Software Supply Chain Attestations
A Control Plane for your Software Supply Chain
Chainloop is an Open Source project. Contribute, customize and run it on your own infrastructure!
Reach Supply-chain Levels for Software Artifacts (SLSA) provenance level 3 by leveraging your own OCI artifact storage, the sigstore suite and the in-toto attestation format.
CONTRACT BASED ATTESTATION
The SecOps team can define the attestation requirements associated with the Workflows in their organization. New/Updated requirements can be easily propagated and enforced.
CI PROVIDER AGNOSTIC
Standardize your attestation and artifact needs via a single source of truth and integration point. Embrace CI/CD fragmentation!
THIRD-PARTY INTEGRATION FAN-OUT
The ingested artifacts and attestation metadata can be forwarded to different third-party integrations such as Dependency-Track for Software Bill Of Materials (SBOM) analysis or an OCI registry for storage.
DEAD SIMPLE CRAFTING PROCESS
The crafting CLI offers developers a jargon-free process to meet their compliance demands via a familiar developer experience, with no security expertise or additional training required!
FIRST CLASS DAY-2 OPERATIONS
Propagate and enforce new attestation requirements and prevent configuration drift.
TRANSPARENT BEST-PRACTICES ENFORCEMENT
Handle different kinds of materials according to industry best practices: e.g. artifact-type materials are uploaded to your artifact registry, while container image materials are resolved to their content digest.
Have centralized and tamper-resistant access to attestation/provenance metadata, logs, and build artifacts from across your organization.
Have visibility on the organizational ownership, health, and readiness of your automation.
Frequently asked questions.
Is Chainloop Open Source?
Yes, the Chainloop source code has been open sourced and can be found here! 🎉
Can I run my own instance of Chainloop end to end?
Yes, please refer to this guide.
I am using neither GitHub Actions nor GitLab, can I still use Chainloop?
Yes, Chainloop is runner agnostic, which means that you can run the attestation anywhere, including on your laptop! That said, there are benefits to using one of our supported runner types. We plan on supporting more CI vendors, so if yours is not supported yet, please contact us with your preference and we will get back to you.