Policy Types

Develocity Provenance Governor supports the following policy types:

Policy Kind Description

Policy Kind	Description
`BuildTool`	Enforce specific build tool and version usage
`JavaToolchains`	Control Java toolchain (JDK version/vendor) requirements
`ResolvedDependenciesRepositories`	Restrict dependency resolution sources
`PackageUrl`	Allow or block specific dependencies
`PublishRepositories`	Enforce artifact promotion workflows
`AttestationsExist`	Verify required attestation types exist
`TrustedPublicKeys`	Validate attestation signatures
`VerificationSummary`	Evaluate VSA verification results

BuildTool

Enforce specific build tool and version usage

JavaToolchains

Control Java toolchain (JDK version/vendor) requirements

ResolvedDependenciesRepositories

Restrict dependency resolution sources

PackageUrl

Allow or block specific dependencies

PublishRepositories

Enforce artifact promotion workflows

AttestationsExist

Verify required attestation types exist

TrustedPublicKeys

Validate attestation signatures

VerificationSummary

Evaluate VSA verification results

BuildTool — Enforce constraints on the build tool used.
JavaToolchains — Enforce constraints on Java toolchains.
ResolvedDependenciesRepositories — Enforce constraints on dependency resolution repositories.
PackageUrl — Enforce constraints on resolved package URLs.
PublishRepositories — Enforce constraints on publish repositories.
AttestationsExist — Require specific attestations to be present.
TrustedPublicKeys — Enforce attestation signature verification.
VerificationSummary — Enforce constraints on verification summary results.