Description
Value Prop
With increasing emphasis on software supply chain security and compliance, organizations need reliable ways to ensure only trusted artifacts are promoted and released. This integration enables organizations to use GitHub-generated artifact attestations, including provenance, SBOMs, and custom attestations, as signed, verifiable evidence within JFrog’s Evidence Collection. By supporting native ingestion of GitHub attestations, customers can automatically gate the promotion of artifacts in Artifactory based on the presence and validity of attestations created by trusted GitHub workflows.
Expected Outcome
With the integration enabled, attestations generated on GitHub are automatically ingested into JFrog Evidence Collection. These attestations can then be used to enforce policies that govern artifact promotion, release readiness, and compliance requirements. For example, organizations can require that only artifacts with valid, GitHub-signed attestations are eligible for promotion or deployment, ensuring that every release meets internal and regulatory standards before reaching production.
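As an added example, not code from this issue nor from JFrog or GitHub, the following shows the policy layer such a promotion gate applies once an attestation has been ingested. GitHub artifact attestations are DSSE envelopes carrying an in-toto Statement whose predicate is SLSA provenance v1 with the GitHub Actions workflow build type. The example assumes the envelope's Sigstore signature has already been verified upstream (by `gh attestation verify` or the evidence service) and checks only what "valid, produced by a trusted workflow" means for promotion: the subject digest matches the artifact being promoted, the predicate is SLSA v1 provenance, the workflow repository and ref are allow-listed, the builder id belongs to that repository, and the build ran on a GitHub-hosted runner. The organisation, repository, workflow path and digest are hypothetical, and the envelope signature is a placeholder.

```python
"""Promotion gate over a GitHub artifact attestation (added example, not JFrog/GitHub code)."""
import base64
import copy
import json
from dataclasses import dataclass

INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
GH_WORKFLOW_BUILDTYPE = "https://actions.github.io/buildtypes/workflow/v1"


@dataclass(frozen=True)
class PromotionPolicy:
    trusted_repos: frozenset                 # "owner/repo" values allowed to vouch for artifacts
    trusted_refs: frozenset = frozenset({"refs/heads/main"})
    require_github_hosted: bool = True       # reject provenance built on self-hosted runners


def decode_statement(envelope: dict) -> dict:
    """Unwrap a DSSE envelope and return its in-toto Statement.
    Signature verification is assumed to have happened upstream (Sigstore); it is not done here."""
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    if not envelope.get("signatures"):
        raise ValueError("envelope carries no signatures")
    return json.loads(base64.b64decode(envelope["payload"]))


def evaluate(envelope: dict, artifact_sha256: str, policy: PromotionPolicy) -> list:
    """Return the list of policy violations; an empty list means the artifact may be promoted."""
    violations = []
    stmt = decode_statement(envelope)
    if stmt.get("_type") != INTOTO_STATEMENT_V1:
        violations.append(f"statement type {stmt.get('_type')!r} not supported")
    # Presence is not enough: the attestation must be about this exact artifact.
    digests = {s.get("digest", {}).get("sha256", "").lower() for s in stmt.get("subject", [])}
    if artifact_sha256.lower() not in digests:
        violations.append("subject digest does not match the artifact being promoted")
    if stmt.get("predicateType") != SLSA_PROVENANCE_V1:
        violations.append(f"predicateType {stmt.get('predicateType')!r} is not SLSA provenance v1")
        return violations  # the fields below only exist in a SLSA v1 predicate
    pred = stmt.get("predicate", {})
    build_def = pred.get("buildDefinition", {})
    if build_def.get("buildType") != GH_WORKFLOW_BUILDTYPE:
        violations.append("provenance was not produced by a GitHub Actions workflow")
    workflow = build_def.get("externalParameters", {}).get("workflow", {})
    repo_url = workflow.get("repository", "")
    repo = repo_url.removeprefix("https://github.com/")
    if repo not in policy.trusted_repos:
        violations.append(f"workflow repository {repo_url!r} is not trusted")
    if workflow.get("ref") not in policy.trusted_refs:
        violations.append(f"workflow ref {workflow.get('ref')!r} is not trusted")
    # The builder identity must belong to the repository the workflow claims, not a fork.
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder_id.startswith(f"https://github.com/{repo}/.github/workflows/"):
        violations.append(f"builder id {builder_id!r} does not match workflow repository")
    runner = build_def.get("internalParameters", {}).get("github", {}).get("runner_environment")
    if policy.require_github_hosted and runner != "github-hosted":
        violations.append(f"runner_environment {runner!r} is not github-hosted")
    return violations


def make_envelope(statement: dict) -> dict:
    """Wrap a Statement in a DSSE envelope; the signature is a constructed placeholder."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": INTOTO_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}]}


# Constructed sample: hypothetical org, repo, workflow and digest.
ARTIFACT_SHA256 = "a" * 64
SAMPLE_STATEMENT = {
    "_type": INTOTO_STATEMENT_V1,
    "subject": [{"name": "example-app-1.2.3.tgz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": GH_WORKFLOW_BUILDTYPE,
            "externalParameters": {"workflow": {
                "ref": "refs/heads/main",
                "repository": "https://github.com/example-org/example-app",
                "path": ".github/workflows/release.yml"}},
            "internalParameters": {"github": {"runner_environment": "github-hosted"}}},
        "runDetails": {"builder": {
            "id": "https://github.com/example-org/example-app/.github/workflows/release.yml@refs/heads/main"}}},
}
POLICY = PromotionPolicy(trusted_repos=frozenset({"example-org/example-app"}))


def fork_statement() -> dict:
    """Same provenance but claiming a workflow from an untrusted fork (constructed negative case)."""
    stmt = copy.deepcopy(SAMPLE_STATEMENT)
    stmt["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["repository"] = \
        "https://github.com/attacker/fork"
    return stmt


if __name__ == "__main__":
    print("trusted build:", evaluate(make_envelope(SAMPLE_STATEMENT), ARTIFACT_SHA256, POLICY))
    print("fork build:   ", evaluate(make_envelope(fork_statement()), ARTIFACT_SHA256, POLICY))
```

The point a practitioner should take from this is that "presence of an attestation" is the weakest check: an attacker who can run any workflow on GitHub can produce a genuinely signed provenance, so the gate must bind the subject digest to the artifact and the signing workflow to an allow-listed repository and ref, and the signature itself must be verified against Sigstore before any of these fields are trusted.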