You are viewing **Develocity Provenance Governor 1.6**. To view the latest available version of the docs, see [1.7](https://docs.gradle.com/develocity/provenance-governor/1.7/api-mcp-tools/). # MCP Tools * **Profile** — overview of a package’s release lines, gate topology, and trends * **Dependencies** — per-dependency vulnerability and upgrade compliance for a specific version * **Gate Detail** — forensic detail of a single gate evaluation with attestation proof ## Authentication MCP tools are served over HTTP and use the same authentication as all Develocity Provenance Governor resources: * **OIDC** — HTTP Bearer auth with OIDC access tokens * **Basic** — HTTP Basic auth with configured identities MCP tools do not initiate the OAuth 2.0 client credentials flow or any other token acquisition; callers must obtain and refresh access tokens externally and present them using the mechanisms above. See [Access Control](https://docs.gradle.com/develocity/provenance-governor/1.6/app-config-access-control/) for identity and permission configuration. ## Presigned View URLs Each tool response includes a `viewUrl` field — a presigned URI that deep-links to a graphical rendering of the same data. When [presigned access](https://docs.gradle.com/develocity/provenance-governor/1.6/app-config-presigned-access/) is not configured, the URL is returned unsigned (the path is still valid but requires standard authentication). ## get-purl-profile-discovery Returns release line summaries for a package, enabling an agent to understand the overall supply chain posture before drilling into a specific version range. ### Parameters | Parameter | Type | Description | | --- | --- | --- | | packageUrl | string | A versionless PURL (e.g., pkg:maven/org.springframework/spring-webmvc). | ### Response * `releaseLines` (array) — One entry per release line: * `lineLabel` (string) — Human-friendly label (e.g., `6.x`, `5.3.x`). * `latestVersion` (string) — Highest version in the line (including pre-releases). * `latestRelease` (string, nullable) — Highest non-pre-release version. * `gateStatus` (string, nullable) — `PASS` or `FAIL` based on the latest Policy Scan™ evaluation. * `vulnerabilityCount` (int) — Vulnerability count from the latest evaluation. * `viewUrl` (string, nullable) — Presigned URI to the package dashboard. ## get-purl-profile-focused Returns detailed release history, gate topology, and cross-version trends for a specific version range. ### Parameters | Parameter | Type | Description | | --- | --- | --- | | packageUrl | string | A versionless PURL. | | versionRange | string | A VERS range string (e.g., vers:maven/>= 6.0.0 | < 7.0.0). | ### Response * `publishHistory` (array) — Per-version details within the range: * `version` (string) — Version string. * `timePublished` (string, nullable) — ISO 8601 timestamp. * `gateStatus` (string, nullable) — `PASS` or `FAIL`. * `vulnerabilityCount` (int) — Vulnerability count. * `activePreRelease` (object, nullable) — Latest pre-release evaluation: * `latestPreReleaseVersion` (string) — Highest pre-release version within the range. * `gateStatus` (string, nullable) — `PASS` or `FAIL` for the latest pre-release version. * `gateTopology` (object) — DAG of supply chain gates showing gate names, upstream/downstream relationships, and per-gate verification results: * `gates` (array) — Gate nodes in the DAG: * `id` (string) — Stable identifier for the gate node. * `policyUri` (string) — URI of the policy or check implemented by this gate. * `status` (string) — Evaluation status for this gate (for example, `PASS` or `FAIL`). * `evaluatedAt` (string, nullable) — ISO 8601 timestamp of the last evaluation for this gate. * `edges` (array) — Directed edges indicating gate ordering: * `from` (string) — ID of the upstream gate. * `to` (string) — ID of the downstream gate. * `trends` (object) — Cross-version metrics: * `averageVulnerabilityCountPerRelease` (number). * `gatePassRatePercent` (number) — Percentage of the last 10 versions that passed all gates. * `medianDaysBetweenReleases` (int). * `latestVersion` (string) — Latest version in the range. * `latestDigest` (string) — Most recently attested digest for that version (format: `sha256:`). * `viewUrl` (string, nullable) — Presigned URI to the versioned artifact dashboard. ## get-purl-dependencies Returns per-dependency vulnerability and upgrade SLO compliance data for a specific package version and digest. Dependencies with no vulnerabilities and no upgrade issues are omitted to reduce token cost. ### Parameters | Parameter | Type | Description | | --- | --- | --- | | packageUrl | string | A versionless PURL. | | version | string | Package version. | | digest | string | Digest of the package artifact (format: sha256:). | ### Response * `summary` (object) — Aggregate metrics: * `score`, `vulnerabilityScore`, `upgradeScore` (int) — 0–100 scores. * `achievedTier` (string, nullable) — Tier name (e.g., `Gold`). * `vulnerabilityCountBySeverity` (object) — Counts keyed by `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`. * `licenseDistribution` (object) — License string to count. * `upgradesAvailable` (int) — Count of dependencies with available upgrades. * `dependencies` (array) — Per-dependency entries: * `purl` (string) — Dependency PURL. * `licenses` (array of strings) — Detected licenses. * `versions` (object, nullable) — Current version and available upgrades (patch, minor, major). * `vulnerabilityDeductions` (array) — Lightweight projections: `vulnerabilityId`, `severity`, `recommendedUpgrade`, `daysOverSlo`. * `upgradeDeductions` (array) — Lightweight projections: `strategy`, `recommendedUpgrade`, `daysOverSlo`. * `vulnerabilities` (object) — Deduplicated vulnerability details keyed by ID, with full CVSS severity data. * `note` (string, nullable) — Set when dependency insights data is unavailable. * `viewUrl` (string, nullable) — Presigned URI to the dependency explorer. ## get-purl-gate-detail Returns the forensic detail of a single gate evaluation, including per-policy entries, evaluated policy snapshots, and attestation proof URIs. ### Parameters | Parameter | Type | Description | | --- | --- | --- | | packageUrl | string | A versionless PURL. | | version | string | Package version. | | digest | string | Digest of the package artifact (format: sha256:). | | gate | string | PolicyScanDefinition name (e.g., Build, DeployEksDevelopment). | ### Response * `gate` (string) — Gate name. * `verificationResult` (string) — `PASSED` or `FAILED`. * `timeVerified` (string) — ISO 8601 timestamp of evaluation. * `verifier` (object) — Verifier identity (URI and version map). * `evaluations` (array) — Per-policy evaluation entries: * `policyUri` (string) — URI of the evaluated policy. * `attestationUri` (string, nullable) — URI of the evaluated attestation. * `status` (string) — `satisfied`, `unsatisfied`, or `not-applicable`. * `details` (object) — Evaluator-specific diagnostic data. * `policyKind` (string) — Policy kind (e.g., `AttestationsExist`, `TrustedPublicKeys`). * `policyDescription` (string) — Human-readable policy description. * `upstreamVerification` (object, nullable) — For `VerificationSummary` policies: upstream gate linkage with verifier ID, required result, and policy URI. * `slsaLevels` (array of strings, nullable) — Verified SLSA levels for this gate evaluation. * `evaluatedPolicies` (object) — Map of policy URI to full policy definition snapshot at evaluation time. * `inputAttestations` (array) — Input attestation descriptors (URI and digest). * `attestationProof` (object) — Proof chain: * `pspProof` (array) — Policy Scan Predicate proof entries as `ResourceDescriptor` objects (each containing the PSP resource URI and its SHA-256 digest). * `vsaStoreUri` (string, nullable) — Verification Summary store URI. * `viewUrl` (string, nullable) — Presigned URI to the gate detail view. ## Worked Example: AI Agent Workflow A typical agent session uses the tools in sequence: 1. **Discover release lines** — the agent calls `get-purl-profile-discovery` with `pkg:maven/org.springframework/spring-webmvc`. The response shows three release lines (`6.x`, `5.3.x`, `5.2.x`) with the `6.x` line showing `FAIL` gate status. 2. **Focus on 6.x** — the agent calls `get-purl-profile-focused` with VERS range `vers:maven/>= 6.0.0 | < 7.0.0`. The response shows that version `6.2.9` is the latest, its `DeployEksDevelopment` gate is failing, and the gate topology reveals an upstream `Build` gate dependency. 3. **Inspect dependencies** — the agent calls `get-purl-dependencies` with the version and digest from the focused response. The response reveals 3 vulnerability deductions and identifies `snakeyaml` as carrying a CRITICAL CVE that is 45 days over SLO. 4. **Investigate the failing gate** — the agent calls `get-purl-gate-detail` with `gate` set to `DeployEksDevelopment`. The response shows that the gate failed because the upstream `Build` gate has `verificationResult: FAILED`. The agent directs the developer to investigate the Build gate.