Description: Returns the requested data for a single, known evidence file as defined by the One Model GraphQL query. Use the getEvidence query when you know the exact location of the evidence file you want to retrieve. This is useful for fetching the details of a specific attestation after you have identified it.

Important: When operating in a Self-Hosted environment, you must enable the Evidence service in the system.yaml file as a prerequisite to using this endpoint. Add the following:

evidence:
  enabled: true

Security: Requires a valid token; requires Read permissions to the subject repository

Usage: POST /onemodel/api/v1/graphql

Sample query:

query {
  evidence {
    getEvidence(
      repositoryKey: "my-repo-key"
      path: "path/to/artifact/artifact-name.zip"
      name: "security-scan.json"
    ) {
      # Fields to retrieve
      predicateType
      verified
      predicate
    }
  }
}

Input Types

| Input Type | Field | Required/Optional | Type | Description |
|---|---|---|---|---|
| EvidenceWhereInput | hasSubjectWith | required | EvidenceSubjectWhereInput! | Subject parameters to search for evidence. |
| EvidenceSubjectWhereInput | repositoryKey | required | string | The repository key where the evidence is stored. |
| | path | required | string | The full path to the evidence. |
| | name | required | string | The name of the evidence file. |
| | sha256 | optional | sha256 | The SHA-256 checksum of the subject (can be used for precise matching). |
| EvidenceSubjectToEvidenceWhereInput | predicateCategory | optional | string | Filters by predicate category (for example, distribution). |
| | predicateType | optional | string | Filters by predicate type. |
| | verified | optional | boolean | Filters by verification status. |
| | createdBy | optional | string | Filters by creator. |
| | stageName | optional | string | Filters by stage (dev, qa, etc.). |
| | createdAfter | optional | date | Filters by evidence created on or after a defined date. |
| | createdBefore | optional | date | Filters by evidence created on or before a defined date. |
| EvidenceOrderInput | field | required | EvidenceOrderField! | Field to order results by (e.g., CREATED_AT, NAME). |
| | direction | optional | ! | Direction to order by, ASC (ascending, the default) or DESC (descending). |

Output Types

The object types that you include in the search query determine which data is returned about the evidence file.

Evidence Type

This type represents a single evidence record.

| Field | Type | Description |
|---|---|---|
| id | string | A unique identifier. |
| downloadPath | string | The full path for downloading the evidence JSON file. |
| name | string | The name of the evidence file (for example, sbom.cyclonedx.json). |
| sha256 | sha256 | The checksum of the evidence file. |
| subject | EvidenceSubject | Details about the evidence subject. |
| predicateType | string | The URI type associated with the predicate. |
| predicateSlug | string | A simplified version of the predicateType provided for better readability. For example, the predicateType https://jfrog.com/evidence/release-bundle/v1 is shortened to release-bundle. |
| predicate | JSON | The contents of the claims contained in the evidence file. For more information, see Evidence Payload. |
| createdAt | date | The timestamp of when the evidence file was created. |
| createdBy | string | The user or server who created the evidence. |
| verified | boolean | Indicates whether the evidence signature has been verified using the public key. |
| signingKey | EvidenceSigningKey | The name of the public key used to verify the evidence. |
| providerId | string | The ID of the system that provided the evidence. |
| stageName | string | The stage at which the evidence was added to the subject. |

EvidenceSubject Type

This type describes the artifact or build that represents the evidence subject.

| Field | Type | Description |
|---|---|---|
| repositoryKey | string | The repository that contains the subject. |
| fullPath | string | The full path to the file (repositoryKey/path/name). |
| evidenceConnection | EvidenceConnection | Connection to evidence associated with this subject (supports filtering and ordering). |

EvidenceSigningKey Type

This type represents the key used to sign the evidence.

| Field | Type | Description |
|---|---|---|
| alias | string | The alias of the signing key (for example, GPG-RSA). |
| publicKey | string | The public key used to verify the evidence signature. |

Note: For details about fields that are common across all One Model domains, see One Model GraphQL Common Types and Conventions.

Status Codes

| Code | Message | Description |
|---|---|---|
| 200 | OK | The request was successful. |
| 401 | Bad Credentials | The request failed because the authentication token is invalid or expired. |
| 403 | Permission Denied | The request failed because the authenticated user does not have the required Read permissions for the subject repository. |

Get Evidence – Examples

The following examples demonstrate how to use the Get Evidence API effectively.

Example 1: Retrieve the full predicate

This query uses getEvidence to retrieve the predicate JSON so that you can inspect the contents of the specified evidence record.

Query:

query GetEvidencePredicate {
  evidence {
    getEvidence(
      repositoryKey: "generic-local"
      path: ".evidence/path/to/my-artifact.zip/security-scan-123.json"
      name: "security-scan-123.json"
    ) {
      predicateType
      predicate # <-- This contains the full JSON payload
    }
  }
}

cURL Request:

curl -X POST -H "Authorization: Bearer <YOUR_TOKEN>" -H "Content-Type: application/json" \
https://<YOUR_JFROG_URL>/onemodel/api/v1/graphql \
--data '{
    "query": "query GetEvidencePredicate { evidence { getEvidence(repositoryKey: \"generic-local\", path: \".evidence/path/to/my-artifact.zip/security-scan-123.json\", name: \"security-scan-123.json\") { predicateType predicate } } }"
}'

Sample Response:

{
    "data": {
        "evidence": {
            "getEvidence": {
                "predicateType": "https://jfrog.com/evidence/security/scan/v1",
                "predicate": {
                    "scanner": {
                        "name": "JFrog Xray",
                        "version": "4.2.0"
                    },
                    "summary": {
                        "critical": 5,
                        "high": 12,
                        "medium": 3,
                        "low": 0
                    },
                    "issues": [
                        {
                            "cve": "CVE-2023-12345",
                            "severity": "Critical",
                            "component": "log4j:log4j:1.2.17"
                        }
                    ]
                }
            }
        }
    }
}

Example 2: Get evidence and verify signing information

This example fetches a specific evidence record and its signing key details. In a real-world script, you would use the returned publicKey to programmatically verify the evidence signature, which is downloaded separately.

Query:

query GetAndVerifySignature {
  evidence {
    getEvidence(
      repositoryKey: "generic-local"
      path: ".evidence/path/to/my-artifact.zip/sbom-456.json"
      name: "sbom-456.json"
    ) {
      name
      verified # <-- Check if JFrog has already verified it
      signingKey {
        alias
        publicKey # <-- Use this key for external verification
      }
    }
  }
}
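The two examples above are combined below into one client script. This is an added example and not JFrog's own code: it posts a getEvidence query to the endpoint, refuses to treat a response carrying a GraphQL `errors` array or a null record as success, then reads the `verified` flag and `signingKey` from Example 2 and the scan summary from Example 1 to produce a pass/fail decision a pipeline can gate on. The endpoint path, the query shape, the field names and the security-scan predicateType come from this page; the helper names, the `transport` hook, the severity thresholds, the `jfrog.example.invalid` host and the sample response are this example's own constructions. Verifying the signature itself with the returned publicKey is out of scope here because the page does not describe the evidence file's envelope format.

```python
"""Added example (not JFrog's code): query getEvidence and gate on the result.

Taken from the page: GRAPHQL_PATH, the query shape, the Evidence field names
and SCAN_PREDICATE_TYPE. Assumed by this example: helper names, the transport
hook, thresholds, and the constructed SAMPLE_RESPONSE.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

GRAPHQL_PATH = "/onemodel/api/v1/graphql"
SCAN_PREDICATE_TYPE = "https://jfrog.com/evidence/security/scan/v1"

# Fields requested from the Evidence and EvidenceSigningKey types documented above.
EVIDENCE_FIELDS = "name predicateType verified predicate signingKey { alias publicKey }"

Transport = Callable[[urllib.request.Request], bytes]


def build_get_evidence_request(repository_key: str, path: str, name: str) -> Dict[str, str]:
    """Build the JSON body for getEvidence. Each argument is rendered with json.dumps
    so quotes and backslashes in the values become valid GraphQL string escapes
    instead of breaking out of the literal and altering the query."""
    args = ", ".join(
        f"{key}: {json.dumps(value)}"
        for key, value in (("repositoryKey", repository_key), ("path", path), ("name", name))
    )
    query = f"query GetEvidence {{ evidence {{ getEvidence({args}) {{ {EVIDENCE_FIELDS} }} }} }}"
    return {"query": query}


def _urlopen_transport(request: urllib.request.Request) -> bytes:
    """Default network transport (not used by the offline run below)."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return resp.read()


def post_graphql(base_url: str, token: str, body: Dict[str, Any],
                 transport: Optional[Transport] = None) -> Dict[str, Any]:
    """POST the body with a bearer token and return the decoded JSON response.
    `transport` is a hypothetical hook so the call can be exercised offline."""
    request = urllib.request.Request(
        base_url.rstrip("/") + GRAPHQL_PATH,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    send = transport or _urlopen_transport
    return json.loads(send(request))


def extract_evidence(response: Dict[str, Any]) -> Dict[str, Any]:
    """Return the getEvidence record, failing closed: an `errors` array (for
    example on 401/403) or a null record is never treated as a successful lookup."""
    errors = response.get("errors")
    if errors:
        raise RuntimeError("GraphQL errors: " + "; ".join(e.get("message", "<no message>") for e in errors))
    data = response.get("data") or {}
    record = (data.get("evidence") or {}).get("getEvidence")
    if not record:
        raise RuntimeError("no evidence record returned for the requested subject")
    return record


def gate_on_evidence(record: Dict[str, Any], max_critical: int = 0,
                     max_high: Optional[int] = None) -> Tuple[bool, List[str]]:
    """Policy decision (thresholds are this example's choice): the evidence must be
    marked verified and, for a security-scan predicate, stay under the limits."""
    reasons: List[str] = []
    if record.get("verified") is not True:
        reasons.append("evidence signature is not marked verified")
    if record.get("predicateType") == SCAN_PREDICATE_TYPE:
        summary = (record.get("predicate") or {}).get("summary") or {}
        critical, high = int(summary.get("critical", 0)), int(summary.get("high", 0))
        if critical > max_critical:
            reasons.append(f"critical findings {critical} exceed limit {max_critical}")
        if max_high is not None and high > max_high:
            reasons.append(f"high findings {high} exceed limit {max_high}")
    return (not reasons, reasons)


# Constructed sample: the page's Example 1 payload plus Example 2's signing fields.
SAMPLE_RESPONSE: Dict[str, Any] = {"data": {"evidence": {"getEvidence": {
    "name": "security-scan-123.json",
    "predicateType": SCAN_PREDICATE_TYPE,
    "verified": True,
    "predicate": {
        "scanner": {"name": "JFrog Xray", "version": "4.2.0"},
        "summary": {"critical": 5, "high": 12, "medium": 3, "low": 0},
        "issues": [{"cve": "CVE-2023-12345", "severity": "Critical", "component": "log4j:log4j:1.2.17"}],
    },
    "signingKey": {"alias": "GPG-RSA", "publicKey": "<PUBLIC_KEY_PLACEHOLDER>"},
}}}}


def sample_transport(request: urllib.request.Request) -> bytes:
    """Offline stand-in for the network that checks the bearer header was set."""
    assert request.get_header("Authorization", "").startswith("Bearer ")
    return json.dumps(SAMPLE_RESPONSE).encode("utf-8")


if __name__ == "__main__":
    body = build_get_evidence_request(
        "generic-local", ".evidence/path/to/my-artifact.zip/security-scan-123.json",
        "security-scan-123.json")
    record = extract_evidence(post_graphql("https://jfrog.example.invalid", "<YOUR_TOKEN>",
                                           body, transport=sample_transport))
    passed, reasons = gate_on_evidence(record)
    print(f"{record['name']} signed with {record['signingKey']['alias']}: "
          + ("PASS" if passed else "FAIL: " + "; ".join(reasons)))
```

Run against a live instance by dropping the `transport=` argument and supplying the real base URL and token. With the sample payload the gate fails on the five critical findings, which is the intended outcome: `verified: true` only tells you the evidence signature checked out, not that the scan it attests to is acceptable, so both checks belong in the decision.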