---
component: provenance-governor
version: "1.9"
slug: provenance-governor/index
canonical_url: "https://docs.gradle.com/develocity/provenance-governor/1.9/"
title: "Develocity Provenance Governor"
description: "Develocity Provenance Governor collects and verifies attestations, evaluates them against declarative policies, and enforces compliance across environments."
keywords:
  - "attestation"
  - "supply chain"
  - "Kubernetes"
  - "Helm chart"
status: current
---

<!-- llms-index: https://docs.gradle.com/develocity/llms.txt -->

# Develocity Provenance Governor

<a id="preamble"></a>

<a id="overview"></a>

Develocity Provenance Governor automates software supply chain governance by collecting, verifying, and enforcing attestation policies, ensuring only trusted and compliant artifacts are promoted and consumed across environments.

<a id="how-it-works"></a>

## How It Works

Develocity Provenance Governor uses build data from Develocity to collect, verify, and evaluate provenance data and attestations. The product offers detailed provenance attestations, declarative domain-aware policies, and automated evaluation, so teams can:

*   Enforce organizational and regulatory requirements for software provenance
*   Prevent the use of untrusted or non-compliant artifacts
*   Gain visibility into the origin and integrity of software components
*   Streamline compliance reporting and incident response

<a id="key-concepts"></a>

## Key Concepts

*   **Attestations** are signed statements about the origin (or provenance) of a software package, including details about its build process, dependencies, and other metadata. Because they are signed, attestations let consumers verify the integrity and authenticity of software packages.
*   **Policies** define rules and conditions that software packages must adhere to. You can use policies to prevent non-compliant or untrusted packages from being released, deployed, or used.
*   **Policy Scan™** evaluations check packages against defined policies and report on the package’s level of compliance.

<a id="components"></a>

## Components

![Architecture diagram showing Develocity Provenance Governor and its connections to the Develocity server](https://docs.gradle.com/develocity/provenance-governor/1.9/_images/components-diagram.svg)

Develocity Provenance Governor Components

<a id="flow"></a>

## Flow

1.  A build runs on a Continuous Integration (CI) system and:
    1.  Produces a software package (for example, a JAR file).
    2.  Publishes a Build Scan to Develocity (a Build Scan captures detailed information about the build process).
    3.  Uploads the software package to a package repository (for example, [JFrog Artifactory](https://jfrog.com/artifactory/)).
    4.  Calls Develocity Provenance Governor to generate and publish attestations for the software package.
2.  Develocity Provenance Governor generates attestations based on the Build Scan data that Develocity collected while the software package was built.
    1.  After an attestation is generated, Develocity Provenance Governor signs the attestation using a private key.
    2.  Develocity Provenance Governor publishes the signed attestation to an attestation store. Develocity Provenance Governor supports publishing attestations to [Amazon S3](https://aws.amazon.com/s3/) and [JFrog Artifactory](https://jfrog.com/artifactory/).
3.  A later CI or Continuous Deployment (CD) job calls Develocity Provenance Governor to perform a Policy Scan on the software package.
    1.  Develocity Provenance Governor performs a Policy Scan, evaluating policies against the software package to determine whether it complies with organizational rules and requirements. The evaluation uses the previously published attestations for the package.
    2.  Develocity Provenance Governor returns the Policy Scan result to the calling job.
    3.  Based on the result of the Policy Scan, the job can decide to proceed or fail.

> [!NOTE]
> When using JFrog Artifactory as the attestation store, published attestations can also be used with JFrog Evidence features.

## Quickstart

Get Provenance Governor running locally using Kubernetes or Docker.

*   [Quickstart (Kubernetes)](https://docs.gradle.com/develocity/provenance-governor/1.9/quickstart/)
*   [Quickstart (Docker)](https://docs.gradle.com/develocity/provenance-governor/1.9/quickstart-docker/)

## Setup

Deploy and configure Provenance Governor in your environment.

*   [Prerequisites](https://docs.gradle.com/develocity/provenance-governor/1.9/setup-prerequisites/)
*   [Deployment (Kubernetes)](https://docs.gradle.com/develocity/provenance-governor/1.9/setup-deploy/)
*   [Deployment (Docker)](https://docs.gradle.com/develocity/provenance-governor/1.9/setup-deploy-docker/)
*   [Application Configuration](https://docs.gradle.com/develocity/provenance-governor/1.9/app-config-overview/)

## Policies

Define and enforce compliance rules for your software artifacts.

*   [Writing Policies](https://docs.gradle.com/develocity/provenance-governor/1.9/writing-policies/)
*   [Evaluating Policies](https://docs.gradle.com/develocity/provenance-governor/1.9/evaluating-policies/)
*   [Policy Types](https://docs.gradle.com/develocity/provenance-governor/1.9/policy-types/)

## Attestations

Generate, sign, and publish provenance attestations for your packages.

*   [Attestation Reference](https://docs.gradle.com/develocity/provenance-governor/1.9/attestations/)
*   [Publishing Attestations](https://docs.gradle.com/develocity/provenance-governor/1.9/publishing-attestations/)

## CI/CD Integration

Integrate policy enforcement into your CI and CD pipelines.

*   [CI/CD Integration Guide](https://docs.gradle.com/develocity/provenance-governor/1.9/ci-cd-integration/)

## API Reference

REST API, MCP tools, error handling, and monitoring reference.

*   [API Overview](https://docs.gradle.com/develocity/provenance-governor/1.9/api-overview/)
*   [Operations](https://docs.gradle.com/develocity/provenance-governor/1.9/api-reference/)
*   [MCP Tools](https://docs.gradle.com/develocity/provenance-governor/1.9/api-mcp-tools/)
*   [Error Handling](https://docs.gradle.com/develocity/provenance-governor/1.9/api-errors/)
*   [Monitoring](https://docs.gradle.com/develocity/provenance-governor/1.9/monitoring-services/)