jfrog · mnsboev · Mar 19, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 19, 2026
diff --git a/evidence/cli/command/application/command_application.go b/evidence/cli/command/application/command_application.go
@@ -38,7 +38,11 @@ func (eac *evidenceApplicationCommand) CreateEvidence(ctx *components.Context, s
 		eac.ctx.GetStringFlagValue(flags.ApplicationKey),
 		eac.ctx.GetStringFlagValue(flags.ApplicationVersion),
 		eac.ctx.GetStringFlagValue(flags.ProviderId),
-		eac.ctx.GetStringFlagValue(flags.Integration))
+		eac.ctx.GetStringFlagValue(flags.Integration),
+		eac.ctx.GetStringFlagValue(flags.AttachLocal),
+		eac.ctx.GetStringFlagValue(flags.AttachTempTarget),
+		eac.ctx.GetStringFlagValue(flags.AttachArtifactory),
+	)
 	return eac.execute(createCmd)
 }
 

diff --git a/evidence/cli/command/artifacts/command_custom.go b/evidence/cli/command/artifacts/command_custom.go
@@ -42,7 +42,11 @@ func (ecc *evidenceCustomCommand) CreateEvidence(_ *components.Context, serverDe
 		ecc.ctx.GetStringFlagValue(flags.SubjectSha256),
 		ecc.ctx.GetStringFlagValue(flags.SigstoreBundle),
 		ecc.ctx.GetStringFlagValue(flags.ProviderId),
-		ecc.ctx.GetStringFlagValue(flags.Integration))
+		ecc.ctx.GetStringFlagValue(flags.Integration),
+		ecc.ctx.GetStringFlagValue(flags.AttachLocal),
+		ecc.ctx.GetStringFlagValue(flags.AttachTempTarget),
+		ecc.ctx.GetStringFlagValue(flags.AttachArtifactory),
+	)
 	return ecc.execute(createCmd)
 }
 

diff --git a/evidence/cli/command/build/command_build.go b/evidence/cli/command/build/command_build.go
@@ -40,7 +40,11 @@ func (ebc *evidenceBuildCommand) CreateEvidence(ctx *components.Context, serverD
 		ebc.ctx.GetStringFlagValue(flags.BuildName),
 		ebc.ctx.GetStringFlagValue(flags.BuildNumber),
 		ebc.ctx.GetStringFlagValue(flags.ProviderId),
-		ebc.ctx.GetStringFlagValue(flags.Integration))
+		ebc.ctx.GetStringFlagValue(flags.Integration),
+		ebc.ctx.GetStringFlagValue(flags.AttachLocal),
+		ebc.ctx.GetStringFlagValue(flags.AttachTempTarget),
+		ebc.ctx.GetStringFlagValue(flags.AttachArtifactory),
+	)
 	return ebc.execute(createCmd)
 }
 

diff --git a/evidence/cli/command/command_cli.go b/evidence/cli/command/command_cli.go
@@ -3,6 +3,10 @@ package command
 import (
 	"errors"
 	"fmt"
+	"os"
+	"slices"
+	"strings"
+
 	"github.com/jfrog/jfrog-cli-evidence/evidence/cli/command/application"
 	"github.com/jfrog/jfrog-cli-evidence/evidence/cli/command/artifacts"
 	"github.com/jfrog/jfrog-cli-evidence/evidence/cli/command/build"
@@ -12,9 +16,7 @@ import (
 	"github.com/jfrog/jfrog-cli-evidence/evidence/cli/command/package"
 	"github.com/jfrog/jfrog-cli-evidence/evidence/cli/command/releasebundle"
 	commandUtils "github.com/jfrog/jfrog-cli-evidence/evidence/cli/command/utils"
-	"os"
-	"slices"
-	"strings"
+	evdConfig "github.com/jfrog/jfrog-cli-evidence/evidence/config"
 
 	commonCliUtils "github.com/jfrog/jfrog-cli-core/v2/common/cliutils"
 	"github.com/jfrog/jfrog-cli-core/v2/common/commands"
@@ -192,6 +194,9 @@ func validateCreateEvidenceCommonContext(ctx *components.Context) error {
 		if err := validateSigstoreBundleArgsConflicts(ctx); err != nil {
 			return err
 		}
+		if ctx.GetStringFlagValue(flags.AttachLocal) != "" || ctx.GetStringFlagValue(flags.AttachArtifactory) != "" {
+			return errorutils.CheckErrorf("attachments are supported only for in-toto flow and cannot be used with --%s", flags.SigstoreBundle)
+		}
 		return nil
 	}
 
@@ -234,6 +239,39 @@ func validateCreateEvidenceCommonContext(ctx *components.Context) error {
 	if !ctx.IsFlagSet(flags.KeyAlias) {
 		setKeyAliasIfProvided(ctx, flags.KeyAlias)
 	}
+	if err := validateAttachmentFlags(ctx); err != nil {
+		return err
+	}
+	return nil
+}
+
+func validateAttachmentFlags(ctx *components.Context) error {
+	attachLocal := ctx.GetStringFlagValue(flags.AttachLocal)
+	attachArtifactory := ctx.GetStringFlagValue(flags.AttachArtifactory)
+	attachTempTarget := ctx.GetStringFlagValue(flags.AttachTempTarget)
+
+	if attachLocal != "" && attachArtifactory != "" {
+		return errorutils.CheckErrorf("exactly one of --%s or --%s can be used", flags.AttachLocal, flags.AttachArtifactory)
+	}
+
+	if attachTempTarget != "" && attachLocal == "" {
+		return errorutils.CheckErrorf("--%s can be used only with --%s", flags.AttachTempTarget, flags.AttachLocal)
+	}
+
+	if attachLocal != "" && attachTempTarget == "" {
+		defaultTarget := evdConfig.ResolveAttachmentTempTarget()
+		if defaultTarget == "" {
+			return errorutils.CheckErrorf("--%s is required with --%s (or set %s / %s)", flags.AttachTempTarget, flags.AttachLocal, "EVIDENCE_ATTACHMENT_TEMP_TARGET", "attachment.tempTarget")
+		}
+		ctx.AddStringFlag(flags.AttachTempTarget, defaultTarget)
+	}
+
+	if attachLocal != "" && ctx.IsFlagSet(flags.AttachTempTarget) {
+		if err := evdConfig.PersistAttachmentTempTarget(ctx.GetStringFlagValue(flags.AttachTempTarget)); err != nil {
+			log.Warn("error persisting attachment temp target: %w", err)
+			return nil
+		}
+	}
 	return nil
 }
 
@@ -252,6 +290,15 @@ func validateSigstoreBundleArgsConflicts(ctx *components.Context) error {
 	if ctx.IsFlagSet(flags.PredicateType) && ctx.GetStringFlagValue(flags.PredicateType) != "" {
 		conflictingParams = append(conflictingParams, "--"+flags.PredicateType)
 	}
+	if ctx.IsFlagSet(flags.AttachLocal) && ctx.GetStringFlagValue(flags.AttachLocal) != "" {
+		conflictingParams = append(conflictingParams, "--"+flags.AttachLocal)
+	}
+	if ctx.IsFlagSet(flags.AttachTempTarget) && ctx.GetStringFlagValue(flags.AttachTempTarget) != "" {
+		conflictingParams = append(conflictingParams, "--"+flags.AttachTempTarget)
+	}
+	if ctx.IsFlagSet(flags.AttachArtifactory) && ctx.GetStringFlagValue(flags.AttachArtifactory) != "" {
+		conflictingParams = append(conflictingParams, "--"+flags.AttachArtifactory)
+	}
 
 	if len(conflictingParams) > 0 {
 		return errorutils.CheckErrorf("The following parameters cannot be used with --%s: %s. These values are extracted from the bundle itself:", flags.SigstoreBundle, strings.Join(conflictingParams, ", "))

diff --git a/evidence/cli/command/command_cli_test.go b/evidence/cli/command/command_cli_test.go
@@ -32,10 +32,10 @@ func TestCreateEvidence_Context(t *testing.T) {
 	// Set up test environment variables for this test suite only
 	originalServerID := os.Getenv("JFROG_CLI_SERVER_ID")
 	originalURL := os.Getenv("JFROG_CLI_URL")
-	
+
 	_ = os.Setenv("JFROG_CLI_SERVER_ID", "test-server")
 	_ = os.Setenv("JFROG_CLI_URL", "https://test.jfrog.io")
-	
+
 	defer func() {
 		if originalServerID != "" {
 			_ = os.Setenv("JFROG_CLI_SERVER_ID", originalServerID)
@@ -259,10 +259,10 @@ func TestVerifyEvidence_Context(t *testing.T) {
 	// Set up test environment variables for this test suite only
 	originalServerID := os.Getenv("JFROG_CLI_SERVER_ID")
 	originalURL := os.Getenv("JFROG_CLI_URL")
-	
+
 	_ = os.Setenv("JFROG_CLI_SERVER_ID", "test-server")
 	_ = os.Setenv("JFROG_CLI_URL", "https://test.jfrog.io")
-	
+
 	defer func() {
 		if originalServerID != "" {
 			_ = os.Setenv("JFROG_CLI_SERVER_ID", originalServerID)
@@ -831,3 +831,49 @@ func TestValidateSonarQubeRequirements(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateCreateEvidenceCommonContext_Attachments(t *testing.T) {
+	app := cli.NewApp()
+	app.Commands = []cli.Command{{Name: "create"}}
+	ctx := cli.NewContext(app, &flag.FlagSet{}, nil)
+
+	t.Run("local and artifactory conflict", func(t *testing.T) {
+		c, err := components.ConvertContext(ctx,
+			test.SetDefaultValue(flags.SubjectRepoPath, "repo/path/file"),
+			test.SetDefaultValue(flags.Predicate, "/tmp/p.json"),
+			test.SetDefaultValue(flags.PredicateType, "ptype"),
+			test.SetDefaultValue(flags.Key, "k"),
+			test.SetDefaultValue(flags.AttachLocal, "/tmp/a.txt"),
+			test.SetDefaultValue(flags.AttachArtifactory, "repo/other/a.txt"),
+		)
+		assert.NoError(t, err)
+		assert.Error(t, validateCreateEvidenceCommonContext(c))
+	})
+
+	t.Run("temp target from env", func(t *testing.T) {
+		assert.NoError(t, os.Setenv("EVIDENCE_ATTACHMENT_TEMP_TARGET", "repo/tmp/"))
+		defer func() { _ = os.Unsetenv("EVIDENCE_ATTACHMENT_TEMP_TARGET") }()
+		c, err := components.ConvertContext(ctx,
+			test.SetDefaultValue(flags.SubjectRepoPath, "repo/path/file"),
+			test.SetDefaultValue(flags.Predicate, "/tmp/p.json"),
+			test.SetDefaultValue(flags.PredicateType, "ptype"),
+			test.SetDefaultValue(flags.Key, "k"),
+			test.SetDefaultValue(flags.AttachLocal, "/tmp/a.txt"),
+		)
+		assert.NoError(t, err)
+		assert.NoError(t, validateCreateEvidenceCommonContext(c))
+		assert.Equal(t, "repo/tmp/", c.GetStringFlagValue(flags.AttachTempTarget))
+	})
+
+	t.Run("temp target without local", func(t *testing.T) {
+		c, err := components.ConvertContext(ctx,
+			test.SetDefaultValue(flags.SubjectRepoPath, "repo/path/file"),
+			test.SetDefaultValue(flags.Predicate, "/tmp/p.json"),
+			test.SetDefaultValue(flags.PredicateType, "ptype"),
+			test.SetDefaultValue(flags.Key, "k"),
+			test.SetDefaultValue(flags.AttachTempTarget, "repo/tmp/"),
+		)
+		assert.NoError(t, err)
+		assert.Error(t, validateCreateEvidenceCommonContext(c))
+	})
+}
diff --git a/evidence/cli/command/flags/command_flags.go b/evidence/cli/command/flags/command_flags.go
@@ -45,6 +45,9 @@ const (
 	UseArtifactoryKeys = "use-artifactory-keys"
 	Integration        = "integration"
 	SigstoreBundle     = "sigstore-bundle"
+	AttachLocal        = "attach-local"
+	AttachTempTarget   = "attach-temp-target"
+	AttachArtifactory  = "attach-artifactory"
 	ArtifactsLimit     = "artifacts-limit"
 	UploadPublicKey    = "upload-public-key"
 	KeyFilePath        = "key-file-path"
@@ -85,6 +88,9 @@ var flagsMap = map[string]components.Flag{
 	ProviderId:         components.NewStringFlag(ProviderId, "Provider ID for the evidence.", func(f *components.StringFlag) { f.Mandatory = false }),
 	PublicKeys:         components.NewStringFlag(PublicKeys, "Array of paths to public keys for signatures verification with \";\" separator. Supported keys: 'ecdsa','rsa' and 'ed25519'.", func(f *components.StringFlag) { f.Mandatory = false }),
 	SigstoreBundle:     components.NewStringFlag(SigstoreBundle, "Path to a Sigstore bundle file with a pre-signed DSSE envelope. Incompatible with --"+Key+", --"+KeyAlias+", --"+Predicate+", --"+PredicateType+" and --"+SubjectSha256+".", func(f *components.StringFlag) { f.Mandatory = false }),
+	AttachLocal:        components.NewStringFlag(AttachLocal, "Path to a local file to attach to created evidence. Incompatible with --"+AttachArtifactory+".", func(f *components.StringFlag) { f.Mandatory = false }),
+	AttachTempTarget:   components.NewStringFlag(AttachTempTarget, "Temporary upload target for --"+AttachLocal+" in format <repo/path[/name]>. Use trailing slash for directory targets.", func(f *components.StringFlag) { f.Mandatory = false }),
+	AttachArtifactory:  components.NewStringFlag(AttachArtifactory, "Existing Artifactory file path to attach in format <repo/path>.", func(f *components.StringFlag) { f.Mandatory = false }),
 	UseArtifactoryKeys: components.NewBoolFlag(UseArtifactoryKeys, "Use Artifactory keys for verification. When enabled, the verify command retrieves keys from Artifactory.", components.WithBoolDefaultValueFalse()),
 	ArtifactsLimit:     components.NewStringFlag(ArtifactsLimit, "The number of artifacts in a release bundle to be included in the evidences file. The default value is 1000 artifacts", func(f *components.StringFlag) { f.Mandatory = false }),
 	Integration:        components.NewStringFlag(Integration, "Specify an integration to automatically generate the Predicate. Supported: 'sonar'. When using 'sonar', the 'SONAR_TOKEN' or 'SONARQUBE_TOKEN' environment variable must be set.", func(f *components.StringFlag) { f.Mandatory = false }),
@@ -120,6 +126,9 @@ var commandFlags = map[string][]string{
 		ProviderId,
 		Integration,
 		SigstoreBundle,
+		AttachLocal,
+		AttachTempTarget,
+		AttachArtifactory,
 	},
 	VerifyEvidence: {
 		Url,

diff --git a/evidence/cli/command/github/command_github.go b/evidence/cli/command/github/command_github.go
@@ -43,7 +43,11 @@ func (ebc *evidenceGitHubCommand) CreateEvidence(ctx *components.Context, server
 		ebc.ctx.GetStringFlagValue(flags.Project),
 		ebc.ctx.GetStringFlagValue(flags.BuildName),
 		ebc.ctx.GetStringFlagValue(flags.BuildNumber),
-		ebc.ctx.GetStringFlagValue(flags.TypeFlag))
+		ebc.ctx.GetStringFlagValue(flags.TypeFlag),
+		ebc.ctx.GetStringFlagValue(flags.AttachLocal),
+		ebc.ctx.GetStringFlagValue(flags.AttachTempTarget),
+		ebc.ctx.GetStringFlagValue(flags.AttachArtifactory),
+	)
 	return ebc.execute(createCmd)
 }
 

diff --git a/evidence/cli/command/package/command_package.go b/evidence/cli/command/package/command_package.go
@@ -40,7 +40,11 @@ func (epc *evidencePackageCommand) CreateEvidence(ctx *components.Context, serve
 		epc.ctx.GetStringFlagValue(flags.PackageVersion),
 		epc.ctx.GetStringFlagValue(flags.PackageRepoName),
 		epc.ctx.GetStringFlagValue(flags.ProviderId),
-		epc.ctx.GetStringFlagValue(flags.Integration))
+		epc.ctx.GetStringFlagValue(flags.Integration),
+		epc.ctx.GetStringFlagValue(flags.AttachLocal),
+		epc.ctx.GetStringFlagValue(flags.AttachTempTarget),
+		epc.ctx.GetStringFlagValue(flags.AttachArtifactory),
+	)
 	return epc.execute(createCmd)
 }
 

diff --git a/evidence/cli/command/releasebundle/command_release_bundle.go b/evidence/cli/command/releasebundle/command_release_bundle.go
@@ -42,7 +42,11 @@ func (erc *evidenceReleaseBundleCommand) CreateEvidence(ctx *components.Context,
 		erc.ctx.GetStringFlagValue(flags.ReleaseBundle),
 		erc.ctx.GetStringFlagValue(flags.ReleaseBundleVersion),
 		erc.ctx.GetStringFlagValue(flags.ProviderId),
-		erc.ctx.GetStringFlagValue(flags.Integration))
+		erc.ctx.GetStringFlagValue(flags.Integration),
+		erc.ctx.GetStringFlagValue(flags.AttachLocal),
+		erc.ctx.GetStringFlagValue(flags.AttachTempTarget),
+		erc.ctx.GetStringFlagValue(flags.AttachArtifactory),
+	)
 	return erc.execute(createCmd)
 }