
Commit 58a92a4

Merge pull request #96 from JustinCappos/main
JFrog integration added to friends.
2 parents dbd9287 + 6fe3eca commit 58a92a4

3 files changed

Lines changed: 6 additions & 0 deletions


README.md

Lines changed: 1 addition & 0 deletions
@@ -29,6 +29,7 @@ This section lists software systems, services, or platforms that integrate with
2929
| GUAC |<img src="img/Integrations_logo/Guac_logo.png" width="50" height="50">| GUAC has the ability to ingest and parse SLSA and other in-toto ITE6 attestations (either wrapped in DSSE or standalone). |
3030
| Hoppr |<img src="img/Integrations_logo/Hoppr_logo.png" width="50" height="50">| Hoppr leverages the in-toto python package to generate in-toto layout files based on a hoppr transfer configuration. |
3131
| Jenkins |<img src="img/Integrations_logo/Jenkins_logo.png" width="50" height="50">| The in-toto team maintains a plugin for Jenkins that can be used to generate in-toto metadata pertaining to a particular build or "job". |
32+
| JFrog |<img src="img/Integrations_logo/JFrog_logo.png" width="50" height="50">| JFrog Artifact ensures the integrity of evidence predicates and payloads using in-toto |
3233
| rebuilderd || Rebuilderd is a build system project part of Reproducible Builds. When the result of a rebuild is positive, i.e., the build process is found to be reproducible, rebuilderd generates an in-toto link recording this result. |
3334
| Sigstore |<img src="img/Integrations_logo/Sistore_logo.png" width="50" height="50">| In-toto and Sigstore are complementary in their efforts, and Sigstore integrates in-toto in a number of ways. Sigstore's keyless signing can be used to sign in-toto metadata, as demonstrated by Cosign's SLSA Provenance generation. |
3435
| Tekton Chains | <img src="img/Integrations_logo/Tekton_logo.png" width="50" height="50">| Tekton Chains is a component for Tekton that adds software supply chain security. Chains observes all "TaskRuns" or jobs that are executed, and generates an in-toto attestation. |
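Review bot: the new JFrog row is vaguer than its neighbours and inconsistent with the rest of the table. Every other row says concretely what the integration produces or consumes (links, layout files, attestations) and ends with a period, while this one reads "JFrog Artifact ensures the integrity of evidence predicates and payloads using in-toto" with no terminal period, and it names the product "JFrog Artifact" although the jfrog/README.md added in the same commit calls it "JFrog Artifactory". Suggest something like `| JFrog |<img ...>| JFrog Artifactory attaches signed evidence files (predicate, payload and envelope) to artifacts, builds and Release Bundles using in-toto. |`. Also confirm that `img/Integrations_logo/JFrog_logo.png` is actually part of this commit: the page reports 3 files changed but shows line diffs for only two, so the logo is presumably the third file, and a missing image would render as a broken icon in the table.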

jfrog/README.md

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
JFrog Artifactory leverages a secure evidence‑management mechanism: using the JFrog CLI, users can attach cryptographically signed evidence files—containing metadata like test results, scans, or approvals—to artifacts, packages, builds, or Release Bundles. These evidence files are stored directly alongside the subject in Artifactory, automatically named, and structured into Evidence Predicate, Evidence Payload, and Evidence Envelope layers to support tamper‑evident provenance and auditability.
2+
3+
In addition, Artifactory creates internal evidence associated with [Release Lifecycle Management](https://jfrog.com/help/r/TFrtp_Jcpcw1vmlHZ63Gmw/sR3bhjas8cMCjjN7OhfJvQ) operations, such as Release Bundle v2 [promotion](https://jfrog.com/help/r/TFrtp_Jcpcw1vmlHZ63Gmw/jeEaCKfkjVj14b429xjgzg) and [distribution](https://jfrog.com/help/r/TFrtp_Jcpcw1vmlHZ63Gmw/HUHhGUVqRv2fVs87_lDgyA). When integrated with JFrog Xray, each Release Bundle v2 promotion results in the creation of additional evidence, such as scan results and an SBOM.
4+
References
5+
https://jfrog.com/help/r/jfrog-artifactory-documentation/understanding-evidence-files
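Review bot: the new file never mentions in-toto, so a reader of this repository cannot tell how the "Evidence Predicate, Evidence Payload, and Evidence Envelope layers" map onto in-toto concepts (statement, predicate, DSSE envelope), even though the top-level README row added in this commit says the evidence is handled "using in-toto"; add one sentence in the first paragraph making that mapping explicit, or the page does not justify its place under integrations. Two formatting points in the same hunk: "evidence‑management" and "tamper‑evident" use a non-ASCII hyphen (U+2011) that will not match searches or copy-paste cleanly, so replace it with a plain "-", and the trailing "References" line is plain text followed by a bare URL, so make it a Markdown heading with a list item, e.g. `## References` and `- <https://jfrog.com/help/r/jfrog-artifactory-documentation/understanding-evidence-files>`, matching how the rest of the repository formats reference sections.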
