About Develocity Provenance Governor

Develocity Provenance Governor is an enterprise solution designed to help automate governance, compliance, and risk for the software supply chain. It enables organizations to define, manage, and enforce provenance and attestation policies for software packages, ensuring that only trusted and compliant artifacts are promoted and consumed across environments.

How It Works

Leveraging the build data in Develocity, Develocity Provenance Governor collects, verifies, and evaluates provenance data and attestations. The product offers detailed provenance attestations, declarative domain-aware policies, and automated evaluation, empowering teams to:

  • Enforce organizational and regulatory requirements for software provenance

  • Prevent the use of untrusted or non-compliant artifacts

  • Gain visibility into the origin and integrity of software components

  • Streamline compliance reporting and incident response

Key Concepts

Below are the terms and concepts you need to understand to use Develocity Provenance Governor:

  • Attestations are signed statements about the origin (or provenance) of a software package, including details about its build process, dependencies, and other metadata. Attestations can be used to verify the integrity and authenticity of software packages.

  • Policies define rules and conditions that software packages must adhere to. You can use policies to prevent non-compliant or untrusted packages from being released, deployed, or used.

  • Policy Scan™ evaluations check packages against the defined policies and report each package’s level of compliance.

Components

The following diagram illustrates the main components of Develocity Provenance Governor and how they interact with each other and with external systems.

Flow

Below is a typical flow for using Develocity Provenance Governor in a software supply chain:

  1. A build runs on a Continuous Integration (CI) system and:

    1. Produces a software package (for example, a JAR file).

    2. Publishes a Build Scan to Develocity (Build Scans capture detailed information about the build process).

    3. Uploads the software package to a package repository (for example, JFrog Artifactory).

    4. Calls Develocity Provenance Governor to generate and publish attestations for the software package.

  2. Develocity Provenance Governor generates attestations based on Build Scan data from Develocity that was collected while building the software package.

    1. After an attestation is generated, Develocity Provenance Governor signs the attestation using a private key.

    2. The signed attestation is published to an attestation store. Develocity Provenance Governor supports publishing attestations to JFrog Artifactory.

  3. A later CI or Continuous Deployment (CD) job calls Develocity Provenance Governor to perform a Policy Scan on the software package.

    1. Develocity Provenance Governor performs a Policy Scan, evaluating the policies against the software package to determine whether it complies with the organization’s rules and requirements. The previously published attestations are the evidence used in this evaluation.

    2. The result of the Policy Scan is returned to the calling job.

    3. Based on the results of the Policy Scan, the job can decide to proceed or fail.

Once published, attestations generated by Develocity Provenance Governor can also be used with JFrog Evidence features and functionality.