---
component: provenance-governor
version: "1.7"
slug: provenance-governor/release-history
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.7/release-history/"
title: "Release History"
description: "Release history for Develocity Provenance Governor."
keywords: []
status: current
---

# Release History

<a id="current"></a>

## Current

<a id="1-7-1"></a>

### 1.7.1

28th April 2026

*   \[IMPROVED\] **Verifier URIs behind reverse proxies**: Verification Summary Attestations now record the publicly visible Develocity Provenance Governor URL as the verifier when the service runs behind a reverse proxy or tunnel. The Docker deployment guide documents the required forwarded-headers configuration
    
*   \[FIX\] **MCP supply chain inspection on native images**: The `inspect-package-supply-chain` MCP tool now works reliably in native-image deployments
    

<a id="previous-versions"></a>

## Previous Versions

<a id="1-7-0"></a>

### 1.7.0

17th April 2026

*   \[NEW\] **Consolidated MCP Tool**: Inspect any package’s supply chain posture with a single `inspect-package-supply-chain` tool that replaces four separate tools, using progressive disclosure via the `include` parameter to control depth and token budget
    
*   \[NEW\] **MCP Narrative Responses**: MCP tool responses return narrative text with HATEOAS hints instead of JSON, enabling agents to reason about supply chain data directly and discover next actions without memorizing the tool surface
    
*   \[NEW\] **MCP OAuth 2.0 Bearer Token Authentication**: Authenticate MCP clients with both JWT and opaque access tokens through automatic token format detection and OIDC UserInfo-based introspection, supporting providers like Google Cloud Identity without additional configuration
    

<a id="1-6-0"></a>

### 1.6.0

31st March 2026

*   \[NEW\] **Policy Scan Predicate Attestation**: Publishes a detailed evaluation record alongside the Verification Summary, capturing per-policy results and evaluated policy snapshots for diagnostics and audit
    
*   \[NEW\] **Dependency Scoring Policy**: Scores dependency health using a 2-category SLO compliance model (vulnerability remediation and upgrade hygiene) with configurable baselines and achievement tiers
    
*   \[NEW\] **MCP Tools for AI Agents**: Introduces `get-purl-profile`, `get-purl-dependencies`, and `get-purl-gate-detail` tools enabling AI agents to query supply chain provenance without parsing raw attestation JSON
    
*   \[NEW\] **Presigned URL Authentication**: Supports HMAC-SHA256 presigned URLs for time-limited, credential-free access to package attestation data — ideal for CI/CD pipelines and artifact proxies
    
*   \[IMPROVED\] **External API Resilience**: Adds configurable retry with exponential backoff, concurrency limits, and graceful degradation for OSV and OSI API communication
    
*   \[IMPROVED\] **Case-Insensitive Policy Scan Matching**: Normalizes policy scan names to lowercase for consistent matching across verifiers
    
*   \[NEW\] Dashboard: Explore package provenance, policy gate results, and vulnerability details through a new server-rendered dashboard with release line filtering
    
*   \[NEW\] MCP Tools: Investigate package provenance interactively with three new PURL-focused MCP tools for profile discovery, dependency retrieval, and gate activity detail
    
*   \[NEW\] PURL Package Endpoint: Access package-level insights through a new HTML and JSON API resource endpoint
    
*   \[NEW\] Dependency Scoring Policy: Enforce minimum quality thresholds for dependencies with per-category scores and configurable weights
    
*   \[NEW\] Policy-Scan Packages Index: Query gate activity by package efficiently with a new package-first reverse index
    
*   \[NEW\] PolicyScanPredicate Attestation: Record policy evaluation results as a dedicated attestation type for downstream verification
    
*   \[NEW\] DependencyInsights Presigned URL: Retrieve DependencyInsights attestations securely through time-limited presigned URLs
    
*   \[NEW\] Attestation Flow Detection: Determine the flow-establishing policy scan automatically from Verification Summary attestations
    
*   \[NEW\] VERS Range Parsing: Interpret version ranges and infer release lines for precise dependency resolution
    
*   \[NEW\] External API Resilience: Improve reliability of OSV and OSI integrations with configurable retry and concurrency controls
    
*   \[FIX\] Attestation Retrieval: Return a proper 404 response instead of 500 when a requested attestation is not found in S3
    
*   \[NEW\] Documentation: Expand reference documentation with DependencyScoring policy configuration and resilient API properties
    

<a id="1-5-0"></a>

### 1.5.0

19th February 2026

*   \[NEW\] Dependency Insights Attestation: Prioritize risk profiles for dependencies by aggregating security vulnerabilities with CVSS severity scores and license data
    
    *   Enable downstream policy engines to calculate exact base, temporal, or environmental scores by passing the full vector string and type for vulnerabilities
    
*   \[NEW\] Dynamic Attestation Insights: Automatically enrich Policy Scan™ evaluations with live vulnerability and hygiene data resolved on-the-fly from static attestations
    
    *   Ensure full traceability by automatically persisting insights to the source store and including them in the final Verification Summary
    
*   \[NEW\] Service Architecture: Retrieve dependency metadata efficiently through a new non-blocking "Two-Wave" parallel pipeline
    

<a id="1-4-0"></a>

### 1.4.0

13th February 2026

*   \[NEW\] PublishRepositories Attestation: Track repository URLs and publication timestamps for artifacts to provide comprehensive provenance
    
*   \[NEW\] PublishRepositories Policy: Ensure artifacts are sourced from trusted repositories with automated policy enforcement
    
*   \[NEW\] API Error Reference: Standardize API error responses using RFC 7807 and provide a detailed reference guide for faster troubleshooting
    
*   \[NEW\] System Performance: Scale attestation generation with improved concurrency and reduced resource overhead via optimized build event processing
    
*   \[NEW\] Observability & Monitoring: Enhance visibility with unified HTTP client metrics to track success rates and latencies for Develocity and Artifactory connections
    
*   \[NEW\] External Integration Resilience: Improve reliability under unstable network conditions with configurable retry policies and per-instance token expiration for Develocity integrations
    
*   \[NEW\] Internal Architecture: Enhance robustness and extensibility for provenance data through a modularized publishing pipeline
    

<a id="1-3-1"></a>

### 1.3.1

2nd January 2026

*   \[NEW\] Dependency Updates: Maintain security and performance by updating internal dependencies to their latest versions
    
*   \[NEW\] Prometheus Metrics: Simplify monitoring integration by exposing Prometheus metrics on the management port (9090) at `/actuator/prometheus`
    

<a id="1-3-0"></a>

### 1.3.0

12th December 2025

*   \[NEW\] VerificationSummary Policy: Evaluate artifacts based on Verification Summary Attestations (VSAs) with a new policy type
    
    *   Enforce build gates and scan requirements by verifying that artifacts have passed specific verification processes
    
    *   Prevent verifier impersonation with support for signature key binding
    

<a id="1-2-0"></a>

### 1.2.0

8th December 2025

*   \[NEW\] SLSA Verification Summary Attestations: Provide cryptographically verifiable evidence of policy compliance with a full implementation of SLSA v1.2 Verification Summary attestations
    
*   \[NEW\] Policy Loading Improvements: Improve reliability and error reporting for YAML policy loading with better handling of document separators and edge cases
    
*   \[NEW\] Artifactory Integration: Improve traceability and reliability for Artifactory integrations with enhanced retry logic and improved URI generation
    
*   \[NEW\] API Documentation: Simplify integration with detailed documentation for fetching attestations by ID, including DSSE and in-toto payload formats
    
*   \[NEW\] Quick Start Guide: Onboard quickly with a restructured guide and new k3d deployment options
    

<a id="1-1-0"></a>

### 1.1.0

21st November 2025

*   \[NEW\] Deterministic S3 Attestation Storage: Support centralized and deterministic storage by storing attestations in Amazon S3
    
*   \[NEW\] S3 Attestation Store Reader: Retrieve attestations directly from S3 for policy evaluation
    
*   \[NEW\] Fetch Attestation by ID: Retrieve specific attestations via a new API endpoint using their unique identifier
    
*   \[NEW\] AttestationsExist Policy: Ensure mandatory attestations are present with a new policy type
    

<a id="1-0-1"></a>

### 1.0.1

11th November 2025

*   \[NEW\] Dependency Updates: Maintain system stability with core dependency updates
    

<a id="1-0-0"></a>

### 1.0.0

17th October 2025

*   Initial release of Develocity Provenance Governor