---
component: provenance-governor
version: "1.7"
slug: provenance-governor/attestation-policy-scan-predicate
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/attestation-policy-scan-predicate/"
title: "Policy Scan Predicate"
description: "Reference for the Policy Scan Predicate attestation published by Develocity Provenance Governor."
keywords:
  - "attestation"
  - "API"
status: current
---

<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

# Policy Scan Predicate

<a id="preamble"></a>

<a id="policy-scan-predicate"></a>

Predicate Type URI: `https://gradle.com/attestation/policyscan/v1`

After every Policy Scan™ evaluation, Develocity Provenance Governor publishes a **Policy Scan Predicate** attestation that records per-policy evaluation results and a snapshot of every evaluated policy definition. The predicate is published before the [Verification Summary](https://docs.gradle.com/develocity/provenance-governor/1.7/attestation-verification-summary/) and included in the VSA’s `inputAttestations`, making it immediately discoverable without fetching attestation content.

Fields:

*   `sourcedFromUri` (string) — URI identifying the Develocity Provenance Governor instance and Policy Scan definition that produced this predicate (e.g., `https://provenance-governor.example.com/policies/PolicyScanDefinition/prod-release`).
    
*   `entries` (array of objects) — Per-evaluation results. Each entry contains:
    
    *   `policyUri` (string) — URI of the policy that was evaluated (e.g., `/policies/TrustedPublicKeys/trusted-public-keys`).
        
    *   `attestationUri` (string, nullable) — URI of the attestation the policy was evaluated against. `null` for deferred or stateful evaluators where the verdict is aggregated across multiple attestations.
        
    *   `status` (string) — Evaluation outcome: `"satisfied"` or `"unsatisfied"`. Results with status `not-applicable` are excluded.
        
    *   `details` (object) — Evaluator-supplied diagnostic data (e.g., the public key that was missing, the CVSS threshold that was exceeded).
        
    
*   `evaluatedPolicies` (object) — Map of policy URI to the full policy object as it existed at evaluation time. Includes both the `PolicyScanDefinition` that orchestrated the scan and the leaf policies it selected. Provides a durable, self-contained audit record since policy definitions may change over time.
    

`entries` and `evaluatedPolicies` are omitted from the JSON when empty.

<a id="policy-scan-predicate-example"></a>

## Example

The following example shows a `prod-release` gate that evaluates two leaf policies:

*   **TrustedPublicKeys** — evaluated per-attestation. One attestation had an untrusted key (unsatisfied), another passed (satisfied, deferred verdict, no `attestationUri`).
    
*   **VerificationSummary** (`upstream-gate`) — a deferred evaluator requiring the artifact to have a `PASSED` VSA from an upstream verifier. No individual `attestationUri` because the verdict is aggregated across all VSAs seen during the scan.
    

```json
{
  "sourcedFromUri": "https://provenance-governor.example.com/policies/PolicyScanDefinition/prod-release",
  "entries": [
    {
      "policyUri": "/policies/TrustedPublicKeys/trusted-public-keys",
      "attestationUri": "https://provenance-governor.example.com/attestations/uuid-1",
      "status": "unsatisfied",
      "details": { "reason": "Public key 'ABC' is not in the trusted set" }
    },
    {
      "policyUri": "/policies/TrustedPublicKeys/trusted-public-keys",
      "attestationUri": null,
      "status": "satisfied",
      "details": {}
    },
    {
      "policyUri": "/policies/VerificationSummary/upstream-gate",
      "attestationUri": null,
      "status": "satisfied",
      "details": {
        "reason": "Found 1 matching verification summaries",
        "matchingCount": 1,
        "satisfiedRequirements": 1,
        "totalRequirements": 1
      }
    }
  ],
  "evaluatedPolicies": {
    "/policies/PolicyScanDefinition/prod-release": {
      "apiVersion": "policy.gradle.com/v1",
      "kind": "PolicyScanDefinition",
      "metadata": { "name": "prod-release", "labels": {}, "annotations": {} },
      "spec": {
        "description": "Production release gate",
        "policySelector": { "matchLabels": { "env": "prod" } }
      }
    },
    "/policies/TrustedPublicKeys/trusted-public-keys": {
      "apiVersion": "policy.gradle.com/v1",
      "kind": "TrustedPublicKeys",
      "metadata": { "name": "trusted-public-keys", "labels": {}, "annotations": {} },
      "spec": {
        "resultsLabels": {},
        "description": "Artifact must be signed by a trusted key",
        "remediation": "Sign with a trusted key",
        "ignoreSigningFailures": false,
        "keys": {}
      }
    },
    "/policies/VerificationSummary/upstream-gate": {
      "apiVersion": "policy.gradle.com/v1",
      "kind": "VerificationSummary",
      "metadata": { "name": "upstream-gate", "labels": {}, "annotations": {} },
      "spec": {
        "resultsLabels": {},
        "description": "Upstream build gate must have passed",
        "remediation": "Ensure the upstream build gate has passed before running this gate",
        "matchingStrategy": "must-match",
        "summaryRequirements": [
          {
            "verifierId": "https://build.example.com",
            "verificationResult": "PASSED",
            "policyUri": "/policies/PolicyScanDefinition/build-gate",
            "signatureKeyIds": []
          }
        ]
      }
    }
  }
}
```
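A consumer-side sketch of reading this predicate, added here as an example and not part of Develocity Provenance Governor: it lists every unsatisfied entry and joins it to the policy snapshot in `evaluatedPolicies` to pull the `remediation` text. The function name, the output shape and the `snapshotMissing` flag are assumptions of this example; the sample is a constructed, trimmed copy of the JSON above.

```python
import json

# Constructed sample: a trimmed copy of the predicate shown above.
SAMPLE_PREDICATE = json.loads("""
{
  "sourcedFromUri": "https://provenance-governor.example.com/policies/PolicyScanDefinition/prod-release",
  "entries": [
    {"policyUri": "/policies/TrustedPublicKeys/trusted-public-keys",
     "attestationUri": "https://provenance-governor.example.com/attestations/uuid-1",
     "status": "unsatisfied",
     "details": {"reason": "Public key 'ABC' is not in the trusted set"}},
    {"policyUri": "/policies/TrustedPublicKeys/trusted-public-keys",
     "attestationUri": null, "status": "satisfied", "details": {}},
    {"policyUri": "/policies/VerificationSummary/upstream-gate",
     "attestationUri": null, "status": "satisfied", "details": {"matchingCount": 1}}
  ],
  "evaluatedPolicies": {
    "/policies/TrustedPublicKeys/trusted-public-keys":
      {"kind": "TrustedPublicKeys", "spec": {"remediation": "Sign with a trusted key"}}
  }
}
""")

def unsatisfied_findings(predicate):
    """Return one finding per unsatisfied entry, joined to its policy snapshot."""
    # Both keys are omitted from the JSON when empty, so default them.
    entries = predicate.get("entries", [])
    snapshots = predicate.get("evaluatedPolicies", {})
    findings = []
    for entry in entries:
        status = entry.get("status")
        # Only these two values are documented; anything else is rejected.
        if status not in ("satisfied", "unsatisfied"):
            raise ValueError(f"unexpected status {status!r}")
        if status == "satisfied":
            continue
        snapshot = snapshots.get(entry["policyUri"])
        findings.append({
            "policyUri": entry["policyUri"],
            # None means an aggregated (deferred or stateful) verdict.
            "attestationUri": entry.get("attestationUri"),
            "reason": entry.get("details", {}).get("reason"),
            "remediation": (snapshot or {}).get("spec", {}).get("remediation"),
            # An entry without a snapshot cannot be audited later; flag it.
            "snapshotMissing": snapshot is None,
        })
    return findings
```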

<a id="navigating-from-vsa"></a>

## Navigating from the VSA

The [Verification Summary](https://docs.gradle.com/develocity/provenance-governor/1.7/attestation-verification-summary/) links to this predicate via its `inputAttestations` array. Each entry contains the predicate’s store URI and a SHA-256 digest of the envelope payload, forming a tamper-evident chain between the verdict and the supporting evidence.

```json
{
  "inputAttestations": [
    {
      "uri": "s3://bucket/evaluation-log/uuid-for-predicate",
      "digest": { "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" }
    }
  ]
}
```
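One way to follow that link on the consumer side, as an added example that is not the product's own code. It assumes the stored object is a DSSE envelope with a base64 `payload` holding an in-toto statement, and that the digest covers the decoded payload bytes; `fetch_envelope`, `make_envelope` and the sample data are hypothetical and constructed for this example.

```python
import base64
import hashlib
import hmac
import json

POLICY_SCAN_TYPE = "https://gradle.com/attestation/policyscan/v1"

def find_policy_scan_predicates(vsa_predicate, fetch_envelope):
    """Return (uri, predicate) for each digest-verified Policy Scan input.

    fetch_envelope(uri) -> bytes is a caller-supplied (hypothetical) loader.
    """
    results = []
    for ref in vsa_predicate.get("inputAttestations", []):
        expected = ref.get("digest", {}).get("sha256")
        if not expected:
            raise ValueError(f"{ref.get('uri')}: no sha256 digest to check")
        envelope = json.loads(fetch_envelope(ref["uri"]))
        # Assumption: the digest covers the base64-decoded payload bytes.
        payload = base64.b64decode(envelope["payload"], validate=True)
        actual = hashlib.sha256(payload).hexdigest()
        if not hmac.compare_digest(actual, expected.lower()):
            raise ValueError(f"{ref['uri']}: payload digest mismatch")
        # Parse the payload only after the digest has matched.
        statement = json.loads(payload)
        if statement.get("predicateType") == POLICY_SCAN_TYPE:
            results.append((ref["uri"], statement["predicate"]))
    return results

def make_envelope(statement):
    """Build a constructed, unsigned envelope and its payload digest."""
    payload = json.dumps(statement).encode()
    env = {"payloadType": "application/vnd.in-toto+json",
           "payload": base64.b64encode(payload).decode(), "signatures": []}
    return json.dumps(env).encode(), hashlib.sha256(payload).hexdigest()

# Constructed sample data standing in for the attestation store and the VSA.
SAMPLE_URI = "s3://bucket/evaluation-log/uuid-for-predicate"
SAMPLE_ENVELOPE, SAMPLE_DIGEST = make_envelope({
    "predicateType": POLICY_SCAN_TYPE,
    "predicate": {"sourcedFromUri": "https://provenance-governor.example.com"
                                    "/policies/PolicyScanDefinition/prod-release"},
})
SAMPLE_VSA = {"inputAttestations": [
    {"uri": SAMPLE_URI, "digest": {"sha256": SAMPLE_DIGEST}}]}
```

The digest match only ties the predicate to the VSA, so the VSA's own signature still has to be verified for the chain to carry weight. The `sha256` value in the JSON above is the SHA-256 of empty input, so read it as a placeholder.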