---
component: provenance-governor
version: "1.7"
slug: provenance-governor/attestation-verification-summary
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/attestation-verification-summary/"
title: "Verification Summary Predicate"
description: "Reference for the Verification Summary attestation predicate."
keywords:
  - "attestation"
  - "supply chain"
  - "API"
status: current
---

<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

# Verification Summary Predicate

<a id="verification-summary-predicate"></a>

Predicate Type URI: `[https://slsa.dev/verification_summary/v1](https://slsa.dev/verification_summary/v1)`

A [SLSA Verification Summary Attestation (VSA)](https://slsa.dev/spec/v1.2/verification_summary) that certifies the artifact was verified against a Develocity Provenance Governor Policy Scan™.

Fields:

*   `verifier` (object) - Identifies the entity performing the verification (Develocity Provenance Governor).
    
*   `timeVerified` (string) - Timestamp of verification (ISO 8601).
    
*   `resourceUri` (string) - URI of the artifact being verified (Package URL).
    
*   `policy` (object) - The policy used for verification.
    
    *   `uri` (string) - URI of the Policy Scan Definition.
        
    *   `digest` (object) - SHA-256 digest of the policy content.
        
    
*   `inputAttestations` (array of objects) - Attestations used as input for verification. Includes the [Policy Scan Predicate](https://docs.gradle.com/develocity/provenance-governor/1.7/attestation-policy-scan-predicate/) when evaluation results are recorded.
    
*   `verificationResult` (string) - Result of the verification (`PASSED` or `FAILED`).
    

```json
{
  "verifier": {
    "id": "https://provenance-governor.example.com/packages/oci/acme-app/1.0.0/policy-scans/build-gate",
    "version": {
      "develocity-provenance-governor": "1.2.0"
    }
  },
  "timeVerified": "2023-10-01T12:00:00Z",
  "resourceUri": "pkg:maven/com.example/test-lib@1.0.0?checksum=sha256:725a3f94ec1af8830d0f708e7941c233d3cb981a6e943ca9aee5899cceb48383&repository_url=repo.example.com/libs-release",
  "policy": {
    "uri": "/policies/PolicyScanDefinition/build-gate",
    "digest": {
      "sha256": "725a3f94ec1af8830d0f708e7941c233d3cb981a6e943ca9aee5899cceb48383"
    }
  },
  "inputAttestations": [
    {
      "uri": "/packages/oci/acme-app/1.0.0/sha256:1f38c1af0cc5c48fc1d60cb3eb42837ec57ede8385db3018582f7c118cbff5a5/attestations/s3:local-s3/338ec7b1-4a61-5960-8983-b8eef80d9b2b",
      "digest": {
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
      }
    }
  ],
  "verificationResult": "PASSED"
}
```

For OCI packages, the `resourceUri` uses the digest as the PURL version and the image tag as a qualifier, following the [OCI PURL specification](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#oci):

```json
{
  "resourceUri": "pkg:oci/acme-app@sha256:1f38c1af0cc5c48fc1d60cb3eb42837ec57ede8385db3018582f7c118cbff5a5?repository_url=registry.example.com/acme-team&tag=1.0.0"
}
```