Release History
Previous Versions
1.3.0
- [NEW] VerificationSummary Policy: New policy type for evaluating artifacts based on Verification Summary Attestations (VSAs). Enables enforcement of "build gates" and "scan requirements" by verifying that artifacts have passed specific verification processes. Supports signature key binding to prevent verifier impersonation.
1.2.0
- [NEW] SLSA Verification Summary Attestations: Full implementation of SLSA v1.2 Verification Summary attestations, automatically generated from policy scan results to provide cryptographically verifiable evidence of policy compliance.
- [NEW] Policy Loading Improvements: Enhanced YAML policy loader with better handling of document separators, edge cases, and improved error reporting for malformed policy files.
- [IMPROVED] Artifactory Integration: Enhanced retry logic for attestation retrieval with configurable retry specifications and improved attestation URI generation for better traceability.
- [IMPROVED] API Documentation: Expanded documentation for fetching attestations by ID with detailed explanations of DSSE envelope structure and in-toto Statement payload format.
- [IMPROVED] Quick Start Guide: Restructured quick start documentation with step-by-step instructions, clearer prerequisites, and alternative deployment approaches using k3d image import.
1.1.0
- [NEW] Deterministic S3 Attestation Storage: Support for storing attestations in Amazon S3.
- [NEW] S3 Attestation Store Reader: Support for retrieving attestations from S3 for policy evaluation.
- [NEW] Fetch Attestation by ID: New API endpoint to retrieve specific attestations by their unique identifier.
- [NEW] AttestationsExist Policy: New policy type to ensure specific attestations are present.