<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

<a id="component-eol-banner"></a>

You are viewing **Develocity Provenance Governor 1.6**. To view the latest available version of the docs, see [1.7](https://docs.gradle.com/develocity/provenance-governor/1.7/policy-type-java-toolchains/).

# JavaToolchains Policy

<a id="preamble"></a>

The `JavaToolchains` policy enforces constraints on the Java toolchains used during a build. It evaluates against [Java Toolchains attestations](https://docs.gradle.com/develocity/provenance-governor/1.6/attestation-java-toolchains/) (predicate type `[https://gradle.com/attestation/java-toolchains/v1](https://gradle.com/attestation/java-toolchains/v1)`).

<a id="spec-fields"></a>

## Spec Fields

**toolchains** — An array of toolchain constraints. Each entry can specify:

**vendor** — The JDK vendor name (e.g., `oracle`, `BellSoft Liberica`).

**versions** — A list of allowed (or disallowed) JDK versions.

**vendor** — The JDK vendor name (e.g., `oracle`, `BellSoft Liberica`).

**versions** — A list of allowed (or disallowed) JDK versions.

**matchingStrategy** — `must-match` requires that all toolchains match one of the specified entries. `none-match` requires that no toolchain matches any entry.

<a id="examples"></a>

## Examples

A common pattern is to combine two policies: one using `none-match` to disallow a vendor, and another using `must-match` to require a specific approved vendor.

<a id="disallow-oracle-java-toolchains"></a>

### Disallow Oracle Java Toolchains

```yaml
apiVersion: policy.gradle.com/v1
kind: JavaToolchains
metadata:
  name: none-match-oracle-java-toolchain
  labels:
    policy.my-corp.com/gate: build
spec:
  resultsLabels:
    policy.my-corp.com/gate: build
  description: Disallow Oracle Java Toolchains in builds
  remediation: Update Gradle to use BellSoft Java toolchain
  matchingStrategy: none-match
  toolchains:
    - vendor: oracle
```

<a id="require-bellsoft-java-toolchains"></a>

### Require BellSoft Java Toolchains

```yaml
apiVersion: policy.gradle.com/v1
kind: JavaToolchains
metadata:
  name: must-match-bellsoft-java-toolchain
  labels:
    policy.my-corp.com/gate: build
spec:
  resultsLabels:
    policy.my-corp.com/gate: build
  description: Builds must use BellSoft Java toolchains
  remediation: Update build to use BellSoft Java toolchain
  matchingStrategy: must-match
  toolchains:
    - vendor: BellSoft Liberica
      versions:
        - 21.0.8
        - 21.0.7
        - 21.0.6
        - 21.0.5
```