AttestationsExist Policy
The AttestationsExist policy requires that specific attestations are present for an artifact. Unlike other policy types, this policy does not evaluate attestation content — it only checks that attestations with the specified predicate types exist.
Spec Fields
expectedPredicates
A list of predicate type URIs that must be present. Supported predicate types:
- https://gradle.com/attestation/build-tool/v1 — see Build Tool Predicate
- https://gradle.com/attestation/java-toolchains/v1 — see Java Toolchains Predicate
- https://gradle.com/attestation/resolved-dependencies-repositories/v1 — see Resolved Dependencies Repositories Predicate
- https://gradle.com/attestation/resolved-dependencies/v1 — see Resolved Dependencies Predicate
- https://gradle.com/attestation/publish-repositories/v1 — see Publish Repositories Predicate
- https://slsa.dev/verification_summary/v1 — see Verification Summary Predicate
Examples
Require Build Tool Attestation
apiVersion: policy.gradle.com/v1
kind: AttestationsExist
metadata:
  name: require-build-tool-attestation
  labels:
    policy.my-corp.com/gate: build
spec:
  resultsLabels:
    policy.my-corp.com/gate: build
  description: Require Build Tool attestation to be present
  remediation: Ensure build publishes a Build Tool attestation
  expectedPredicates:
    - https://gradle.com/attestation/build-tool/v1
Require Verification Summary Attestation (VSA)
apiVersion: policy.gradle.com/v1
kind: AttestationsExist
metadata:
  name: require-verification-summary-attestation
  labels:
    policy.my-corp.com/gate: production
spec:
  resultsLabels:
    policy.my-corp.com/gate: production
  description: Require Verification Summary attestation (VSA) to be present
  remediation: Ensure package has passed policy scan which generates a VSA
  expectedPredicates:
    - https://slsa.dev/verification_summary/v1
Note: Verification Summary Attestations (VSAs) are generated automatically when Policy Scan™ evaluations execute. Requiring a VSA ensures that packages have been evaluated against policies before deployment.
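The following is an added illustration of the semantics described above, not code from the Gradle policy engine: it evaluates the VSA policy from the second example (written as a Python dict rather than YAML) against constructed in-toto Statements, and shows that only the presence of the predicate type is checked, so a VSA whose own result is FAILED still satisfies AttestationsExist. The `evaluate` function and `PolicyResult` type are assumptions for this example.

```python
# Added illustration, not the Gradle policy engine's own code; mirrors the
# documented semantics: predicate types must be present, content is not read.
from __future__ import annotations
from dataclasses import dataclass

VSA = "https://slsa.dev/verification_summary/v1"
BUILD_TOOL = "https://gradle.com/attestation/build-tool/v1"

# The VSA policy from the page, written as a dict instead of YAML.
POLICY = {
    "apiVersion": "policy.gradle.com/v1",
    "kind": "AttestationsExist",
    "metadata": {"name": "require-verification-summary-attestation"},
    "spec": {
        "resultsLabels": {"policy.my-corp.com/gate": "production"},
        "remediation": "Ensure package has passed policy scan which generates a VSA",
        "expectedPredicates": [VSA],
    },
}

# Constructed sample in-toto Statements for one artifact. Only predicateType
# is consulted; the predicate bodies are included to show what is NOT checked.
STMT = "https://in-toto.io/Statement/v1"
BUILD_TOOL_ATT = {"_type": STMT, "predicateType": BUILD_TOOL, "predicate": {"name": "Gradle"}}
PASSED_VSA = {"_type": STMT, "predicateType": VSA, "predicate": {"verification_result": "PASSED"}}
FAILED_VSA = {"_type": STMT, "predicateType": VSA, "predicate": {"verification_result": "FAILED"}}

@dataclass
class PolicyResult:
    policy: str
    passed: bool
    missing: list[str]       # expected predicate types with no attestation
    labels: dict[str, str]   # spec.resultsLabels, carried on the result
    remediation: str         # spec.remediation, only reported on failure

def evaluate(policy: dict, attestations: list[dict]) -> PolicyResult:
    """Pass iff every expectedPredicates entry matches some predicateType."""
    if policy.get("kind") != "AttestationsExist":
        raise ValueError(f"not an AttestationsExist policy: {policy.get('kind')!r}")
    spec = policy["spec"]
    present = {a.get("predicateType") for a in attestations}
    missing = [p for p in spec["expectedPredicates"] if p not in present]
    return PolicyResult(policy["metadata"]["name"], not missing, missing,
                        dict(spec.get("resultsLabels", {})),
                        spec.get("remediation", "") if missing else "")

if __name__ == "__main__":
    for atts in ([BUILD_TOOL_ATT, PASSED_VSA], [BUILD_TOOL_ATT], [FAILED_VSA]):
        r = evaluate(POLICY, atts)
        print("PASS" if r.passed else f"FAIL missing={r.missing}: {r.remediation}")
```

Because the FAILED VSA case passes, pair AttestationsExist with a policy that evaluates the VSA's content when the gate must depend on the verification result rather than on the attestation's existence.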