JFrog Evidence REST API
API for creating and attaching cryptographically signed evidence to artifacts, builds, packages, and release bundles, enabling supply chain verification and compliance attestation throughout the software delivery lifecycle.
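---
# OpenAPI 3.1 description of the JFrog Evidence REST API. Evidence records are
# in-toto statements wrapped in a DSSE envelope and attached to a subject
# (artifact, build, package or release bundle).
openapi: 3.1.0
info:
  title: JFrog Evidence REST API
  description: >-
    API for creating and attaching cryptographically signed evidence to artifacts,
    builds, packages, and release bundles. Evidence files act as attestations
    providing verified records of external processes such as test results,
    vulnerability scans, and official approvals. Evidence is created as in-toto
    statements wrapped in DSSE (Dead Simple Signing Envelope) format.
  # Quoted: version identifiers are strings, never numbers.
  version: '1.x'
  contact:
    name: JFrog
    url: https://jfrog.com
  license:
    name: Proprietary
    url: https://jfrog.com/terms-of-service/
  termsOfService: https://jfrog.com/terms-of-service/
externalDocs:
  description: JFrog Evidence Documentation
  url: https://jfrog.com/help/r/jfrog-artifactory-documentation/create-evidence-using-rest-apis
servers:
  - url: https://{server}.jfrog.io/evidence/api
    description: JFrog Cloud
    variables:
      server:
        default: myserver
        description: Your JFrog server name
  - url: https://{host}/evidence/api
    description: Self-hosted JFrog instance
    variables:
      host:
        # Quoted: the value contains a colon (host:port).
        default: 'localhost:8082'
        description: Your self-hosted JFrog server host
# Applied to every operation in this document: an access token (bearer) is
# required. The bearerAuth scheme under components notes that basic
# authentication (username and password) is not supported.
security:
  - bearerAuth: []
tags:
  - name: Evidence
    description: Create and manage evidence attestations
  - name: Verification
    description: Verify evidence and retrieve verification status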
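paths:
  /v1/evidence:
    post:
      operationId: createEvidence
      summary: JFrog Create Evidence
      description: >-
        Creates a new evidence attestation and attaches it to a subject (artifact,
        build, package, or release bundle). The evidence is signed as an in-toto
        statement wrapped in a DSSE envelope, providing cryptographic verification
        of the attestation. Requires an Enterprise+ subscription and Artifactory
        7.104.2 or above.
      tags:
        - Evidence
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateEvidenceRequest'
      responses:
        '201':
          description: Evidence created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Evidence'
        '400':
          description: Invalid evidence configuration or missing required fields
        # The only operation that spells out 401; the top-level bearerAuth
        # security requirement applies to every operation in this document.
        '401':
          description: Unauthorized - access token required (basic auth not supported)
        '404':
          description: Subject not found

  /v1/evidence/search:
    post:
      operationId: searchEvidence
      summary: JFrog Search Evidence
      # NOTE(review): this description mentions filtering by subject identifier,
      # but EvidenceSearchRequest declares no subject field (only subject_type,
      # predicate_type, created_from/to, created_by, limit, offset) - one of the
      # two looks out of date; confirm against the server.
      description: >-
        Searches for evidence records matching specified criteria. Supports
        filtering by subject type, subject identifier, evidence type, and
        time range.
      tags:
        - Evidence
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EvidenceSearchRequest'
      responses:
        '200':
          description: Evidence search results retrieved
          content:
            application/json:
              schema:
                type: object
                properties:
                  evidence:
                    type: array
                    items:
                      $ref: '#/components/schemas/Evidence'
                  # NOTE(review): presumably the total across pages (the request
                  # carries limit/offset) rather than the size of this page -
                  # confirm.
                  total_count:
                    type: integer
        '400':
          description: Invalid search criteria

  /v1/evidence/{evidenceId}:
    get:
      operationId: getEvidence
      summary: JFrog Get Evidence
      description: Returns details for a specific evidence record, including its DSSE envelope and verification status.
      tags:
        - Evidence
      parameters:
        - name: evidenceId
          in: path
          required: true
          schema:
            type: string
          description: Evidence record identifier
      responses:
        '200':
          description: Evidence details retrieved
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Evidence'
        '404':
          description: Evidence not found
    delete:
      operationId: deleteEvidence
      summary: JFrog Delete Evidence
      # Removing a record destroys an attestation attached to its subject. No
      # 401/403 response is documented for this operation, although the global
      # bearerAuth requirement still applies.
      description: Removes an evidence record from the platform.
      tags:
        - Evidence
      parameters:
        - name: evidenceId
          in: path
          required: true
          schema:
            type: string
          description: Evidence record identifier
      responses:
        '204':
          description: Evidence deleted
        '404':
          description: Evidence not found

  /v1/evidence/subject/artifact:
    get:
      operationId: getArtifactEvidence
      summary: JFrog Get Artifact Evidence
      # The description now matches the parameter list: sha256 is not required.
      description: Returns all evidence records attached to a specific artifact identified by repository path and, optionally, its SHA-256 checksum.
      tags:
        - Evidence
      parameters:
        - name: repo_path
          in: query
          required: true
          schema:
            type: string
          description: Full artifact repository path
        # NOTE(review): without sha256 the lookup keys on the path alone, which
        # can point at different content over time; callers that need evidence
        # bound to specific content presumably should pass it - confirm.
        - name: sha256
          in: query
          schema:
            type: string
          description: SHA-256 checksum of the artifact
      responses:
        '200':
          description: Artifact evidence retrieved
          content:
            application/json:
              schema:
                type: object
                properties:
                  evidence:
                    type: array
                    items:
                      $ref: '#/components/schemas/Evidence'
        '404':
          description: Artifact not found

  /v1/evidence/subject/build:
    get:
      operationId: getBuildEvidence
      summary: JFrog Get Build Evidence
      description: Returns all evidence records attached to a specific build.
      tags:
        - Evidence
      parameters:
        - name: build_name
          in: query
          required: true
          schema:
            type: string
          description: Build name
        - name: build_number
          in: query
          required: true
          schema:
            type: string
          description: Build number
        - name: project
          in: query
          schema:
            type: string
          description: Project key (if build is project-scoped)
      responses:
        '200':
          description: Build evidence retrieved
          content:
            application/json:
              schema:
                type: object
                properties:
                  evidence:
                    type: array
                    items:
                      $ref: '#/components/schemas/Evidence'
        '404':
          description: Build not found

  /v1/evidence/subject/release-bundle:
    get:
      operationId: getReleaseBundleEvidence
      summary: JFrog Get Release Bundle Evidence
      description: Returns all evidence records attached to a specific release bundle version.
      tags:
        - Evidence
      parameters:
        - name: name
          in: query
          required: true
          schema:
            type: string
          description: Release bundle name
        - name: version
          in: query
          required: true
          schema:
            type: string
          description: Release bundle version
        - name: project
          in: query
          schema:
            type: string
          description: Project key
      responses:
        '200':
          description: Release bundle evidence retrieved
          content:
            application/json:
              schema:
                type: object
                properties:
                  evidence:
                    type: array
                    items:
                      $ref: '#/components/schemas/Evidence'
        '404':
          description: Release bundle not found

  /v1/evidence/subject/package:
    get:
      operationId: getPackageEvidence
      summary: JFrog Get Package Evidence
      description: Returns all evidence records attached to a specific package.
      tags:
        - Evidence
      parameters:
        - name: package_name
          in: query
          required: true
          schema:
            type: string
          description: Package name
        - name: package_version
          in: query
          required: true
          schema:
            type: string
          description: Package version
        - name: repo_key
          in: query
          required: true
          schema:
            type: string
          description: Repository key containing the package
      responses:
        '200':
          description: Package evidence retrieved
          content:
            application/json:
              schema:
                type: object
                properties:
                  evidence:
                    type: array
                    items:
                      $ref: '#/components/schemas/Evidence'
        '404':
          description: Package not found

  /v1/evidence/{evidenceId}/verify:
    get:
      operationId: verifyEvidence
      summary: JFrog Verify Evidence
      # Re-checks the signature against registered public keys and returns a
      # VerificationResult; this is the server-side check, as opposed to the
      # stored `verified` flag carried by the Evidence schema.
      description: >-
        Verifies the cryptographic signature of an evidence record against
        registered public keys. Returns the verification status and details.
      tags:
        - Verification
      parameters:
        - name: evidenceId
          in: path
          required: true
          schema:
            type: string
          description: Evidence record identifier
      responses:
        '200':
          description: Verification result returned
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VerificationResult'
        '404':
          description: Evidence not found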
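components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: >-
        Access token authentication. Note that basic authentication (username
        and password) is not supported for the Evidence API.

  schemas:
    # Request body for POST /v1/evidence. Either the predicate material
    # (predicate, predicate_type, key_alias) or a pre-signed dsse_envelope is
    # supplied; only subject_type and subject are required by this schema, and
    # the alternative is not expressed as a oneOf.
    CreateEvidenceRequest:
      type: object
      properties:
        subject_type:
          type: string
          description: Type of the subject to attach evidence to
          enum:
            - artifact
            - build
            - package
            - release_bundle
        subject:
          type: object
          description: Subject identifier (fields depend on subject_type)
          properties:
            repo_path:
              type: string
              description: Artifact repository path (for artifact subject)
            sha256:
              type: string
              description: Artifact SHA-256 checksum (for artifact subject)
            build_name:
              type: string
              description: Build name (for build subject)
            build_number:
              type: string
              description: Build number (for build subject)
            package_name:
              type: string
              description: Package name (for package subject)
            package_version:
              type: string
              description: Package version (for package subject)
            repo_key:
              type: string
              description: Repository key (for package subject)
            release_bundle_name:
              type: string
              description: Release bundle name (for release_bundle subject)
            release_bundle_version:
              type: string
              description: Release bundle version (for release_bundle subject)
            project:
              type: string
              description: Project key for project-scoped subjects
        # Opaque to this schema: the structure is governed by predicate_type and
        # is not validated here.
        predicate:
          type: object
          additionalProperties: true
          description: The evidence predicate content (in-toto statement predicate)
        predicate_type:
          type: string
          format: uri
          description: URI identifying the predicate type (e.g., https://in-toto.io/attestation/vulns)
        key_alias:
          type: string
          description: Alias of the public key registered for signature verification
        # NOTE(review): typed as a string, while a DSSE envelope is normally a
        # JSON object (payloadType, payload, signatures) - confirm whether this
        # is expected to be the serialized/encoded envelope.
        dsse_envelope:
          type: string
          description: Pre-signed DSSE envelope (alternative to providing predicate and key)
      required:
        - subject_type
        - subject

    # Request body for POST /v1/evidence/search.
    EvidenceSearchRequest:
      type: object
      properties:
        subject_type:
          type: string
          enum:
            - artifact
            - build
            - package
            - release_bundle
        predicate_type:
          type: string
          format: uri
        created_from:
          type: string
          format: date-time
        created_to:
          type: string
          format: date-time
        created_by:
          type: string
        # NOTE(review): no maximum is declared; confirm whether the server caps
        # the page size.
        limit:
          type: integer
          default: 25
        offset:
          type: integer

    # An evidence record as returned by the read and create operations.
    Evidence:
      type: object
      properties:
        id:
          type: string
          description: Unique evidence record identifier
        subject_type:
          type: string
          enum:
            - artifact
            - build
            - package
            - release_bundle
        subject:
          type: object
          additionalProperties: true
          description: Subject identification details
        predicate_type:
          type: string
          format: uri
          description: URI of the predicate type
        predicate:
          type: object
          additionalProperties: true
          description: Evidence predicate content
        dsse_envelope_path:
          type: string
          description: Path to the DSSE envelope file in Artifactory
        signature_algorithm:
          type: string
          description: Cryptographic algorithm used for signing
          enum:
            - ECDSA
            - RSA
            - ED25519
        key_alias:
          type: string
          description: Alias of the signing key
        # NOTE(review): a stored flag; GET /v1/evidence/{evidenceId}/verify
        # re-checks the signature and returns a VerificationResult - presumably
        # that is the result to rely on, confirm.
        verified:
          type: boolean
          description: Whether the evidence signature has been verified
        created:
          type: string
          format: date-time
        created_by:
          type: string

    # Response of GET /v1/evidence/{evidenceId}/verify.
    VerificationResult:
      type: object
      properties:
        evidence_id:
          type: string
        verified:
          type: boolean
          description: Whether the signature is valid
        verification_timestamp:
          type: string
          format: date-time
        key_alias:
          type: string
          description: Alias of the public key used for verification
        signature_algorithm:
          type: string
          enum:
            - ECDSA
            - RSA
            - ED25519
        # The description belongs to the array, not to each string item.
        errors:
          type: array
          description: Verification errors, if any
          items:
            type: string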