BuildTool Policy


The BuildTool policy enforces constraints on the build tool used to produce an artifact. It evaluates against Build Tool attestations (predicate type https://gradle.com/attestation/build-tool/v1).

Spec Fields

buildTools

An array of build tool constraints. Each entry can specify:

toolType

The build tool name (e.g., gradle, maven).

toolVersions

A list of allowed (or disallowed) tool versions.

agentVersions

A list of allowed (or disallowed) Develocity agent versions.

matchingStrategy

must-match requires that the build tool matches one of the specified entries. none-match requires that the build tool does not match any entry.

Example

Require specific build tools and versions
kind: BuildTool
apiVersion: policy.gradle.com/v1
metadata:
  name: example-build-tool-policy
  labels:
    policy.my-corp.com/gate: build
spec:
  resultsLabels:
    policy.my-corp.com/gate: build
  description: Require specific build tools and versions for CI pipelines
  remediation: Use an approved build tool and version
  matchingStrategy: must-match
  buildTools:
    - toolType: gradle
      toolVersions:
        - "7.6"
        - "8.0"
      agentVersions:
        - "1.0"
        - "2.0"
    - toolType: maven
      toolVersions:
        - "3.8.6"
      agentVersions:
        - "1.0"
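
How the two matchingStrategy values behave against the example policy above, as an added sketch in Python; it is not code from Gradle or from this documentation. The flat attestation field names (toolType, toolVersion, agentVersion), exact string comparison of versions, treating a field omitted from an entry as "any", and failing an incomplete attestation are all assumptions, and the none-match policy and the attestations are constructed.

```python
# Added illustration, not Gradle's implementation. Assumptions: the attestation
# exposes flat fields toolType / toolVersion / agentVersion, versions compare as
# exact strings, a field omitted from an entry matches anything, and an
# attestation missing any of the three fields fails the policy (fail closed).

REQUIRED_FIELDS = ("toolType", "toolVersion", "agentVersion")  # hypothetical names

# spec of the example policy on this page
ALLOW_SPEC = {
    "matchingStrategy": "must-match",
    "buildTools": [
        {"toolType": "gradle", "toolVersions": ["7.6", "8.0"],
         "agentVersions": ["1.0", "2.0"]},
        {"toolType": "maven", "toolVersions": ["3.8.6"], "agentVersions": ["1.0"]},
    ],
}
# constructed deny-list counterpart: reject Gradle 7.6 with any agent version
DENY_SPEC = {
    "matchingStrategy": "none-match",
    "buildTools": [{"toolType": "gradle", "toolVersions": ["7.6"]}],
}


def entry_matches(entry, att):
    """True when the attested tool satisfies every field the entry specifies."""
    if "toolType" in entry and att["toolType"] != entry["toolType"]:
        return False
    if "toolVersions" in entry and att["toolVersion"] not in entry["toolVersions"]:
        return False
    if "agentVersions" in entry and att["agentVersion"] not in entry["agentVersions"]:
        return False
    return True


def evaluate(spec, att):
    """Return True when the attestation satisfies the policy spec."""
    strategy = spec.get("matchingStrategy")
    if strategy not in ("must-match", "none-match"):
        raise ValueError(f"unknown matchingStrategy: {strategy!r}")
    if any(not att.get(field) for field in REQUIRED_FIELDS):
        return False  # incomplete attestation: never let a deny list wave it through
    matched = any(entry_matches(e, att) for e in spec.get("buildTools", []))
    return matched if strategy == "must-match" else not matched


if __name__ == "__main__":
    # constructed attestation: Maven 3.8.6 is listed, but agent 2.0 is not allowed for it
    att = {"toolType": "maven", "toolVersion": "3.8.6", "agentVersion": "2.0"}
    print(evaluate(ALLOW_SPEC, att))
```

Under none-match, any tool that is simply absent from the list passes, so a deny list only blocks what it names; must-match is the stricter gate when the set of approved tools is known.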