Artifactory enables you to attach evidence (signed metadata) to a designated subject, such as an artifact, build, package, or Release Bundle v2. These evidence files provide a record of an external process performed on the subject, such as test results, vulnerability scans, or official approval.
In this training we will exercise the process of attaching different types of evidence, including:
- Package evidence
- Build evidence
- Release Bundle evidence
- Approval evidence
- CycloneDX evidence
We will also verify existing evidence, and apply an OPA (Open Policy Agent) policy in order to control the Release Bundle promotion flow.
These are the steps we will cover during the training:
- Prerequisites
- Initial configuration
- Running the build workflow
- Try the promotion workflow
- Configure missing evidence
- Configure approval evidence
- Configure SBOM evidence
- Re-Run the promotion workflow
- Bonus step: Add approver validation
Note: For more information about evidence on the JFrog platform, see the following resources:
- Help center
- GitHub public evidence examples
- Evidence solution sheet
- Training Deck
- FAQ page
- Evidence service confluence space
For more information related to OPA (Open Policy Agent) see the following resources:
- Create a dedicated OCI repository in solenglatest.jfrog.io and assign it to DEV environment.
- Create another dedicated OCI repository in solenglatest.jfrog.io and assign it to QA environment.
- Create an evidence signing key pair using the following commands:
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem
- Upload the public key to solenglatest.jfrog.io using the public keys screen.
- Use pbcopy to copy the public key into the Artifactory UI, to make sure no special characters are copied, for example:
cat public.pem | pbcopy
In this step you will configure your environment to be able to run the evidence GitHub workflow we will be using throughout the training.
- Fork the evidence-training repository.
- Add your name as a prefix to the build name, in the build.yml file.
- Update the REPO_NAME variable in the build.yml workflow file to the OCI dev repository you have created.
- Add the following GitHub Actions variables/secrets:
- Variables:
- ARTIFACTORY_URL - https://solenglatest.jfrog.io
- Secrets:
- ARTIFACTORY_ACCESS_TOKEN - generate an access token (not a reference token) to be used by docker login.
- PRIVATE_KEY - the evidence signing key you generated as part of the prerequisites.
- KEY_ALIAS - the alias of the public key you uploaded to the platform.
- RB_KEY - a signing key that will be used to sign the Release Bundle (if you do not have one you can use evidence-demo-rbv2-key).
In this step we will run the build workflow for the first time and review the results.
- Navigate to the build workflow, and run it.
- Review the build summary and see which steps and resources were created as part of the workflow.
- Navigate to the release bundle in the JFrog platform using the link in the summary page.
- Navigate to the evidence graph tab and review the evidence created as part of this build.
- Make sure that all evidence was verified using the public key you uploaded.
In this step you will try to promote the release bundle to QA.
- Navigate to the promote workflow, and run it. You should pass an existing release bundle version as an input to the workflow.
- Check whether the workflow completed successfully.
- If it did not, figure out why the workflow failed by reviewing the following files:
- ./github/build.yml
- ./github/promote.yml
- ./scripts/graphql.sh
- ./scripts/graphql_query.gql
- ./policy/policy.rego
In this step we will configure the missing evidence so the workflow can pass the policy validation.
- Uncomment the Approve release-bundle step in the build workflow.
- Enable Xray indexing for the release bundle created by the build workflow.
In this step we will re-run the promotion workflow after adding all of the evidence expected by the policy.
- Navigate to the build workflow, and run it again.
- Make sure the workflow completes successfully.
- Navigate to the release bundle in the JFrog platform using the link in the summary page.
- Navigate to the evidence graph tab and review the evidence created as part of the updated build.
- Check that all of the relevant evidence was created successfully; you should see approval evidence and SBOM evidence attached to the release bundle.
- Navigate to the promote workflow, and run it again.
- Make sure the workflow completes successfully.
- Review the approval evidence content, and check which data is included in the evidence. Where is this data coming from?
In this step we will add validation of who can approve the release bundle. Currently the workflow sets the approver in the approval evidence to the actor running the workflow, but this can be changed to a human approver based on input parameters.
- Navigate to the policy under ./policy/policy.rego
- Edit the policy file and uncomment the approver policy lines (23-26, 31, 38).
- Navigate to the promote workflow, and run it. It will fail.
- Check why the policy failed (look at the workflow run log).
- Change the approver name on line 31 to your GitHub user name (this is the default actor running the workflows in GitHub).
- Navigate to the promote workflow, and run it again. Now the approval should pass.
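To make the promotion gate from the "Try the promotion workflow" step and the approver check from the bonus step concrete, here is an added example (not the training repository's policy.rego, and not JFrog code) that evaluates a release bundle's evidence the way such a policy is described above: every piece of evidence must have been verified against a trusted key alias, a verified approval evidence whose approver is in an allowlist must exist, and a verified CycloneDX SBOM evidence must exist. The predicate type URIs, the evidence record shape and the sample evidence graph are constructed for this example and are assumptions, not values taken from the workflow's GraphQL query.

```python
from dataclasses import dataclass
from typing import Optional

# Predicate type URIs are assumptions for this example, not values taken
# from the training repository or the JFrog platform.
APPROVAL_TYPE = "https://jfrog.com/evidence/approval/v1"
CYCLONEDX_TYPE = "https://cyclonedx.org/bom"


@dataclass(frozen=True)
class Evidence:
    """One node of the evidence graph attached to the release bundle."""
    predicate_type: str
    predicate: dict
    verified: bool              # platform verified the DSSE signature
    key_alias: Optional[str]    # alias of the public key that verified it


@dataclass(frozen=True)
class Policy:
    allowed_approvers: frozenset
    trusted_key_aliases: frozenset
    required_types: tuple = (APPROVAL_TYPE, CYCLONEDX_TYPE)


def evaluate(evidence, policy):
    """Return (allow, violations). Promotion is allowed only when the
    violation list is empty, mirroring an OPA deny-set style policy."""
    violations = []
    trusted = []
    for e in evidence:
        if e.verified and e.key_alias in policy.trusted_key_aliases:
            trusted.append(e)
        else:
            # Unverified or foreign-key evidence never satisfies a requirement;
            # a forged approval must not unlock the promotion.
            violations.append(
                f"evidence {e.predicate_type} not verified by a trusted key "
                f"(verified={e.verified}, key_alias={e.key_alias})")

    present = {e.predicate_type for e in trusted}
    for required in policy.required_types:
        if required not in present:
            violations.append(f"missing evidence of type {required}")

    for e in trusted:
        if e.predicate_type != APPROVAL_TYPE:
            continue
        approver = e.predicate.get("approver")
        if approver not in policy.allowed_approvers:
            violations.append(f"approver {approver!r} is not an allowed approver")
    return (not violations, violations)


# Constructed sample data: what a promote workflow might collect for one
# release bundle version (shape assumed, not the real GraphQL response).
POLICY = Policy(allowed_approvers=frozenset({"alice"}),
                trusted_key_aliases=frozenset({"evd-key"}))

APPROVAL = Evidence(APPROVAL_TYPE, {"approver": "alice", "approved": True}, True, "evd-key")
SBOM = Evidence(CYCLONEDX_TYPE, {"bomFormat": "CycloneDX", "specVersion": "1.5"}, True, "evd-key")
FORGED_APPROVAL = Evidence(APPROVAL_TYPE, {"approver": "alice"}, False, None)
WRONG_APPROVER = Evidence(APPROVAL_TYPE, {"approver": "mallory"}, True, "evd-key")

SCENARIOS = {
    "complete": [APPROVAL, SBOM],           # what the re-run build should produce
    "missing_sbom": [APPROVAL],             # Xray indexing not enabled yet
    "wrong_approver": [WRONG_APPROVER, SBOM],
    "forged_approval": [FORGED_APPROVAL, SBOM],
}


def run_scenarios(policy=POLICY):
    """Evaluate every scenario; returns {name: (allow, violations)}."""
    return {name: evaluate(evidence, policy) for name, evidence in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (allow, violations) in run_scenarios().items():
        print(f"{name}: {'ALLOW' if allow else 'DENY'}")
        for v in violations:
            print("   -", v)
```

Note the caveat this makes visible: the approver name in the predicate is a claim made by whoever holds PRIVATE_KEY, and in this training that key is a repository secret used by the workflow. The allowlist only binds a human approver to the release if the approval evidence is signed by a key that person controls, which is why the check pairs the approver name with the verifying key alias rather than trusting the predicate on its own.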