Policy Scan Predicate

After every Policy Scan™ evaluation, Develocity Provenance Governor publishes a Policy Scan Predicate attestation that records per-policy evaluation results and a snapshot of every evaluated policy definition. The predicate is published before the Verification Summary (VSA) and is referenced from the VSA's inputAttestations, so it can be discovered from the VSA alone without fetching attestation content.

Fields:

  • sourcedFromUri (string) — URI identifying the Develocity Provenance Governor instance and Policy Scan definition that produced this predicate (e.g., https://provenance-governor.example.com/policies/PolicyScanDefinition/prod-release).

  • entries (array of objects) — Per-evaluation results. Each entry contains:

    • policyUri (string) — URI of the policy that was evaluated (e.g., /policies/TrustedPublicKeys/trusted-public-keys).

    • attestationUri (string, nullable) — URI of the attestation the policy was evaluated against. null for deferred or stateful evaluators where the verdict is aggregated across multiple attestations.

    • status (string) — Evaluation outcome: "satisfied" or "unsatisfied". Results with status not-applicable are excluded.

    • details (object) — Evaluator-supplied diagnostic data (e.g., the public key that was missing, the CVSS threshold that was exceeded).

  • evaluatedPolicies (object) — Map of policy URI to the full policy object as it existed at evaluation time. Includes both the PolicyScanDefinition that orchestrated the scan and the leaf policies it selected. Provides a durable, self-contained audit record since policy definitions may change over time.

entries and evaluatedPolicies are omitted from the JSON when empty.

Example

The following example shows a prod-release gate that evaluates two leaf policies:

  • TrustedPublicKeys — evaluated per attestation. One attestation carried an untrusted key (unsatisfied); the other passed (satisfied), recorded as a deferred verdict with no attestationUri.

  • VerificationSummary (upstream-gate) — a deferred evaluator requiring the artifact to have a PASSED VSA from an upstream verifier. No individual attestationUri because the verdict is aggregated across all VSAs seen during the scan.

{
  "sourcedFromUri": "https://provenance-governor.example.com/policies/PolicyScanDefinition/prod-release",
  "entries": [
    {
      "policyUri": "/policies/TrustedPublicKeys/trusted-public-keys",
      "attestationUri": "https://provenance-governor.example.com/attestations/uuid-1",
      "status": "unsatisfied",
      "details": { "reason": "Public key 'ABC' is not in the trusted set" }
    },
    {
      "policyUri": "/policies/TrustedPublicKeys/trusted-public-keys",
      "attestationUri": null,
      "status": "satisfied",
      "details": {}
    },
    {
      "policyUri": "/policies/VerificationSummary/upstream-gate",
      "attestationUri": null,
      "status": "satisfied",
      "details": {
        "reason": "Found 1 matching verification summaries",
        "matchingCount": 1,
        "satisfiedRequirements": 1,
        "totalRequirements": 1
      }
    }
  ],
  "evaluatedPolicies": {
    "/policies/PolicyScanDefinition/prod-release": {
      "apiVersion": "policy.gradle.com/v1",
      "kind": "PolicyScanDefinition",
      "metadata": { "name": "prod-release", "labels": {}, "annotations": {} },
      "spec": {
        "description": "Production release gate",
        "policySelector": { "matchLabels": { "env": "prod" } }
      }
    },
    "/policies/TrustedPublicKeys/trusted-public-keys": {
      "apiVersion": "policy.gradle.com/v1",
      "kind": "TrustedPublicKeys",
      "metadata": { "name": "trusted-public-keys", "labels": {}, "annotations": {} },
      "spec": {
        "resultsLabels": {},
        "description": "Artifact must be signed by a trusted key",
        "remediation": "Sign with a trusted key",
        "ignoreSigningFailures": false,
        "keys": {}
      }
    },
    "/policies/VerificationSummary/upstream-gate": {
      "apiVersion": "policy.gradle.com/v1",
      "kind": "VerificationSummary",
      "metadata": { "name": "upstream-gate", "labels": {}, "annotations": {} },
      "spec": {
        "resultsLabels": {},
        "description": "Upstream build gate must have passed",
        "remediation": "Ensure the upstream build gate has passed before running this gate",
        "matchingStrategy": "must-match",
        "summaryRequirements": [
          {
            "verifierId": "https://build.example.com",
            "verificationResult": "PASSED",
            "policyUri": "/policies/PolicyScanDefinition/build-gate",
            "signatureKeyIds": []
          }
        ]
      }
    }
  }
}

The Verification Summary links to this predicate via its inputAttestations array. Each entry contains the predicate’s store URI and a SHA-256 digest of the envelope payload, forming a tamper-evident chain between the verdict and the supporting evidence.

{
  "inputAttestations": [
    {
      "uri": "s3://bucket/evaluation-log/uuid-for-predicate",
      "digest": { "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" }
    }
  ]
}
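The following is an added example, not Provenance Governor code, showing how a consumer would read a Policy Scan Predicate (defaulting the arrays that are omitted when empty), derive the gate outcome from the entries, and check that a VSA's inputAttestations pins the predicate by URI and by the SHA-256 of the envelope payload bytes. The predicate and VSA fragment are constructed, abbreviated from the example above; the consistency checks in validate() are this example's own assumptions, not rules stated by the format.

```python
import hashlib
import json

# Constructed sample, abbreviated from the prod-release example above.
PREDICATE = json.loads("""{
  "sourcedFromUri": "https://provenance-governor.example.com/policies/PolicyScanDefinition/prod-release",
  "entries": [
    {"policyUri": "/policies/TrustedPublicKeys/trusted-public-keys",
     "attestationUri": "https://provenance-governor.example.com/attestations/uuid-1",
     "status": "unsatisfied", "details": {"reason": "Public key 'ABC' is not in the trusted set"}},
    {"policyUri": "/policies/TrustedPublicKeys/trusted-public-keys",
     "attestationUri": null, "status": "satisfied", "details": {}},
    {"policyUri": "/policies/VerificationSummary/upstream-gate",
     "attestationUri": null, "status": "satisfied", "details": {"matchingCount": 1}}
  ],
  "evaluatedPolicies": {
    "/policies/PolicyScanDefinition/prod-release": {"kind": "PolicyScanDefinition"},
    "/policies/TrustedPublicKeys/trusted-public-keys": {"kind": "TrustedPublicKeys"},
    "/policies/VerificationSummary/upstream-gate": {"kind": "VerificationSummary"}
  }
}""")

# Constructed VSA fragment, as in the inputAttestations example above.
VSA = {"inputAttestations": [{"uri": "s3://bucket/evaluation-log/uuid-for-predicate",
       "digest": {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}]}

def validate(pred):
    """Default the arrays omitted when empty; apply checks that are this example's assumptions."""
    pred.setdefault("entries", [])
    pred.setdefault("evaluatedPolicies", {})
    for e in pred["entries"]:
        if e["status"] not in ("satisfied", "unsatisfied"):   # not-applicable is never recorded
            raise ValueError(f"unexpected status {e['status']!r}")
        if e["policyUri"] not in pred["evaluatedPolicies"]:    # every entry should have a snapshot
            raise ValueError(f"no policy snapshot for {e['policyUri']}")
    return pred

def unsatisfied_policies(pred):
    """Policies with at least one unsatisfied entry; the gate passes only when this is empty."""
    return sorted({e["policyUri"] for e in pred["entries"] if e["status"] == "unsatisfied"})

def deferred_verdicts(pred):
    """Entries with attestationUri null: verdict aggregated across attestations."""
    return [e["policyUri"] for e in pred["entries"] if e["attestationUri"] is None]

def payload_digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()   # assumption: digest is over raw payload bytes

def vsa_references(vsa, uri, payload):
    """True if some inputAttestations entry pins this predicate by both URI and payload digest."""
    return any(a["uri"] == uri and a["digest"].get("sha256") == payload_digest(payload)
               for a in vsa.get("inputAttestations", []))
```

The digest in the inputAttestations fragment above is the SHA-256 of an empty input, so the sample only matches an empty payload; a real check hashes the actual envelope payload bytes fetched from the store URI.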