Develocity

Built-in protection
at all levels

As a solution trusted by many of the world's largest financial institutions and technology companies, Develocity® includes security features and data protection mechanisms for every product level.

Security by design

Fully secure networks

Deploys into your secure networks

Develocity can be deployed to secure networks on-premise or in your cloud environment, co-located with your CI infrastructure for low-latency remote cache access. You can also deploy it into air-gapped networks.

Cloud-native security

Adheres to cloud-native security best practices

Designed around Kubernetes security best practices for secret management and service accounts, Develocity fits perfectly into a cloud-native security architecture.

Secure development

Built with hardened development processes

All development for Develocity follows a rigorous security methodology, including continuous vulnerability scanning, dependency analysis, artifact integrity checks, and regular third-party penetration testing.

undefined

SOC2 Compliant

SOC2 Type 2 Compliant

We work with independent auditors to maintain a SOC2 Type 2 report, which objectively certifies our controls to ensure the continuous Security and Confidentiality of our customers' data. Review our reports and other documentation in our Trust Portal.

Key Capabilities

Single sign-on

Develocity includes an embedded instance of Keycloak as an identity and access management layer and supports SSO with any SAML or LDAP provider.

Automated user provisioning

A SCIM 2.0 integration automatically manages users' and groups’ lifecycles, ensuring your developers have quick access to Develocity.

Role-based access control

Users can be assigned the minimal privileges needed to interact with Develocity.

Project-level access control

Organizations can share a single Develocity installation while ensuring that data and information about individual projects are restricted to an appropriate subset of users and teams, respecting organization information-sharing boundaries.

Encryption in-flight

All communication between build tools, build caches, and Develocity is encrypted using modern TLS/HTTPS cipher suites.

Encryption at-rest

All sensitive data is protected with application-level encryption at rest. Develocity can be deployed onto self-encrypting storage such as EBS volumes or PVs or an object store such as Amazon S3, Google Storage, or Azure Blob Storage.

Iron Bank certified

Acquire our hardened images from the US DoD Iron Bank ‘Platform One’ container registry for easy deployment into high-compliance organizations.

Outbound HTTP/S proxy server support

Develocity supports configuring an outbound HTTP/S proxy server for high-security network configurations to scan any Internet requests on egress.

Flexible TLS configuration

For maximum flexibility, TLS can be terminated on an external load balancer, at the Kubernetes ingress level, or inside the Develocity cluster.

Secure software development lifecycle

All Develocity source code and dependencies are reviewed and scanned for known vulnerabilities nightly. Any discovered vulnerabilities follow a documented reporting and disclosure process.

Bearer token component registration

Scale-out components of Develocity, including build-cache nodes and test distribution agents, are registered using a bearer token to establish secure communications.

Privacy is at the heart of Gradle

Privacy by design for new product features and internal processes.

Compliance with Data Protection regulations in all countries we operate in, including GDPR and CCPA.

Minimal data sharing required. Customers self-host Develocity and only share contact information with us for Customer Support purposes.

Data Processing Agreement Transparency Report, and other important information are available at gradle.com/data-protection.

Organizational security

  • Get copies of our SOC2 Type 1 and 2 reports and other relevant Security Policies from our Trust Portal at trust.gradle.com

Learn more

Develocity Security Advisories

See a list of security advisories relating to Develocity and its associated components.

Learn more
Gradle Vulnerability Disclosure Policy

Learn more about Gradle's Vulnerability Disclosure Policy and how to work with Gradle if you find a security vulnerability.

Learn more

Explore Develocity

Learn how Develocity helps teams boost speed, stability, and confidence to achieve software delivery excellence in the age of AI.