Search Evidence (GraphQL)

Description: Returns the requested data from all evidence records associated with the specified subject, as defined by the One Model GraphQL query. Use the Get Evidence API to return the details of a specific evidence file returned by this API.

❗️
Important
When operating in a Self-Hosted environment, you must enable the Evidence service in the system.yaml file as a prerequisite to using this endpoint. Add the following:
evidence:
  enabled: true

Security: Requires a valid token; requires Read permissions to the subject repository

Usage: POST /onemodel/api/v1/graphql

Sample query:

query {
  evidence {
    searchEvidence(
      where: {
        hasSubjectWith: {
          repositoryKey: "my-repo-key"
          path: "images"
          name: "my-artifact.jar"
        }
      }
    ) {
      totalCount
      edges {
        node {
          name
          predicateType
        }
      }
    }
  }
}

Input Types

Input Type	Field	Required/Optional	Type	Description
EvidenceWhereInput	`hasSubjectWith`	required	`EvidenceSubjectWhereInput` !	Subject parameters to search for evidence.
EvidenceSubjectWhereInput	`repositoryKey`	required	string	The repository key where the evidence is stored.
	`path`	required	string	The full path to the evidence.
	`name`	required	string	The name of the evidence file.
	`sha256`	optional	sha256	The SHA-256 checksum of the subject (can be used for precise matching).
EvidenceSubjectToEvidenceWhereInput	`predicateCategory`	optional	string	Filters by predicate category (for example, distribution).
	`predicateType`	optional	string	Filters by predicate type.
	`verified`	optional	boolean	Filters by verification status.
	`createdBy`	optional	string	Filters by creator.
	`stageName`	optional	string	Filters by stage (dev, qa, etc.).
	`createdAfter`	optional	date	Filters by evidence created on or after a defined date.
	`createdBefore`	optional	date	Filters by evidence created on or before a defined date.
EvidenceOrderInput	field	required	`EvidenceOrderField`!	Field to order results by (e.g., `CREATED_AT` , `NAME` ).
	direction	optional	!	Direction to order by, `ASC` (ascending - default) or `DESC` (descending).

Output Types

The output types that you include in the search query determine the output you receive from the search results.

Evidence Type

This type represents a single evidence record.

Field	Type	Description
`id`	string	A unique identifier.
`downloadPath`	string	The full path for downloading the evidence JSON file.
`name`	string	The name of the evidence file (for example, sbom.cyclonedx.json).
`sha256`	sha256	The checksum of the evidence file.
`subject`	EvidenceSubject	Details about the evidence subject.
`predicateType`	string	The URI type associated with the predicate.
`predicateSlug`	string	A simplified version of the `predicateType` provided for better readability. For example, the predicateType https://jfrog.com/evidence/release-bundle/v1 is shortened to release-bundle.
`predicate`	JSON	The contents of the claims contained in the evidence file. For more information, see Evidence Payload.
`createdAt`	date	The timestamp of when the evidence file was created.
`createdBy`	string	The user or server who created the evidence.
`verified`	boolean	Indicates whether the evidence signature has been verified using the public key.
`signingKey`	EvidenceSigningKey	The name of the public key used to verify the evidence.
`providerId`	string	The ID of the system that provided the evidence.
`stageName`	string	The stage at which the evidence was added to the subject.

EvidenceSubject Type

This type describes the artifact or build that represents the evidence subject.

Field	Type	Description
`repositoryKey`	string	The repository that contains the subject.
`fullPath`	string	The full path to the file (`repositoryKey/path/name`).
`evidenceConnection`	EvidenceConnection	Connection to evidence associated with this subject (supports filtering & ordering).

EvidenceSigningKey Type

This type represents the key used to sign the evidence.

Field	Type	Description
`alias`	string	The alias of the signing key (for example, GPG-RSA).
`publicKey`	string	The public key used to verify the evidence signature.

📘
Tip
We recommend limiting the response data to those fields that are actually of interest. It is also recommended to avoid including fields such as predicate, which are relatively data-heavy. After returning the list of evidence files associated with the subject, you can use the Get Evidence API to return the predicate (that is, the contents) of the specific evidence file you are interested in.

📘
Note
For details about fields that are common across all One Model domains, see One Model GraphQL Common Types and Conventions.

Status Codes

Code	Message	Description
200	OK	The request was successful.
401	Bad Credentials	The request failed because the authentication token is invalid or expired.
403	Permission Denied	The request failed because the authenticated user does not have the required Read permissions for the subject repository.

Search Evidence – Examples

The following examples demonstrate how to use the Search Evidence API effectively:

Example 1: Find all evidence for an artifact
Example 2: Find evidence by checksum
Example 3: Paginate through all evidence for an artifact
Example 4: Find the latest verified security scan
Example 5: Create a full audit trail for an artifact
Example 6: Cross-reference a security scan with build information

Example 1: Find all evidence for an artifact

This common use case finds all attestations for a given artifact.

query FindAllEvidenceForArtifact {
  evidence {
    searchEvidence(
      first: 20
      where: {
        hasSubjectWith: {
          repositoryKey: "docker-local"
          path: "my-app/latest"
          name: "manifest.json"
        }
      }
    ) {
      totalCount
      edges {
        node {
          name
          predicateType
          verified
          createdBy
        }
      }
    }
  }
}

Example 2: Find evidence by checksum

Using the SHA-256 checksum, you can find all evidence attached to an artifact, regardless of its name or path. This is a highly reliable method for identifying artifact evidence.

query FindEvidenceByChecksum {
  evidence {
    searchEvidence(
      where: {
        hasSubjectWith: {
          sha256: "7ab0a6527f661c55b02b29fbb3b7d2a7313215c1140337b0cd980d06c3975a14"
          repositoryKey: "npm-local" # Repository is still needed for scoping
        }
      }
    ) {
      edges {
        node {
          name
          verified
          subject {
            name
            path
          }
        }
      }
    }
  }
}

Example 3: Paginate through all evidence for an artifact

If an artifact has many evidence records, you might need to paginate through the results to retrieve all of them.

Fetch the first page and the endCursor.

query SearchAndPaginate_Page1 {
  evidence {
    searchEvidence(
      first: 10
      where: { hasSubjectWith: { repositoryKey: "generic-local", name: "large-component.zip" } }
    ) {
      edges {
        node { name }
      }
      pageInfo {
        hasNextPage
        endCursor # <-- Save this value
      }
    }
  }
}

Use the endCursor to fetch the next page.

query SearchAndPaginate_Page2 {
  evidence {
    searchEvidence(
      first: 10
      after: "CURSOR_FROM_PAGE_1" # <-- Use the cursor from the previous query
      where: { hasSubjectWith: { repositoryKey: "generic-local", name: "large-component.zip" } }
    ) {
      edges {
        node { name }
      }
      pageInfo {
        hasNextPage
        endCursor
      }
    }
  }
}

Example 4: Find the latest verified security scan

This workflow demonstrates a common policy enforcement scenario. The query fetches all evidence for an artifact. Your client-side code would then iterate through the results to find the most recent, verified security scan and check its contents.

query FindLatestVerifiedScan {
  evidence {
    searchEvidence(
      first: 50 # Fetch a large number to ensure you get all relevant scans
      where: {
        hasSubjectWith: {
          repositoryKey: "libs-release-local"
          name: "critical-library.jar"
        }
      }
    ) {
      edges {
        node {
          name
          predicateSlug # e.g., "xray-scan-v1"
          verified
          createdAt
          predicate
        }
      }
    }
  }
}

The client-side logic is as follows:

Filter the results where predicateSlug matches your security scan type (for example, xray-scan-v1).
Find the record with the most recent createdAt date from the filtered list.
Check whether verified is true.
Parse the predicate JSON to check for critical vulnerabilities.
Pass or fail the policy based on the results.

Example 5: Create a full audit trail for an artifact

This workflow demonstrates how to combine search and get to create a detailed audit trail. First, you find an artifact using its unique checksum. Next, you identify a specific piece of evidence (like an SBOM) from the search results. Finally, use the details from the search results to fetch the full evidence content using a getEvidence query.

Search for the artifact and identify the target evidence.

query FindArtifactAndEvidencePath {
  evidence {
    searchEvidence(
      where: {
        hasSubjectWith: {
          sha256: "7ab0a6527f661c55b02b29fbb3b7d2a7313215c1140337b0cd980d06c3975a14"
          repositoryKey: "generic-local"
        }
      }
    ) {
      edges {
        node {
          # Identify the evidence you want to inspect further
          name
          downloadPath
          predicateSlug
        }
      }
    }
  }
}

Use details from the search to get the complete evidence.

The client-side logic is as follows:

Run the query in step 1 above.
Iterate through the results and find the evidence with the desired predicateSlug (for example, cyclonedx-sbom-v1).
Extract the downloadPath and name for that evidence.
Use the details to perform a getEvidence query to retrieve the full predicate for deep inspection.

Example 6: Cross-reference a security scan with build information

This advanced workflow ensures that a security scan corresponds to a specific build. You search for an artifact, find its security scan evidence, and then get the full predicate to extract a build identifier.

Search for an artifact to find its security scan.

query FindSecurityScanForArtifact {
  evidence {
    searchEvidence(
      where: {
        hasSubjectWith: {
          repositoryKey: "my-app-builds"
          name: "my-app-1.2.3.zip"
        }
      }
    ) {
      edges {
        node {
          name
          predicateSlug
          downloadPath
        }
      }
    }
  }
}

Get the full predicate of the scan to find the build ID.

The client-side logic is as follows:

Run the query in step 1.
Filter the results to find the node with a predicateSlug that matches your scan type.
Use the downloadPath and name from the node to run a getEvidence query.
Parse the predicate JSON to find a field such as build_id or source_commit_hash.
Cross-reference this identifier with your CI server or other build evidence to confirm the scan is for the correct version.