Release History
Current
1.5.0
- [NEW] Dependency Insights Attestation: Provides prioritized risk profiles for dependencies by aggregating security vulnerabilities with CVSS severity scores and license data
  - By passing the full vector string and type for vulnerabilities, we enable downstream policy engines to calculate the exact base, temporal, or environmental scores
- [NEW] Dynamic Attestation Insights: Automatically enriches policy scans with live vulnerability and hygiene data resolved on-the-fly from static attestations
  - Ensures full traceability by automatically persisting insights to the source store and including them in the final Verification Summary
- [IMPROVED] Service Architecture: Introduced a dedicated DependencyInsightService with a non-blocking "Two-Wave" parallel pipeline for efficient metadata retrieval
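The point of shipping the full vector string and its type rather than a precomputed number is that the consumer can recompute the score itself. As an added example (not code from this product or the Dependency Insights service), the following Go program shows what a downstream policy engine can do with that data: it parses a CVSS v3.1 vector, recomputes the base score with the v3.1 equations and the integer-based Roundup function, bands it on the qualitative scale, and refuses any other CVSS type instead of scoring it with the wrong formula (v3.0 rounds differently; v4.0 drops Scope, replaces the Temporal group with Threat, and scores via a lookup table). The weight tables and equations are from the public CVSS v3.1 specification; the function and variable names are this example's own.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Base-metric weights from the CVSS v3.1 specification (section 7.4).
var (
	avW  = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
	acW  = map[string]float64{"L": 0.77, "H": 0.44}
	uiW  = map[string]float64{"N": 0.85, "R": 0.62}
	ciaW = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
	sW   = map[string]float64{"U": 0, "C": 1} // Scope, used as index into prW
	prW  = [2]map[string]float64{{"N": 0.85, "L": 0.62, "H": 0.27}, {"N": 0.85, "L": 0.68, "H": 0.5}}
)

// roundUp is the v3.1 Roundup function, done on 1e-5 integer units so that
// floating-point noise such as 4.000000001 does not round up to 4.1.
func roundUp(x float64) float64 {
	i := int64(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// parseVector splits "CVSS:3.1/AV:N/AC:L/..." into a metric map. Only v3.1 is scored:
// v3.0 rounds differently and v4.0 has other metrics and equations, so any other type fails closed.
func parseVector(vector string) (map[string]string, error) {
	parts := strings.Split(vector, "/")
	if parts[0] != "CVSS:3.1" {
		return nil, fmt.Errorf("unsupported CVSS type %q: only CVSS:3.1 is scored here", parts[0])
	}
	m := map[string]string{}
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed metric %q", p)
		}
		m[kv[0]] = kv[1]
	}
	for _, k := range []string{"AV", "AC", "PR", "UI", "S", "C", "I", "A"} {
		if _, ok := m[k]; !ok {
			return nil, fmt.Errorf("missing base metric %s", k)
		}
	}
	return m, nil
}

// BaseScore computes the CVSS v3.1 base score (0.0 to 10.0) for a vector string.
func BaseScore(vector string) (float64, error) {
	m, err := parseVector(vector)
	if err != nil {
		return 0, err
	}
	get := func(table map[string]float64, name string) float64 {
		w, ok := table[m[name]]
		if !ok && err == nil {
			err = fmt.Errorf("invalid value %q for %s", m[name], name)
		}
		return w
	}
	s := int(get(sW, "S")) // 0 for Scope Unchanged, 1 for Changed
	av, ac, ui, pr := get(avW, "AV"), get(acW, "AC"), get(uiW, "UI"), get(prW[s], "PR")
	c, i, a := get(ciaW, "C"), get(ciaW, "I"), get(ciaW, "A")
	if err != nil {
		return 0, err
	}
	exploitability := 8.22 * av * ac * pr * ui
	iss := 1 - (1-c)*(1-i)*(1-a)
	impact := 6.42 * iss
	if s == 1 {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	switch {
	case impact <= 0:
		return 0, nil
	case s == 1:
		return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundUp(math.Min(impact+exploitability, 10)), nil
}

// Severity maps a score to the CVSS v3.x qualitative rating scale.
func Severity(score float64) string {
	switch {
	case score == 0:
		return "None"
	case score < 4:
		return "Low"
	case score < 7:
		return "Medium"
	case score < 9:
		return "High"
	}
	return "Critical"
}
```

A policy that gates on `Severity(BaseScore(v))` gets the same answer for every consumer of the attestation, and a vector whose type the engine does not implement produces an error rather than a silently wrong number, which is the behaviour you want in a gate.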
Previous Versions
1.4.0
- [NEW] PublishRepositories Attestation: Track repository URLs and publication timestamps for artifacts to provide comprehensive provenance
- [NEW] PublishRepositories Policy: Ensure artifacts are sourced from trusted repositories with automated policy enforcement
- [NEW] API Error Reference: Standardizes API error responses using RFC 7807 and introduces a detailed reference guide for faster troubleshooting
- [IMPROVED] System Performance: Improved concurrency and reduced resource overhead during large-scale attestation generation via optimized build event processing
- [IMPROVED] Observability & Monitoring: Enhanced visibility with unified HTTP client metrics, allowing operators to track success rates and latencies for Develocity and Artifactory connections
- [IMPROVED] External Integration Resilience: Improved reliability under unstable network conditions with configurable retry policies and per-instance token expiration for Develocity integrations
- [IMPROVED] Internal Architecture: Enhanced robustness and extensibility for provenance data through a modularized publishing pipeline
1.3.1
- [IMPROVED] Dependency Updates: Maintains security and performance by updating internal dependencies to their latest versions
- [NEW] Prometheus Metrics: Simplified monitoring integration by exposing Prometheus metrics on the management port (9090) at /actuator/prometheus
1.3.0
- [NEW] VerificationSummary Policy: Evaluate artifacts based on Verification Summary Attestations (VSAs) with a new policy type
  - Enforce build gates and scan requirements by verifying that artifacts have passed specific verification processes
  - Prevents verifier impersonation with support for signature key binding
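Key binding means the policy does not just ask "is this VSA signed by some key I trust?" but "is it signed by a key that belongs to the verifier it claims to come from?". As an added example, not the product's own implementation, the following Go program shows that check in isolation: the policy maps each trusted verifier.id to the public keys allowed to sign for it, and a VSA in a DSSE envelope is accepted only when a signature verifies under a key bound to the verifier named inside the predicate. The envelope layout follows DSSE, the payload follows the in-toto Statement v1 and SLSA VSA v1 shape, and Ed25519 keys are generated on the fly; the verifier identifiers, key ids, artifact name, digest and URIs in the sample statement are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

const inTotoPayloadType = "application/vnd.in-toto+json"
const vsaPredicateType = "https://slsa.dev/verification_summary/v1"

// Envelope is a DSSE envelope as used for in-toto/SLSA attestations.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the in-toto Statement
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// vsa is the part of a Statement with a SLSA VSA v1 predicate that the check needs.
type vsa struct {
	PredicateType string `json:"predicateType"`
	Predicate     struct {
		Verifier           struct{ ID string `json:"id"` } `json:"verifier"`
		VerificationResult string                           `json:"verificationResult"`
	} `json:"predicate"`
}

// pae is the DSSE Pre-Authentication Encoding; this, not the raw payload, is what is signed.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign wraps a Statement in a DSSE envelope signed with an Ed25519 key.
func Sign(priv ed25519.PrivateKey, keyID string, stmt []byte) Envelope {
	sig := ed25519.Sign(priv, pae(inTotoPayloadType, stmt))
	return Envelope{PayloadType: inTotoPayloadType, Payload: base64.StdEncoding.EncodeToString(stmt),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// VerifyVSA accepts env only if a signature verifies under a public key that the
// policy binds to the verifier.id claimed inside the predicate. Checking against
// "any trusted key" instead would let verifier B's key vouch for a VSA claiming A.
func VerifyVSA(env Envelope, trustedVerifiers map[string][]ed25519.PublicKey) (vsa, error) {
	var st vsa
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err == nil {
		err = json.Unmarshal(payload, &st)
	}
	if err != nil {
		return st, err
	}
	if st.PredicateType != vsaPredicateType {
		return st, fmt.Errorf("not a VSA: predicateType %q", st.PredicateType)
	}
	keys, ok := trustedVerifiers[st.Predicate.Verifier.ID]
	if !ok {
		return st, fmt.Errorf("verifier %q is not trusted by policy", st.Predicate.Verifier.ID)
	}
	msg := pae(env.PayloadType, payload) // the signer committed to payloadType as well
	for _, s := range env.Signatures {
		sig, _ := base64.StdEncoding.DecodeString(s.Sig) // a malformed sig simply fails Verify
		for _, pub := range keys {
			if ed25519.Verify(pub, msg, sig) {
				return st, nil
			}
		}
	}
	return st, errors.New("no signature verifies under a key bound to the claimed verifier")
}

// vsaStatement builds a constructed sample VSA (hypothetical artifact, all-zero digest, URIs).
func vsaStatement(verifierID string) []byte {
	return []byte(fmt.Sprintf(`{"_type":"https://in-toto.io/Statement/v1",`+
		`"subject":[{"name":"app-1.0.jar","digest":{"sha256":"%064x"}}],"predicateType":"%s",`+
		`"predicate":{"verifier":{"id":"%s"},"timeVerified":"2024-01-01T00:00:00Z",`+
		`"resourceUri":"pkg:maven/com.example/app@1.0","verificationResult":"PASSED",`+
		`"verifiedLevels":["SLSA_BUILD_LEVEL_3"]}}`, 0, vsaPredicateType, verifierID))
}

// ImpersonationDemo: verifier A's key signs a VSA claiming A (accepted); verifier B's key,
// trusted by policy but only for B's id, signs the same bytes claiming A (rejected).
func ImpersonationDemo() (genuineAccepted, crossSignedAccepted bool) {
	const idA, idB = "https://verifier-a.example", "https://verifier-b.example" // hypothetical ids
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	policy := map[string][]ed25519.PublicKey{idA: {pubA}, idB: {pubB}}
	stmt := vsaStatement(idA)
	_, errA := VerifyVSA(Sign(privA, "key-a", stmt), policy)
	_, errB := VerifyVSA(Sign(privB, "key-b", stmt), policy)
	return errA == nil, errB == nil
}
```

The second case in `ImpersonationDemo` is the one a flat "trusted keys" list gets wrong: key B is legitimately trusted, so a verifier that only checks signature validity against the trust set would accept a VSA that falsely names verifier A. Binding keys to verifier ids in the policy closes that gap; the `keyid` field in the envelope is a hint for key selection, not a trust decision.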
1.2.0
- [NEW] SLSA Verification Summary Attestations: Provides cryptographically verifiable evidence of policy compliance with a full implementation of SLSA v1.2 Verification Summary attestations
- [NEW] Policy Loading Improvements: Improved reliability and error reporting for YAML policy loading with better handling of document separators and edge cases
- [IMPROVED] Artifactory Integration: Improved traceability and reliability for Artifactory integrations with enhanced retry logic and improved URI generation
- [IMPROVED] API Documentation: Easier integration with detailed documentation for fetching attestations by ID, including DSSE and in-toto payload formats
- [IMPROVED] Quick Start Guide: Simplified onboarding with a restructured quick start guide and new k3d deployment options
1.1.0
- [NEW] Deterministic S3 Attestation Storage: Support centralized and deterministic storage by storing attestations in Amazon S3
- [NEW] S3 Attestation Store Reader: Retrieve attestations directly from S3 for policy evaluation
- [NEW] Fetch Attestation by ID: Retrieve specific attestations via a new API endpoint using their unique identifier
- [NEW] AttestationsExist Policy: Ensure mandatory attestations are present with a new policy type