Attestations
When you publish attestations, Develocity Provenance Governor stores them in Artifactory’s evidence store. All attestations are in-toto attestations.
The following predicate types are published when the source Build Scan contains the relevant data:
| Attestation | Predicate Type | Description |
|---|---|---|
| | | Attests to the build tool used to create the package, including version. |
| | | Attests to the Java toolchains used during the build. |
| | | Attests to repository sources for resolved dependencies. |
| | | Attests to dependencies resolved during the build. |
| | | Attests to the repositories where the package was published. |
| | | Records that an artifact has been verified against a set of policies. |
| | | Provides enriched dependency analysis data. |
Each sub-page describes the predicate payload (the JSON object found in the predicate field of an in-toto Statement whose predicateType matches the given URI).
The examples show only the predicate object (not the full in-toto Statement wrapper) for brevity.
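The wrapper that the examples omit, shown as an added example (not code from Develocity Provenance Governor): a consumer-side check that unwraps a predicate only when the in-toto v1 Statement has the expected `predicateType` and names the artifact's SHA-256 digest as a subject. The predicate type URI, artifact name and predicate fields are constructed placeholders; the real URIs are on the sub-pages.

```python
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"  # in-toto Statement v1 identifier
# Placeholder URI (assumption): substitute the predicate type you expect.
PLACEHOLDER_PREDICATE_TYPE = "https://example.invalid/placeholder-predicate/v1"


def extract_predicate(statement_json, expected_type, artifact_bytes):
    """Return the predicate object only if the Statement wrapper checks out."""
    stmt = json.loads(statement_json)
    if not isinstance(stmt, dict) or stmt.get("_type") != STATEMENT_TYPE:
        raise ValueError("not an in-toto v1 Statement")
    # Reject a Statement carrying a different predicate than the one requested.
    if stmt.get("predicateType") != expected_type:
        raise ValueError("unexpected predicateType")
    # The Statement must be about this artifact: compare subject digests.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = stmt.get("subject") or []
    if not any(isinstance(s, dict) and (s.get("digest") or {}).get("sha256") == digest
               for s in subjects):
        raise ValueError("artifact is not a subject of this Statement")
    predicate = stmt.get("predicate")
    if not isinstance(predicate, dict):
        raise ValueError("predicate must be a JSON object")
    return predicate


def build_sample_statement(artifact_bytes):
    """Constructed sample: wraps a made-up predicate in a Statement."""
    return json.dumps({
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "sample-lib-1.0.jar",  # constructed name
                     "digest": {"sha256": hashlib.sha256(artifact_bytes).hexdigest()}}],
        "predicateType": PLACEHOLDER_PREDICATE_TYPE,
        "predicate": {"sampleField": "sampleValue"},  # constructed payload
    })


if __name__ == "__main__":
    artifact = b"constructed artifact bytes"
    statement = build_sample_statement(artifact)
    print(extract_predicate(statement, PLACEHOLDER_PREDICATE_TYPE, artifact))
```

This validates the Statement structure and subject binding only; it does not verify any signature over the Statement.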