---
component: provenance-governor
version: "1.7"
slug: provenance-governor/policy-type-java-toolchains
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/policy-type-java-toolchains/"
title: "JavaToolchains Policy"
description: "Reference for the JavaToolchains policy type."
keywords:
  - "attestation"
  - "supply chain"
  - "configuration"
status: current
---

<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

# JavaToolchains Policy

<a id="preamble"></a>

The `JavaToolchains` policy enforces constraints on the Java toolchains used during a build. It evaluates against [Java Toolchains attestations](https://docs.gradle.com/develocity/provenance-governor/1.7/attestation-java-toolchains/) (predicate type `[https://gradle.com/attestation/java-toolchains/v1](https://gradle.com/attestation/java-toolchains/v1)`).

<a id="spec-fields"></a>

## Spec Fields

**toolchains** — An array of toolchain constraints. Each entry can specify:

**vendor** — The JDK vendor name (e.g., `oracle`, `BellSoft Liberica`).

**versions** — A list of allowed (or disallowed) JDK versions.

**vendor** — The JDK vendor name (e.g., `oracle`, `BellSoft Liberica`).

**versions** — A list of allowed (or disallowed) JDK versions.

**matchingStrategy** — `must-match` requires that all toolchains match one of the specified entries. `none-match` requires that no toolchain matches any entry.

<a id="examples"></a>

## Examples

A common pattern is to combine two policies: one using `none-match` to disallow a vendor, and another using `must-match` to require a specific approved vendor.

<a id="disallow-oracle-java-toolchains"></a>

### Disallow Oracle Java Toolchains

```yaml
apiVersion: policy.gradle.com/v1
kind: JavaToolchains
metadata:
  name: none-match-oracle-java-toolchain
  labels:
    policy.my-corp.com/gate: build
spec:
  resultsLabels:
    policy.my-corp.com/gate: build
  description: Disallow Oracle Java Toolchains in builds
  remediation: Update Gradle to use BellSoft Java toolchain
  matchingStrategy: none-match
  toolchains:
    - vendor: oracle
```

<a id="require-bellsoft-java-toolchains"></a>

### Require BellSoft Java Toolchains

```yaml
apiVersion: policy.gradle.com/v1
kind: JavaToolchains
metadata:
  name: must-match-bellsoft-java-toolchain
  labels:
    policy.my-corp.com/gate: build
spec:
  resultsLabels:
    policy.my-corp.com/gate: build
  description: Builds must use BellSoft Java toolchains
  remediation: Update build to use BellSoft Java toolchain
  matchingStrategy: must-match
  toolchains:
    - vendor: BellSoft Liberica
      versions:
        - 21.0.8
        - 21.0.7
        - 21.0.6
        - 21.0.5
```