JavaToolchains Policy
The JavaToolchains policy enforces constraints on the Java toolchains used during a build. It evaluates against Java Toolchains attestations (predicate type https://gradle.com/attestation/java-toolchains/v1).
Spec Fields
toolchains
    An array of toolchain constraints. Each entry can specify:
    vendor
        The JDK vendor name (e.g., oracle, BellSoft Liberica).
    versions
        A list of allowed (or disallowed) JDK versions.
matchingStrategy
    must-match requires that all toolchains match one of the specified entries.
    none-match requires that no toolchain matches any entry.
Examples
A common pattern is to combine two policies: one using none-match to disallow a vendor, and another using must-match to require a specific approved vendor.
Disallow Oracle Java Toolchains
apiVersion: policy.gradle.com/v1
kind: JavaToolchains
metadata:
  name: none-match-oracle-java-toolchain
  labels:
    policy.my-corp.com/gate: build
spec:
  resultsLabels:
    policy.my-corp.com/gate: build
  description: Disallow Oracle Java Toolchains in builds
  remediation: Update Gradle to use BellSoft Java toolchain
  matchingStrategy: none-match
  toolchains:
    - vendor: oracle
Require BellSoft Java Toolchains
apiVersion: policy.gradle.com/v1
kind: JavaToolchains
metadata:
  name: must-match-bellsoft-java-toolchain
  labels:
    policy.my-corp.com/gate: build
spec:
  resultsLabels:
    policy.my-corp.com/gate: build
  description: Builds must use BellSoft Java toolchains
  remediation: Update build to use BellSoft Java toolchain
  matchingStrategy: must-match
  toolchains:
    - vendor: BellSoft Liberica
      versions:
        - 21.0.8
        - 21.0.7
        - 21.0.6
        - 21.0.5
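To make the must-match / none-match semantics concrete, here is an added example (not Gradle's own policy evaluator) that applies the two spec blocks above to the toolchains a Java Toolchains attestation might record for one build. It assumes vendor names compare case-insensitively and that an entry without a versions list matches any version of that vendor; the evaluate/entry_matches functions and the sample build are constructed for illustration.

```python
# Added example: a minimal model of the JavaToolchains matchingStrategy
# semantics. Assumptions (not stated by the page): vendor comparison is
# case-insensitive, and an entry with no "versions" list matches any version.
from dataclasses import dataclass

@dataclass(frozen=True)
class Toolchain:
    vendor: str
    version: str

def entry_matches(entry: dict, tc: Toolchain) -> bool:
    """True when an observed toolchain satisfies one spec entry."""
    if entry["vendor"].lower() != tc.vendor.lower():
        return False
    versions = entry.get("versions")
    return versions is None or tc.version in versions

def evaluate(spec: dict, observed: list[Toolchain]) -> tuple[bool, list[str]]:
    """Return (passed, violations) for a JavaToolchains policy spec."""
    strategy = spec["matchingStrategy"]
    if strategy not in ("must-match", "none-match"):
        raise ValueError(f"unknown matchingStrategy: {strategy}")
    entries = spec["toolchains"]
    violations = []
    for tc in observed:
        matched = any(entry_matches(e, tc) for e in entries)
        if strategy == "must-match" and not matched:
            violations.append(f"{tc.vendor} {tc.version} matches no allowed entry")
        elif strategy == "none-match" and matched:
            violations.append(f"{tc.vendor} {tc.version} matches a disallowed entry")
    return (not violations, violations)

# The spec sections of the two policies above, as parsed YAML (labels omitted).
DISALLOW_ORACLE = {"matchingStrategy": "none-match",
                   "toolchains": [{"vendor": "oracle"}]}
REQUIRE_BELLSOFT = {"matchingStrategy": "must-match",
                    "toolchains": [{"vendor": "BellSoft Liberica",
                                    "versions": ["21.0.8", "21.0.7", "21.0.6", "21.0.5"]}]}

# Constructed sample: toolchains one build's attestation might record.
SAMPLE_BUILD = [Toolchain("BellSoft Liberica", "21.0.8"),
                Toolchain("Oracle", "17.0.12")]

if __name__ == "__main__":
    for name, spec in (("disallow-oracle", DISALLOW_ORACLE),
                       ("require-bellsoft", REQUIRE_BELLSOFT)):
        ok, why = evaluate(spec, SAMPLE_BUILD)
        print(name, "PASS" if ok else "FAIL", why)
```

Note that under must-match a build with an empty toolchain list passes vacuously, which is why pairing it with a none-match policy, as the page recommends, does not by itself guarantee that any toolchain was recorded.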