Develocity Provenance Governor

Develocity Provenance Governor automates software supply chain governance by collecting, verifying, and enforcing attestation policies, ensuring only trusted and compliant artifacts are promoted and consumed across environments.

How It Works

Develocity Provenance Governor uses build data from Develocity to collect, verify, and evaluate provenance data and attestations. The product offers detailed provenance attestations, declarative domain-aware policies, and automated evaluation, so teams can:

  • Enforce organizational and regulatory requirements for software provenance

  • Prevent the use of untrusted or non-compliant artifacts

  • Gain visibility into the origin and integrity of software components

  • Streamline compliance reporting and incident response

Key Concepts

  • Attestations are signed statements about the origin (or provenance) of a software package, including details about its build process, dependencies, and other metadata. Attestations verify the integrity and authenticity of software packages.

  • Policies define rules and conditions that software packages must adhere to. You can use policies to prevent non-compliant or untrusted packages from being released, deployed, or used.

  • Policy Scan™ evaluations check packages against defined policies and report on the package’s level of compliance.

Components

Architecture diagram showing Develocity Provenance Governor and its connections to the Develocity server
Develocity Provenance Governor Components

Flow

  1. A build runs on a Continuous Integration (CI) system and:

    1. Produces a software package (for example, a JAR file).

    2. Publishes a Build Scan to Develocity (a Build Scan captures detailed information about the build process).

    3. Uploads the software package to a package repository (for example, JFrog Artifactory).

    4. Calls Develocity Provenance Governor to generate and publish attestations for the software package.

  2. Develocity Provenance Governor generates attestations based on Build Scan data from Develocity that was collected while building the software package.

    1. After an attestation is generated, Develocity Provenance Governor signs the attestation using a private key.

    2. Develocity Provenance Governor publishes the signed attestation to an attestation store. Develocity Provenance Governor supports publishing attestations to Amazon S3 and JFrog Artifactory.

  3. A later CI or Continuous Deployment (CD) job calls Develocity Provenance Governor to perform a Policy Scan on the software package.

    1. Develocity Provenance Governor performs a Policy Scan to evaluate policies against the software package to determine if it’s compliant with organization rules and requirements. Develocity Provenance Governor uses the previously published attestations to evaluate policies.

    2. Develocity Provenance Governor returns the Policy Scan result to the calling job.

    3. Based on the results of the Policy Scan, the job can decide to proceed or fail.

When using JFrog Artifactory as the attestation store, published attestations can also be used with JFrog Evidence features.
Quickstart
Get Provenance Governor running locally using Kubernetes or Docker
Setup
Deploy and configure Provenance Governor in your environment
Policies
Define and enforce compliance rules for your software artifacts
Attestations
Generate, sign, and publish provenance attestations for your packages
CI/CD Integration
Integrate policy enforcement into your CI and CD pipelines
API Reference
REST API, MCP tools, error handling, and monitoring reference