence record (alias, publicKey).
- EvidenceConnection/Edge: paginated wrapper used when returning lists of evidence.
Release Bundle Domain
- ReleaseBundleVersion: top-level Release Bundle v2 version aggregate.
- ReleaseBundleVersionArtifact: artifact entry inside a release bundle (path/name/hash/package metadata), with its own evidence.
- ReleaseBundleVersionBuild: build entry used to create the release bundle, with its own evidence.
Shared Conventions
- PageInfo and Cursor: standard Relay cursor pagination primitives.
- Common scalars used across entities include Date, Sha256, and JSON.
Entity Relationships
- Evidence -> EvidenceSubject (many-to-one): each evidence record references a subject artifact identity.
- Evidence -> EvidenceSigningKey (optional one-to-one): an evidence record may include the signing key used for verification.
- EvidenceSubject -> EvidenceConnection (one-to-many): a subject can have multiple evidence records.
- ReleaseBundleVersion -> ReleaseBundleVersionArtifactConnection (one-to-many): a bundle version contains many artifacts.
- ReleaseBundleVersion -> EvidenceConnection (one-to-many): a bundle version can have evidence attached directly at bundle scope.
- ReleaseBundleVersion -> ReleaseBundleVersionBuild (one-to-many): a bundle version is derived from one or more builds.
- ReleaseBundleVersionArtifact -> EvidenceConnection (one-to-many): each artifact can expose associated evidence.
- ReleaseBundleVersionBuild -> EvidenceConnection (one-to-many): each build can expose associated evidence.
These relationships are described in the diagram below.
Traversal Patterns
The patterns that follow describe how data is typically queried within this subgraph.
- Evidence-centric: filter by EvidenceSubjectWhereInput (repo/path/name/hash) and page through searchEvidence.
- Bundle-centric: fetch a release bundle version, then traverse:
  - artifactsConnection for artifacts
  - artifact-level evidenceConnection
  - bundle-level evidenceConnection
  - build-level evidenceConnection
- Connections consistently return totalCount, edges.node, and pageInfo, enabling uniform pagination behavior across entity lists.
Notes
- Evidence.repositoryKey is deprecated in favor of Evidence.subject.repositoryKey.
- Some fields are marked experimental (for example, Evidence.subject) and may change.
Common Use Cases
Find All Evidence for an Artifact
This query finds all attestations (cryptographically signed metadata records) for a given artifact.
query FindAllEvidenceForArtifact {
evidence {
searchEvidence(
first: 20
where: {
hasSubjectWith: {
repositoryKey: "docker-local"
path: "my-app/latest"
name: "manifest.json"
}
}
) {
totalCount
edges {
node {
name
predicateType
verified
createdBy
}
}
}
}
}
Search Evidence by Subject
The query shown below searches for evidence associated with a specific artifact as defined by its repository key, path, and name.
query SearchEvidenceBySubject {
evidence {
searchEvidence(
where: {
hasSubjectWith: {
repositoryKey: "my-docker-repo"
path: "images"
name: "my-app"
}
}
first: 20
) {
totalCount
pageInfo { hasNextPage, endCursor }
edges {
node {
id
name
predicateType
createdAt
verified
predicate
}
}
}
}
}
Get Release Bundle with Artifacts and Evidence
Use this query to retrieve a specific Release Bundle v2 version, its associated artifacts (filtered for those with evidence), and the evidence for both the bundle and its artifacts.
query GetReleaseBundleWithDetails {
releaseBundleVersion {
getVersion(
name: "my-release-bundle"
version: "1.0.0"
) {
createdBy
createdAt
# Get artifacts in the release bundle
artifactsConnection(
where: { hasEvidence: true }
first: 50
) {
edges {
node {
name
sha256
sourceRepositoryPath
# Get evidence for each artifact
evidenceConnection(first: 10) {
totalCount
edges {
node {
id
predicateType
verified
}
}
}
}
}
}
# Get evidence for the release bundle itself
evidenceConnection(first: 10) {
edges {
node {
id
predicateType
verified
}
}
}
}
}
}
Application Version Query
The following example fetches an application version from the AppTrust service and retrieves its associated evidence.
query GetApplicationVersionWithEvidence {
applications {
getApplicationVersion(
applicationKey: "my-app"
version: "1.0.0"
) {
application {
key
displayName
}
version
tag
createdAt
createdBy
status
releaseStatus
# Evidence fields resolved by Evidence service via federation
evidence(first: 10, verified: true) {
id
name
predicateType
predicateCategory
verified
createdAt
createdBy
subject {
fullPath
repositoryKey
path
name
}
}
}
}
}
Response:
{
"data": {
"applications": {
"getApplicationVersion": {
"application": {
"key": "my-app",
"displayName": "My Application"
},
"version": "1.0.0",
"tag": "release-v1.0.0",
"createdAt": "2024-11-20T10:00:00Z",
"createdBy": "ci-system",
"status": "COMPLETED",
"releaseStatus": "RELEASED",
"evidence": [
{
"id": "evidence-123",
"name": "build-attestation",
"predicateType": "https://slsa.dev/provenance/v1",
"predicateCategory": "BUILD",
"verified": true,
"createdAt": "2024-11-20T10:15:00Z",
"createdBy": "ci-system",
"subject": {
"fullPath": "npm-local/artifacts/my-app/1.0.0",
"repositoryKey": "npm-local",
"path": "artifacts/my-app",
"name": "1.0.0"
}
}
]
}
}
}
}
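As an added example (not part of the JFrog documentation), the Python below walks every page of searchEvidence for the subject used in the first query by following pageInfo.endCursor, fails closed when the reply carries a GraphQL errors array, and lists the records whose signature did not verify. The `after` cursor argument on searchEvidence and the injected transport are assumptions; the two-page reply is constructed so the script runs offline.

```python
from typing import Any, Callable, Dict, List, Optional

# One page of searchEvidence for a subject. `first`, `where` and pageInfo come from
# the docs above; the `after` cursor argument is an assumed Relay convention.
SEARCH_EVIDENCE_PAGE = """
query SearchEvidencePage($repo: String!, $path: String!, $name: String!,
                         $first: Int!, $after: String) {
  evidence {
    searchEvidence(first: $first, after: $after,
      where: { hasSubjectWith: { repositoryKey: $repo, path: $path, name: $name } }) {
      totalCount
      pageInfo { hasNextPage endCursor }
      edges { node { id name predicateType verified createdBy } }
    }
  }
}
"""
# Transport: POSTs {"query", "variables"} to the GraphQL endpoint with a bearer token; injected so this runs offline.
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]

def collect_evidence(transport: Transport, repo: str, path: str, name: str,
                     page_size: int = 20) -> List[Dict[str, Any]]:
    """Follow pageInfo.endCursor until hasNextPage is false; return every node."""
    nodes: List[Dict[str, Any]] = []
    cursor: Optional[str] = None
    while True:
        reply = transport(SEARCH_EVIDENCE_PAGE, {"repo": repo, "path": path, "name": name,
                                                 "first": page_size, "after": cursor})
        if reply.get("errors"):  # fail closed: a partial page is not a complete answer
            raise RuntimeError(f"GraphQL errors: {reply['errors']}")
        conn = reply["data"]["evidence"]["searchEvidence"]
        nodes.extend(edge["node"] for edge in conn["edges"])
        if not conn["pageInfo"]["hasNextPage"]:
            return nodes
        cursor = conn["pageInfo"]["endCursor"]

def unverified_names(nodes: List[Dict[str, Any]]) -> List[str]:
    """Names of evidence records whose signature did not verify (verified == false)."""
    return [n["name"] for n in nodes if not n.get("verified")]

def fake_transport(query: str, variables: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed two-page reply standing in for the Evidence service (offline demo)."""
    pages = {None: (["ev-1", "ev-2"], "c2", True), "c2": (["ev-3"], None, False)}
    ids, end_cursor, more = pages[variables["after"]]
    edges = [{"node": {"id": i, "name": f"attestation-{i}", "createdBy": "ci-system",
              "predicateType": "https://slsa.dev/provenance/v1", "verified": i != "ev-2"}}
             for i in ids]
    return {"data": {"evidence": {"searchEvidence": {"totalCount": 3, "edges": edges,
            "pageInfo": {"hasNextPage": more, "endCursor": end_cursor}}}}}
```

Call collect_evidence(fake_transport, "docker-local", "my-app/latest", "manifest.json", page_size=2) to see two pages merged; unverified_names on the result names the one record that did not verify.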
