Evidence Service
Last updated
This page describes how to use the JFrog CLI to create external evidence files, which are then deployed to Artifactory. You can create evidence for:
Artifacts
Packages
Builds
Release Bundles v2
Note
The Evidence service requires Artifactory 7.104.2 or above.
The ability for users to attach external evidence to Artifactory, as described here, requires an Enterprise+ subscription.
The ability to collect internal evidence generated by Artifactory requires a Pro subscription or above. Internal evidence generated by Xray requires a Pro X subscription or above.
In the current release, an evidence file can be signed with one key only.
The maximum size evidence file supported by Artifactory is 16MB.
For more information about the API used for deploying evidence to Artifactory, see .
To deploy external evidence, use an access token or the web login mechanism for authentication. Basic authentication (username/password) is not supported.
JFrog CLI uses the following syntax for creating evidence:
Artifact Evidence
Package Evidence
Build Evidence
Release Bundle v2 Evidence
--predicate <file-path>
Mandatory field. Defines the path to a locally stored, arbitrary JSON file that contains the predicate.
--predicate-type <predicate-type-uri>
Mandatory field. The type of predicate defined by the JSON file. Sample predicate type URIs include:
--key <local-private-key-path>
Optional path to a private key (see Tip below). Supported key types include:
Tip
You can define the key using the JFROG_CLI_SIGNING_KEY environment variable as an alternative to using the --key command parameter. If the environment variable is not defined, the --key command parameter is mandatory.
Note
Two key formats are supported: PEM and SSH.
--key-alias (example: RSA-1024)
Optional case-sensitive name for the public key created from the private key. The public key is used to verify the DSSE envelope that contains the evidence.
If the key-alias is included, DSSE verification fails if no public key with that alias is found in Artifactory.
If the key-alias is not included, DSSE verification with the public key is not performed during creation.
Tip
You can define a key alias using the JFROG_CLI_KEY_ALIAS environment variable as an alternative to using the --key-alias command parameter.
Note
In the unlikely event the public key is deleted from Artifactory, it may take up to 4 hours for the Evidence service to clear the key from the cache. Evidence can still be signed with the deleted key during this time.
--markdown <md-file>
Optional path to a file that contains evidence formatted in Markdown.
--subject-repo-path <target-path>
Mandatory field. Each evidence file must have a single subject only and must include the path. Artifacts located in local repositories aggregated inside virtual repositories are supported (the evidence is added to the local path).
--subject-sha256 <digest>
Optional digest (sha256) of the artifact.
If a digest is provided, it is verified against the subject's sha256 as it appears in Artifactory.
If a digest is not provided, the sha256 is taken from the path in Artifactory.
--package-name <name>
Mandatory field.
--package-version <version-number>
Mandatory field.
--package-repo-key <repo-name>
Mandatory field.
--build-name <name>
Mandatory field unless environment variables are used (see Tip below).
--build-number <version-number>
Mandatory field unless environment variables are used (see Tip below).
Tip
You can use the JFROG_CLI_BUILD_NAME and JFROG_CLI_BUILD_NUMBER environment variables as an alternative to the build command parameters.
--release-bundle <name>
Mandatory field.
--release-bundle-version <version-number>
Mandatory field.
Note
When DSSE verification is successful, the following message is displayed:
When DSSE verification is unsuccessful, the following message is displayed:
Artifact Evidence Sample
In the sample above, the command creates a signed evidence file with a predicate type of SLSA provenance for an artifact named file.txt.
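To make the artifact sample concrete, the following is an added example (not JFrog's code and not the CLI's implementation) of what an evidence file is made of: an in-toto Statement naming one subject (the repository path plus its sha256) and the predicate from --predicate under the --predicate-type URI, wrapped in a DSSE envelope whose signature covers the pre-authentication encoding (PAE) of the payload. It also mirrors the --subject-sha256 rule, that the digest named in the evidence must equal the sha256 Artifactory holds for the subject. Assumptions: the artifact bytes, the repository path my-repo/file.txt, the predicate contents and the signing key are all constructed here; when the cryptography package is installed an Ed25519 key pair stands in for the --key private key and its public key, otherwise an HMAC placeholder is used so the example still runs offline. The keyid reuses the page's example alias RSA-1024 purely as a label.

```python
"""Added example: build, sign and check an in-toto/DSSE evidence file."""
import base64
import hashlib
import json

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample: the bytes of "file.txt" as stored in Artifactory and a
# minimal predicate such as --predicate would point to (placeholder values).
FILE_TXT = b"hello evidence\n"
SAMPLE_PREDICATE = {
    "buildDefinition": {"buildType": "https://example.invalid/ci/v1"},
    "runDetails": {"builder": {"id": "https://example.invalid/builder"}},
}

try:  # real asymmetric signing when the cryptography package is available
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric import ed25519

    _PRIV = ed25519.Ed25519PrivateKey.generate()  # stands in for --key
    _PUB = _PRIV.public_key()                     # what Artifactory verifies with

    def sign(data: bytes) -> bytes:
        return _PRIV.sign(data)

    def verify(data: bytes, sig: bytes) -> bool:
        try:
            _PUB.verify(sig, data)
            return True
        except InvalidSignature:
            return False
except ImportError:  # offline placeholder: HMAC instead of a public-key signature
    import hmac
    _HMAC_KEY = b"constructed-demo-key"

    def sign(data: bytes) -> bytes:
        return hmac.new(_HMAC_KEY, data, hashlib.sha256).digest()

    def verify(data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(sign(data), sig)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_statement(subject_repo_path, subject_sha256, predicate_type, predicate):
    """One subject only, as the Evidence service requires."""
    return {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "subject": [{"name": subject_repo_path, "digest": {"sha256": subject_sha256}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes the key actually signs."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def wrap_envelope(statement, keyid: str):
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = sign(pae(IN_TOTO_PAYLOAD_TYPE, payload))
    return {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope) -> bool:
    """Recompute the PAE from the envelope and check any signature over it."""
    payload = base64.b64decode(envelope["payload"])
    data = pae(envelope["payloadType"], payload)
    return any(verify(data, base64.b64decode(s["sig"])) for s in envelope["signatures"])


def check_subject_digest(envelope, artifactory_sha256: str) -> bool:
    """The --subject-sha256 rule: the digest in the evidence must match
    the sha256 Artifactory holds for the subject path."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    subjects = statement["subject"]
    if len(subjects) != 1:
        raise ValueError("evidence must have exactly one subject")
    return subjects[0]["digest"]["sha256"] == artifactory_sha256


def with_modified_statement(envelope, **changes):
    """Copy of the envelope whose statement was altered after signing."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    statement.update(changes)
    out = dict(envelope)
    out["payload"] = base64.b64encode(
        json.dumps(statement, separators=(",", ":")).encode()).decode()
    return out


def make_sample_evidence():
    """SLSA provenance evidence for my-repo/file.txt (constructed sample)."""
    statement = build_statement("my-repo/file.txt", sha256_hex(FILE_TXT),
                                SLSA_PROVENANCE_V1, SAMPLE_PREDICATE)
    return wrap_envelope(statement, keyid="RSA-1024")


if __name__ == "__main__":
    env = make_sample_evidence()
    print(json.dumps(env, indent=2))
    print("signature ok:", verify_envelope(env))
    print("digest ok:", check_subject_digest(env, sha256_hex(FILE_TXT)))
```

Two checks matter on the consuming side: the signature must still verify once the PAE is rebuilt from the stored payload, so any edit to the statement after signing is detected, and the single subject digest must match the sha256 Artifactory already holds for the path; a mismatch means the evidence was produced for different bytes than the ones actually deployed.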
Package Evidence Sample
Build Evidence Sample
Release Bundle v2 Evidence Sample