# JFrog Evidence Collection

*This integration is available from SonarQube Server Enterprise Edition.*

{% hint style="success" %}
To set up your pipeline to use the JFrog CLI to create the Sonar evidence, see the [JFrog pipelines documentation](https://jfrog.com/help/r/jfrog-pipelines-documentation/jfrog-pipelines).
{% endhint %}

The [JFrog Evidence Collection](https://jfrog.com/evidence/) expands JFrog’s Release Lifecycle Management capabilities to enrich artifacts, builds, and release bundles with signed attestation metadata that can be easily tracked and verified for governance and compliance.

SonarQube Server integrates with JFrog Evidence Collection to provide trusted auditing for software packages.

## Prerequisites

* SonarQube Server Enterprise Edition
* JFrog Artifactory Enterprise+ license
* Minimum JFrog CLI version: 2.78.9

## Integration overview <a href="#integration-ove" id="integration-ove"></a>

The [JFrog CLI](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli) is used within the CI pipeline to create the Sonar evidence that will be displayed on the JFrog platform. This evidence contains the quality gate status computed by SonarQube Server and made accessible via its API.

The figure below shows the process:

1. The CI pipeline starts the SonarQube analysis.
2. The SonarScanner performs the analysis and sends the results to SonarQube Server.
3. SonarQube Server processes the analysis results and computes the quality gate status.
4. The CI pipeline asks JFrog CLI to create the Sonar evidence for the analysis.
5. The JFrog CLI, which waits for the analysis to complete, retrieves the SonarQube analysis evidence payload from SonarQube Server's endpoint: `<serverBaseUrl>/api/v2/dop-translation/jfrog-evidence/<backgroundTaskId>` (see [Example of a Sonar endpoint response](#endpoint-response) below).

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/wx2vpgvdKoyJg4eySnaZ" alt="The JFrog CLI waits for the SonarQube Server analysis completion, retrieves SonarQube analysis evidence payload from SonarQube Server&#x27;s endpoint, creates the Sonar evidence, and sends it to JFrog Evidence Collection."><figcaption></figcaption></figure>

You must set up your pipeline to use the JFrog CLI to create the Sonar evidence. See the [JFrog pipelines documentation](https://jfrog.com/help/r/jfrog-pipelines-documentation/jfrog-pipelines).

## Example of a Sonar endpoint response <a href="#endpoint-response" id="endpoint-response"></a>

The endpoint response contains the evidence payload in JSON format with a markdown section.

```json
{
   "predicateType":"https://jfrog.com/evidence/sonarqube/v1",
   "predicate":{
      "projectStatus":{
         "status":"ERROR",
         "ignoredConditions":false,
         "caycStatus":"non-compliant",
         "conditions":[
            {
               "status":"ERROR",
               "metricKey":"new_coverage",
               "comparator":"LT",
               "errorThreshold":"85",
               "actualValue":"82.50562381034781"
            },
            {
               "status":"OK",
               "metricKey":"skipped_tests",
               "comparator":"GT",
               "actualValue":"0"
            }
         ],
         "period":{
            "mode":"last_version",
            "date":"2000-04-27T00:45:23+0200",
            "parameter":"2015-12-07"
         }
      }
   },
   "createdAt":"2222-01-01T00:00:00.000Z",
   "createdBy":"SonarQube",
   "markdown":"# SVG in Markdown example\n\n## Details\n\n- **Type**: svg examples\n\nThis demonstrates the syntax for embedding an SVG without a separate file.\n\n!"
}
```
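A pipeline policy step can inspect a payload of this shape before a release is promoted. The following is an added example, not SonarSource or JFrog code: the function name `evaluate_evidence` and the fail-closed policy (any quality gate or condition status other than `OK` is rejected) are assumptions of the example, and the sample input is constructed from the response above.

```python
import json

EXPECTED_PREDICATE_TYPE = "https://jfrog.com/evidence/sonarqube/v1"

# Constructed sample: the response above, trimmed to the fields this check reads.
SAMPLE = json.dumps({
    "predicateType": EXPECTED_PREDICATE_TYPE,
    "predicate": {"projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "85", "actualValue": "82.50562381034781"},
            {"status": "OK", "metricKey": "skipped_tests", "comparator": "GT",
             "actualValue": "0"},
        ],
    }},
})


def evaluate_evidence(raw):
    """Return (passed, reasons). Anything unexpected fails closed (example policy)."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError:
        return False, ["payload is not valid JSON"]
    if not isinstance(payload, dict):
        return False, ["payload is not a JSON object"]
    # Reject payloads that are not SonarQube evidence before reading any field.
    if payload.get("predicateType") != EXPECTED_PREDICATE_TYPE:
        return False, ["unexpected predicateType"]
    predicate = payload.get("predicate")
    project_status = predicate.get("projectStatus") if isinstance(predicate, dict) else None
    if not isinstance(project_status, dict):
        return False, ["missing predicate.projectStatus"]
    reasons = []
    status = project_status.get("status")
    if status != "OK":
        reasons.append(f"quality gate status is {status!r}")
    conditions = project_status.get("conditions")
    for cond in conditions if isinstance(conditions, list) else []:
        # Report each failing condition so the audit trail shows why the gate failed.
        if isinstance(cond, dict) and cond.get("status") != "OK":
            reasons.append("{}: actual {} {} threshold {}".format(
                cond.get("metricKey"), cond.get("actualValue"),
                cond.get("comparator"), cond.get("errorThreshold")))
    return not reasons, reasons


if __name__ == "__main__":
    passed, reasons = evaluate_evidence(SAMPLE)
    print("PASS" if passed else "FAIL", reasons)
```
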


