GitHub Actions: GitHub attestation to JFrog evidence

Value

Automatically captures and stores build attestations from GitHub Actions in the JFrog Platform, supporting DevSecOps governance, compliance, and auditability.

Provides a verifiable record of how artifacts were built, improving trust and traceability across the software supply chain.

Key Benefits

  • Unified Audit Trail: If you move your image from a "dev" repo to a "prod" repo within JFrog, the Evidence (the proof of how it was built) follows the artifact automatically.
  • Gatekeeping: You can set up JFrog AppTrust Policies that prevent an image from being deployed if it doesn't have a valid GitHub Attestation attached to it.
  • Compliance: It simplifies SOC 2 or ISO audits because you can show a single report in JFrog that proves every binary in production originated from a specific, authorized GitHub workflow.

How It Works

  1. After you push your Docker image or artifact, call the attestation action in the same job, passing the digest of what was just pushed (the attestation binds to the immutable digest, not to a mutable tag):

      # Step in the job that built and pushed the image (step id: build-and-push)
      - name: Generate Attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: oci://yourorg.jfrog.io/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.build-and-push.outputs.digest }}

Once the workflow finishes, you can see the result in two places:

  1. GitHub Job Summary: You will see a "JFrog Job Summary" section.
  2. JFrog Platform: Navigate to the Application module, go to Artifactory > Evidence, and search for your artifact. You will see the GitHub SLSA provenance record attached to it.
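The following is an added example, not a workflow from this page or from JFrog: a complete GitHub Actions job that logs in to an Artifactory Docker registry, builds and pushes an image, attests the pushed digest with actions/attest-build-provenance, and then verifies the attestation in the same job with the GitHub CLI. The registry hostname, the DOCKER_REPO and IMAGE_NAME values, and the secret names DOCKER_USER and DOCKER_TOKEN are placeholders (assumptions); substitute your own.

```yaml
# Added example (not from the JFrog page). Hostname, repository key, image name
# and secret names are assumptions; replace them with your own values.
name: build-and-attest

on:
  push:
    branches: [main]

env:
  REGISTRY: yourorg.jfrog.io       # assumption: your Artifactory hostname
  DOCKER_REPO: docker-dev-local    # assumption: target Docker repository key
  IMAGE_NAME: demo-app             # assumption: image name inside that repo

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege for the attestation action: an OIDC token so the
    # provenance can be signed via Sigstore, and write access to this
    # repository's attestations. No other write scopes are needed here.
    permissions:
      contents: read
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4

      - name: Log in to the Artifactory Docker registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USER }}     # assumption: registry user
          password: ${{ secrets.DOCKER_TOKEN }}    # assumption: access token

      # The step id is what the attestation step references for the digest.
      - name: Build and push
        id: build-and-push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ github.sha }}

      # Attest the immutable digest returned by the push, never the tag: the
      # provenance must bind to exactly the bytes that landed in the registry.
      - name: Generate Attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: oci://${{ env.REGISTRY }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.build-and-push.outputs.digest }}

      # Sanity check before anything downstream trusts the image: resolve the
      # pushed digest and verify that a provenance attestation signed for it
      # exists under this repository's owner. Uses the preinstalled gh CLI and
      # the docker credentials from the login step.
      - name: Verify attestation
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify \
            "oci://${REGISTRY}/${DOCKER_REPO}/${IMAGE_NAME}@${{ steps.build-and-push.outputs.digest }}" \
            --owner "${{ github.repository_owner }}"
```

Keep the verify step even if you also gate on the JFrog side: it fails the workflow at the source if the digest that was attested does not match what the registry holds, which is the failure mode an attacker who swaps the tag between push and deploy would rely on.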

Additional Information

Availability: Enterprise+

Notes:

  • Supports software supply chain security and compliance initiatives
  • Can be used as part of broader DevGovOps governance workflows
  • Only authorized users can create or view attestations.
  • Use evidence to satisfy internal or regulatory compliance requirements.