Policy Types

Develocity Provenance Governor supports the following policy types:

Policy Kind Description

BuildTool

Enforce specific build tool and version usage

JavaToolchains

Control Java toolchain (JDK version/vendor) requirements

ResolvedDependenciesRepositories

Restrict dependency resolution sources

PackageUrl

Allow or block specific dependencies

PublishRepositories

Enforce artifact promotion workflows

AttestationsExist

Verify required attestation types exist

TrustedPublicKeys

Validate attestation signatures

VerificationSummary

Evaluate VSA verification results

DependencyScoring

Score dependency health using SLO-based vulnerability and upgrade compliance