Attestations
Attestations are signed, tamper-evident statements about how a software package was built. They capture details such as which build tool and version produced the artifact, which Java toolchain was used, what dependencies were resolved, and from which repositories those dependencies were fetched.
Develocity Provenance Governor generates attestations automatically from the build data already collected by Develocity. When you publish attestations for a package, the system retrieves the relevant Build Scan data, assembles the attestation predicates, optionally signs them with your configured key pair, and stores the results in your attestation backend (JFrog Artifactory or Amazon S3).
All attestations follow the in-toto attestation specification, an industry-standard format for supply chain metadata that is interoperable with tools such as JFrog Evidence.
See Publishing Attestations for the required inputs, API usage, and GitHub Action examples.
The following predicate types are published when the source Build Scan contains the relevant data:
| Attestation | Predicate Type | Description |
|---|---|---|
| | | Attests to the build tool used to create the package, including version. |
| | | Attests to the Java toolchains used during the build. |
| | | Attests to repository sources for resolved dependencies. |
| | | Attests to dependencies resolved during the build. |
| | | Attests to the repositories where the package was published. |
| | | Records that an artifact has been verified against a set of policies. |
| | | Records per-policy evaluation results and evaluated policy snapshots from a Policy Scan. |
| | | Provides enriched dependency analysis data. |
Each sub-page describes the predicate payload (the JSON object found in the `predicate` field of an in-toto Statement whose `predicateType` matches the given URI).
For brevity, the examples show only the predicate object, not the full in-toto Statement wrapper.
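The following added example (not part of the Provenance Governor documentation or product code) shows the two structures the text refers to: the in-toto Statement wrapper around a predicate, and the signed, tamper-evident envelope that the publish flow described above produces. It builds a Statement whose subject digest binds it to an artifact, wraps it in a DSSE envelope (the standard signing envelope for in-toto Statements), verifies the envelope, and extracts the predicate only when the `predicateType` and subject digest match. The Statement type, DSSE payload type and PAE layout are taken from the in-toto and DSSE specifications; the predicate type URI, the artifact bytes, the key and the `keyid` are constructed placeholders, and an HMAC-SHA256 stand-in replaces the asymmetric signature a real key pair would produce so the script runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Real identifiers from the in-toto Statement v1 and DSSE specifications.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Placeholder predicate type: the page does not list the real URIs, so this is constructed.
BUILD_TOOL_PREDICATE = "https://example.invalid/placeholder/build-tool/v1"

# Constructed sample input standing in for a published artifact and a signing key.
SAMPLE_ARTIFACT = b"constructed jar bytes"
SAMPLE_KEY = b"constructed-demo-key"


def make_statement(subject_name: str, artifact: bytes, predicate_type: str, predicate: dict) -> dict:
    """Wrap a predicate in an in-toto Statement; the subject digest binds it to the artifact."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: 'DSSEv1 <len> <type> <len> <payload>'."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    """Produce a DSSE envelope; HMAC-SHA256 over the PAE stands in for an asymmetric signature."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(INTOTO_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": INTOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, key: bytes) -> Optional[dict]:
    """Recompute the MAC over the PAE of the decoded payload; return the Statement or None on mismatch."""
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        return None
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for entry in envelope.get("signatures", []):
        if hmac.compare_digest(base64.b64decode(entry["sig"]), expected):
            return json.loads(payload)
    return None


def replace_payload(envelope: dict, statement: dict) -> dict:
    """Swap the payload without re-signing: the tampering case a verifier must reject."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return {**envelope, "payload": base64.b64encode(payload).decode()}


def extract_predicate(statement: dict, predicate_type: str, artifact: bytes) -> Optional[dict]:
    """Return the predicate only if the Statement is well-formed, has the wanted type and covers the artifact."""
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != predicate_type:
        return None
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        return None
    return statement.get("predicate")


def demo() -> dict:
    """Run the publish/verify round trip on the constructed sample and report each check."""
    predicate = {"tool": "gradle", "version": "8.x"}  # constructed predicate body
    statement = make_statement("lib-1.0.0.jar", SAMPLE_ARTIFACT, BUILD_TOOL_PREDICATE, predicate)
    envelope = sign_envelope(statement, SAMPLE_KEY, "demo-key")
    verified = verify_envelope(envelope, SAMPLE_KEY)
    tampered = replace_payload(envelope, make_statement("lib-1.0.0.jar", SAMPLE_ARTIFACT,
                                                        BUILD_TOOL_PREDICATE, {"tool": "evil"}))
    return {
        "verified_predicate": extract_predicate(verified, BUILD_TOOL_PREDICATE, SAMPLE_ARTIFACT),
        "wrong_type": extract_predicate(verified, "https://example.invalid/other/v1", SAMPLE_ARTIFACT),
        "wrong_artifact": extract_predicate(verified, BUILD_TOOL_PREDICATE, b"some other artifact"),
        "tampered_rejected": verify_envelope(tampered, SAMPLE_KEY) is None,
        "wrong_key_rejected": verify_envelope(envelope, b"wrong key") is None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verifier checks three things before trusting a predicate: the envelope signature over the PAE (so neither the payload nor its type can be swapped), the `predicateType` URI (so a dependency predicate is not mistaken for a build-tool one), and the subject digest (so an attestation for one artifact is not reused for another). Dropping any one of these turns a tamper-evident record into an unverified JSON blob.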