Policies


You can use policies to evaluate software packages against your organization’s compliance requirements. Policies are declarative YAML documents that define rules about what a software package must (or must not) contain, such as required build tool versions, approved dependency sources, or forbidden libraries.

Develocity Provenance Governor evaluates policies against the attestations it has previously generated for a package. This means policy decisions are grounded in verified build data rather than self-reported metadata, giving you confidence that evaluation results reflect what actually happened during the build.
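To make the evaluation model concrete, here is an added illustrative policy evaluator in Python. It is not Develocity Provenance Governor's own code, and the rule types, field names and attestation layout below are a hypothetical schema loosely modelled on an in-toto/SLSA provenance predicate, not the product's actual format. The policy is written as the Python dict equivalent of a YAML document so the block runs without a YAML library, and both the policy and the attestation are constructed sample data. The point it demonstrates beyond the paragraph: rules are checked only against the attestation's recorded builder and materials, a package with no attestation fails closed rather than passing by default, and an unrecognised rule type is reported rather than silently satisfied.

```python
import re
from dataclasses import dataclass

# Constructed sample attestation (hypothetical shape, not the product's format).
ATTESTATION = {
    "subject": [{"name": "pkg:maven/com.example/app@1.4.2",
                 "digest": {"sha256": "0" * 64}}],
    "predicate": {
        "builder": {"id": "https://ci.example.com/gradle",
                    "version": {"gradle": "8.7"}},
        "materials": [
            {"uri": "pkg:maven/org.apache.commons/commons-lang3@3.14.0",
             "source": "https://repo.maven.apache.org/maven2"},
            {"uri": "pkg:maven/log4j/log4j@1.2.17",
             "source": "https://repo.maven.apache.org/maven2"},
            {"uri": "pkg:maven/com.example/internal-lib@2.0.0",
             "source": "https://artifacts.example.com/releases"},
        ],
    },
}

# Constructed sample policy: dict equivalent of a YAML document (hypothetical rule types).
POLICY = {
    "name": "baseline",
    "rules": [
        {"type": "build-tool-version", "tool": "gradle", "minimum": "8.5"},
        {"type": "approved-sources",
         "allowed": ["https://repo.maven.apache.org/maven2",
                     "https://artifacts.example.com/"]},
        {"type": "forbidden-libraries", "names": ["pkg:maven/log4j/log4j"]},
    ],
}


@dataclass(frozen=True)
class Violation:
    rule: str
    detail: str


def _version_key(version: str) -> tuple:
    # Compare on numeric components only; "8.7-rc1" sorts as (8, 7).
    # Pre-release ordering is deliberately out of scope for this illustration.
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def _check_build_tool_version(rule, predicate):
    tool = rule["tool"]
    actual = predicate.get("builder", {}).get("version", {}).get(tool)
    if actual is None:
        return [Violation(rule["type"], f"attestation records no {tool} version")]
    if _version_key(actual) < _version_key(rule["minimum"]):
        return [Violation(rule["type"],
                          f"{tool} {actual} is below minimum {rule['minimum']}")]
    return []


def _check_approved_sources(rule, predicate):
    # Every material must have been fetched from an allowed source prefix.
    out = []
    for m in predicate.get("materials", []):
        src = m.get("source", "")
        if not any(src.startswith(a) for a in rule["allowed"]):
            out.append(Violation(rule["type"],
                                 f"{m['uri']} fetched from unapproved source {src!r}"))
    return out


def _check_forbidden_libraries(rule, predicate):
    # Match a purl with or without a version suffix.
    out = []
    for m in predicate.get("materials", []):
        for name in rule["names"]:
            if m["uri"] == name or m["uri"].startswith(name + "@"):
                out.append(Violation(rule["type"],
                                     f"forbidden library present: {m['uri']}"))
    return out


CHECKS = {
    "build-tool-version": _check_build_tool_version,
    "approved-sources": _check_approved_sources,
    "forbidden-libraries": _check_forbidden_libraries,
}


def evaluate(policy, attestation):
    """Return the list of violations; an empty list means the package complies."""
    # Fail closed: without a verified attestation there is no trustworthy build
    # data to evaluate, so the package must not pass by default.
    if attestation is None:
        return [Violation("attestation", "no verified attestation for package")]
    predicate = attestation.get("predicate", {})
    violations = []
    for rule in policy["rules"]:
        check = CHECKS.get(rule["type"])
        if check is None:
            violations.append(Violation(rule["type"],
                                        "unknown rule type; not treated as satisfied"))
            continue
        violations.extend(check(rule, predicate))
    return violations


if __name__ == "__main__":
    for v in evaluate(POLICY, ATTESTATION):
        print(f"[{v.rule}] {v.detail}")
```

With the sample data the build-tool and source rules pass and the forbidden-library rule reports the log4j material; passing `None` as the attestation yields a single `attestation` violation. Note that the evaluator never consults the package's own manifest or self-declared metadata, which is the property the paragraph above describes.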

  • Writing Policies — Author declarative YAML policies and organize them with labels.

  • Evaluating Policies — Run Policy Scan™ evaluations against packages during CI/CD.

  • Policy Types — Reference for all supported policy types and their configuration options.