<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

<a id="component-eol-banner"></a>

You are viewing **Develocity Provenance Governor 1.5**. To view the latest available version of the docs, see [1.7](https://docs.gradle.com/develocity/provenance-governor/1.7/release-history/).

# Release History

<a id="current"></a>

## Current

<a id="1-5-0"></a>

### 1.5.0

19th February 2026

*   \[NEW\] **Dependency Insights Attestation**: Provides prioritized risk profiles for dependencies by aggregating security vulnerabilities with CVSS severity scores and license data
    
*   By passing the full vector string and type for vulnerabilities, we enable downstream policy engines to calculate the exact base, temporal, or environmental scores
    
*   \[NEW\] **Dynamic Attestation Insights**: Automatically enriches Policy Scan™ evaluations with live vulnerability and hygiene data resolved on-the-fly from static attestations
    
*   Ensures full traceability by automatically persisting insights to the source store and including them in the final Verification Summary
    
*   \[IMPROVED\] **Service Architecture**: Introduced a dedicated `DependencyInsightService` with a non-blocking "Two-Wave" parallel pipeline for efficient metadata retrieval
    

<a id="previous-versions"></a>

## Previous Versions

<a id="1-4-0"></a>

### 1.4.0

13th February 2026

*   \[NEW\] **PublishRepositories Attestation**: Track repository URLs and publication timestamps for artifacts to provide comprehensive provenance
    
*   \[NEW\] **PublishRepositories Policy**: Ensure artifacts are sourced from trusted repositories with automated policy enforcement
    
*   \[NEW\] **API Error Reference**: Standardizes API error responses using RFC 7807 and introduces a detailed reference guide for faster troubleshooting
    
*   \[IMPROVED\] **System Performance**: Improved concurrency and reduced resource overhead during large-scale attestation generation via optimized build event processing
    
*   \[IMPROVED\] **Observability & Monitoring**: Enhanced visibility with unified HTTP client metrics, allowing operators to track success rates and latencies for Develocity and Artifactory connections
    
*   \[IMPROVED\] **External Integration Resilience**: Improved reliability under unstable network conditions with configurable retry policies and per-instance token expiration for Develocity integrations
    
*   \[IMPROVED\] **Internal Architecture**: Enhanced robustness and extensibility for provenance data through a modularized publishing pipeline
    

<a id="1-3-1"></a>

### 1.3.1

2nd January 2026

*   \[IMPROVED\] **Dependency Updates**: Maintains security and performance by updating internal dependencies to their latest versions
    
*   \[NEW\] **Prometheus Metrics**: Simplified monitoring integration by exposing Prometheus metrics on the management port (9090) at `/actuator/prometheus`
    

<a id="1-3-0"></a>

### 1.3.0

12th December 2025

*   \[NEW\] **VerificationSummary Policy**: Evaluate artifacts based on Verification Summary Attestations (VSAs) with a new policy type
    
*   Enforce build gates and scan requirements by verifying that artifacts have passed specific verification processes
    
*   Prevents verifier impersonation with support for signature key binding
    

<a id="1-2-0"></a>

### 1.2.0

8th December 2025

*   \[NEW\] **SLSA Verification Summary Attestations**: Provides cryptographically verifiable evidence of policy compliance with a full implementation of SLSA v1.2 Verification Summary attestations
    
*   \[NEW\] **Policy Loading Improvements**: Improved reliability and error reporting for YAML policy loading with better handling of document separators and edge cases
    
*   \[IMPROVED\] **Artifactory Integration**: Improved traceability and reliability for Artifactory integrations with enhanced retry logic and improved URI generation
    
*   \[IMPROVED\] **API Documentation**: Easier integration with detailed documentation for fetching attestations by ID, including DSSE and in-toto payload formats
    
*   \[IMPROVED\] **Quickstart Guide**: Simplified onboarding with a restructured quickstart guide and new k3d deployment options
    

<a id="1-1-0"></a>

### 1.1.0

21st November 2025

*   \[NEW\] **Deterministic S3 Attestation Storage**: Support centralized and deterministic storage by storing attestations in Amazon S3
    
*   \[NEW\] **S3 Attestation Store Reader**: Retrieve attestations directly from S3 for policy evaluation
    
*   \[NEW\] **Fetch Attestation by ID**: Retrieve specific attestations via a new API endpoint using their unique identifier
    
*   \[NEW\] **AttestationsExist Policy**: Ensure mandatory attestations are present with a new policy type
    

<a id="1-0-1"></a>

### 1.0.1

11th November 2025

*   \[IMPROVED\] **Dependency Updates**: Maintains system stability with dependency updates
    

<a id="1-0-0"></a>

### 1.0.0

17th October 2025

*   Initial release of Develocity Provenance Governor