Release History

Current

13th February 2026

[NEW] PublishRepositories Attestation: Track repository URLs and publication timestamps for artifacts to provide comprehensive provenance
[NEW] PublishRepositories Policy: Ensure artifacts are sourced from trusted repositories with automated policy enforcement
[NEW] API Error Reference: Standardizes API error responses using RFC 7807 and introduces a detailed reference guide for faster troubleshooting
[IMPROVED] System Performance: Improved concurrency and reduced resource overhead during large-scale attestation generation via optimized build event processing
[IMPROVED] Observability & Monitoring: Enhanced visibility with unified HTTP client metrics, allowing operators to track success rates and latencies for Develocity and Artifactory connections
[IMPROVED] External Integration Resilience: Improved reliability under unstable network conditions with configurable retry policies and per-instance token expiration for Develocity integrations
[IMPROVED] Internal Architecture: Enhanced robustness and extensibility for provenance data through a modularized publishing pipeline

2nd January 2026

[IMPROVED] Dependency Updates: Maintains security and performance by updating internal dependencies to their latest versions
[NEW] Prometheus Metrics: Simplified monitoring integration by exposing Prometheus metrics on the management port (9090) at /actuator/prometheus

12th December 2025

[NEW] VerificationSummary Policy: Evaluate artifacts based on Verification Summary Attestations (VSAs) with a new policy type
Enforce build gates and scan requirements by verifying that artifacts have passed specific verification processes
Prevents verifier impersonation with support for signature key binding

8th December 2025

[NEW] SLSA Verification Summary Attestations: Provides cryptographically verifiable evidence of policy compliance with a full implementation of SLSA v1.2 Verification Summary attestations
[NEW] Policy Loading Improvements: Improved reliability and error reporting for YAML policy loading with better handling of document separators and edge cases
[IMPROVED] Artifactory Integration: Improved traceability and reliability for Artifactory integrations with enhanced retry logic and improved URI generation
[IMPROVED] API Documentation: Easier integration with detailed documentation for fetching attestations by ID, including DSSE and in-toto payload formats
[IMPROVED] Quick Start Guide: Simplified onboarding with a restructured quick start guide and new k3d deployment options

21st November 2025

[NEW] Deterministic S3 Attestation Storage: Support centralized and deterministic storage by storing attestations in Amazon S3
[NEW] S3 Attestation Store Reader: Retrieve attestations directly from S3 for policy evaluation
[NEW] Fetch Attestation by ID: Retrieve specific attestations via a new API endpoint using their unique identifier
[NEW] AttestationsExist Policy: Ensure mandatory attestations are present with a new policy type

11th November 2025

[IMPROVED] Dependency Updates: Maintains system stability with dependency updates

17th October 2025