MCP Tools

  • Profile — overview of a package’s release lines, gate topology, and trends

  • Dependencies — per-dependency vulnerability and upgrade compliance for a specific version

  • Gate Detail — forensic detail of a single gate evaluation with attestation proof

Authentication

MCP tools are served over HTTP and use the same authentication as all Develocity Provenance Governor resources:

  • OIDC — HTTP Bearer auth with OIDC access tokens

  • Basic — HTTP Basic auth with configured identities

MCP tools do not initiate the OAuth 2.0 client credentials flow or any other token acquisition; callers must obtain and refresh access tokens externally and present them using the mechanisms above. See Access Control for identity and permission configuration.

Presigned View URLs

Each tool response includes a viewUrl field — a presigned URI that deep-links to a graphical rendering of the same data. When presigned access is not configured, the URL is returned unsigned (the path is still valid but requires standard authentication).

get-purl-profile-discovery

Returns release line summaries for a package, enabling an agent to understand the overall supply chain posture before drilling into a specific version range.

Parameters

Parameter Type Description

packageUrl

string

A versionless PURL (e.g., pkg:maven/org.springframework/spring-webmvc).

Response

  • releaseLines (array) — One entry per release line:

    • lineLabel (string) — Human-friendly label (e.g., 6.x, 5.3.x).

    • latestVersion (string) — Highest version in the line (including pre-releases).

    • latestRelease (string, nullable) — Highest non-pre-release version.

    • gateStatus (string, nullable) — PASS or FAIL based on the latest Policy Scan™ evaluation.

    • vulnerabilityCount (int) — Vulnerability count from the latest evaluation.

  • viewUrl (string, nullable) — Presigned URI to the package dashboard.

get-purl-profile-focused

Returns detailed release history, gate topology, and cross-version trends for a specific version range.

Parameters

Parameter Type Description

packageUrl

string

A versionless PURL.

versionRange

string

A VERS range string (e.g., vers:maven/>= 6.0.0 | < 7.0.0).

Response

  • publishHistory (array) — Per-version details within the range:

    • version (string) — Version string.

    • timePublished (string, nullable) — ISO 8601 timestamp.

    • gateStatus (string, nullable) — PASS or FAIL.

    • vulnerabilityCount (int) — Vulnerability count.

  • activePreRelease (object, nullable) — Latest pre-release evaluation:

    • latestPreReleaseVersion (string) — Highest pre-release version within the range.

    • gateStatus (string, nullable) — PASS or FAIL for the latest pre-release version.

  • gateTopology (object) — DAG of supply chain gates showing gate names, upstream/downstream relationships, and per-gate verification results:

    • gates (array) — Gate nodes in the DAG:

      • id (string) — Stable identifier for the gate node.

      • policyUri (string) — URI of the policy or check implemented by this gate.

      • status (string) — Evaluation status for this gate (for example, PASS or FAIL).

      • evaluatedAt (string, nullable) — ISO 8601 timestamp of the last evaluation for this gate.

    • edges (array) — Directed edges indicating gate ordering:

      • from (string) — ID of the upstream gate.

      • to (string) — ID of the downstream gate.

  • trends (object) — Cross-version metrics:

    • averageVulnerabilityCountPerRelease (number).

    • gatePassRatePercent (number) — Percentage of the last 10 versions that passed all gates.

    • medianDaysBetweenReleases (int).

  • latestVersion (string) — Latest version in the range.

  • latestDigest (string) — Most recently attested digest for that version (format: sha256:<hex>).

  • viewUrl (string, nullable) — Presigned URI to the versioned artifact dashboard.

get-purl-dependencies

Returns per-dependency vulnerability and upgrade SLO compliance data for a specific package version and digest. Dependencies with no vulnerabilities and no upgrade issues are omitted to reduce token cost.

Parameters

Parameter Type Description

packageUrl

string

A versionless PURL.

version

string

Package version.

digest

string

Digest of the package artifact (format: sha256:<hex>).

Response

  • summary (object) — Aggregate metrics:

    • score, vulnerabilityScore, upgradeScore (int) — 0–100 scores.

    • achievedTier (string, nullable) — Tier name (e.g., Gold).

    • vulnerabilityCountBySeverity (object) — Counts keyed by CRITICAL, HIGH, MEDIUM, LOW.

    • licenseDistribution (object) — License string to count.

    • upgradesAvailable (int) — Count of dependencies with available upgrades.

  • dependencies (array) — Per-dependency entries:

    • purl (string) — Dependency PURL.

    • licenses (array of strings) — Detected licenses.

    • versions (object, nullable) — Current version and available upgrades (patch, minor, major).

    • vulnerabilityDeductions (array) — Lightweight projections: vulnerabilityId, severity, recommendedUpgrade, daysOverSlo.

    • upgradeDeductions (array) — Lightweight projections: strategy, recommendedUpgrade, daysOverSlo.

  • vulnerabilities (object) — Deduplicated vulnerability details keyed by ID, with full CVSS severity data.

  • note (string, nullable) — Set when dependency insights data is unavailable.

  • viewUrl (string, nullable) — Presigned URI to the dependency explorer.

get-purl-gate-detail

Returns the forensic detail of a single gate evaluation, including per-policy entries, evaluated policy snapshots, and attestation proof URIs.

Parameters

Parameter Type Description

packageUrl

string

A versionless PURL.

version

string

Package version.

digest

string

Digest of the package artifact (format: sha256:<hex>).

gate

string

PolicyScanDefinition name (e.g., Build, DeployEksDevelopment).

Response

  • gate (string) — Gate name.

  • verificationResult (string) — PASSED or FAILED.

  • timeVerified (string) — ISO 8601 timestamp of evaluation.

  • verifier (object) — Verifier identity (URI and version map).

  • evaluations (array) — Per-policy evaluation entries:

    • policyUri (string) — URI of the evaluated policy.

    • attestationUri (string, nullable) — URI of the evaluated attestation.

    • status (string) — satisfied, unsatisfied, or not-applicable.

    • details (object) — Evaluator-specific diagnostic data.

    • policyKind (string) — Policy kind (e.g., AttestationsExist, TrustedPublicKeys).

    • policyDescription (string) — Human-readable policy description.

    • upstreamVerification (object, nullable) — For VerificationSummary policies: upstream gate linkage with verifier ID, required result, and policy URI.

  • slsaLevels (array of strings, nullable) — Verified SLSA levels for this gate evaluation.

  • evaluatedPolicies (object) — Map of policy URI to full policy definition snapshot at evaluation time.

  • inputAttestations (array) — Input attestation descriptors (URI and digest).

  • attestationProof (object) — Proof chain:

    • pspProof (array) — Policy Scan Predicate proof entries as ResourceDescriptor objects (each containing the PSP resource URI and its SHA-256 digest).

    • vsaStoreUri (string, nullable) — Verification Summary store URI.

  • viewUrl (string, nullable) — Presigned URI to the gate detail view.

Worked Example: AI Agent Workflow

A typical agent session uses the tools in sequence:

  1. Discover release lines — the agent calls get-purl-profile-discovery with pkg:maven/org.springframework/spring-webmvc. The response shows three release lines (6.x, 5.3.x, 5.2.x) with the 6.x line showing FAIL gate status.

  2. Focus on 6.x — the agent calls get-purl-profile-focused with VERS range vers:maven/>= 6.0.0 | < 7.0.0. The response shows that version 6.2.9 is the latest, its DeployEksDevelopment gate is failing, and the gate topology reveals an upstream Build gate dependency.

  3. Inspect dependencies — the agent calls get-purl-dependencies with the version and digest from the focused response. The response reveals 3 vulnerability deductions and identifies snakeyaml as carrying a CRITICAL CVE that is 45 days over SLO.

  4. Investigate the failing gate — the agent calls get-purl-gate-detail with gate set to DeployEksDevelopment. The response shows that the gate failed because the upstream Build gate has verificationResult: FAILED. The agent directs the developer to investigate the Build gate.