---
component: provenance-governor
version: "1.7"
slug: provenance-governor/attestations
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/attestations/"
title: "Attestations"
description: "Detailed reference for attestations published by Develocity Provenance Governor."
keywords:
  - "attestation"
  - "supply chain"
  - "API"
status: current
---

<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

# Attestations

<a id="attestation-reference"></a>

Attestations are signed, tamper-evident statements about how a software package was built. They capture details such as which build tool and version produced the artifact, which Java toolchain was used, what dependencies were resolved, and from which repositories those dependencies were fetched.

Develocity Provenance Governor generates attestations automatically from the build data already collected by Develocity. When you publish attestations for a package, the system retrieves the relevant Build Scan data, assembles the attestation predicates, optionally signs them with your configured key pair, and stores the results in your attestation backend (JFrog Artifactory or Amazon S3).

All attestations follow the [in-toto attestation](https://github.com/in-toto/attestation) specification, an industry-standard format for supply chain metadata that is interoperable with tools such as [JFrog Evidence](https://jfrog.com/evidence/).

See [Publishing Attestations](https://docs.gradle.com/develocity/provenance-governor/1.7/publishing-attestations/) for the required inputs, API usage, and GitHub Action examples.

The following predicate types are published when the source Build Scan contains the relevant data:

  
| Attestation | Predicate Type | Description |
| --- | --- | --- |
| Build Tool | https://gradle.com/attestation/build-tool/v1 | Attests to the build tool used to create the package, including version. |
| Java Toolchains | https://gradle.com/attestation/java-toolchains/v1 | Attests to the Java toolchains used during the build. |
| Resolved Dependencies Repositories | https://gradle.com/attestation/resolved-dependencies-repositories/v1 | Attests to repository sources for resolved dependencies. |
| Resolved Dependencies | https://gradle.com/attestation/resolved-dependencies/v1 | Attests to dependencies resolved during the build. |
| Publish Repositories | https://gradle.com/attestation/publish-repositories/v1 | Attests to the repositories where the package was published. |
| Verification Summary | https://slsa.dev/verification_summary/v1 | Records that an artifact has been verified against a set of policies. |
| Policy Scan Predicate | https://gradle.com/attestation/policyscan/v1 | Records per-policy evaluation results and evaluated policy snapshots from a Policy Scan. |
| Dependency Insights | https://policies.gradle.com/dependency-insights/v1 | Provides enriched dependency analysis data. |

Each sub-page describes the predicate payload (the JSON object found in the `predicate` field of an in-toto Statement whose `predicateType` matches the given URI). The examples show only the predicate object (not the full in-toto Statement wrapper) for brevity.
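The following added example (not Develocity Provenance Governor code) shows how a consumer might pull the predicate object out of an in-toto Statement only when its `predicateType` matches one of the URIs above and the Statement names the artifact being checked. The function name `extract_predicate`, the sample artifact, and the placeholder predicate field are assumptions. Signature verification is assumed to have happened before this step.

```python
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"  # in-toto Statement v1 marker

# Predicate type URIs copied from the table on this page.
PREDICATE_TYPES = {
    "https://gradle.com/attestation/build-tool/v1",
    "https://gradle.com/attestation/java-toolchains/v1",
    "https://gradle.com/attestation/resolved-dependencies-repositories/v1",
    "https://gradle.com/attestation/resolved-dependencies/v1",
    "https://gradle.com/attestation/publish-repositories/v1",
    "https://slsa.dev/verification_summary/v1",
    "https://gradle.com/attestation/policyscan/v1",
    "https://policies.gradle.com/dependency-insights/v1",
}

def extract_predicate(statement_json, artifact_bytes, wanted_type):
    """Return the predicate if the Statement has wanted_type and lists
    artifact_bytes (by SHA-256) as a subject; raise ValueError otherwise."""
    if wanted_type not in PREDICATE_TYPES:
        raise ValueError(f"unknown predicate type: {wanted_type}")
    stmt = json.loads(statement_json)
    if not isinstance(stmt, dict) or stmt.get("_type") != STATEMENT_TYPE:
        raise ValueError("not an in-toto v1 Statement")
    # Exact match: predicateType is an identifier, not a URL to normalize.
    if stmt.get("predicateType") != wanted_type:
        raise ValueError("predicateType mismatch")
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = stmt.get("subject") if isinstance(stmt.get("subject"), list) else []
    if not any(
        isinstance(s, dict) and isinstance(s.get("digest"), dict)
        and str(s["digest"].get("sha256", "")).lower() == digest
        for s in subjects
    ):
        raise ValueError("artifact is not a subject of this Statement")
    predicate = stmt.get("predicate")
    if not isinstance(predicate, dict):
        raise ValueError("predicate is missing or not a JSON object")
    return predicate

# Constructed sample: artifact bytes and predicate fields are placeholders.
SAMPLE_ARTIFACT = b"constructed sample artifact"
SAMPLE_STATEMENT = json.dumps({
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "sample.jar",
                 "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
    "predicateType": "https://gradle.com/attestation/build-tool/v1",
    "predicate": {"placeholder": "see the Build Tool sub-page for real fields"},
})
```

Binding the Statement's subject digest to the bytes you actually hold prevents a valid attestation for one artifact from being accepted as evidence about another.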