Software Supply Chain Attestations
A Control Plane for your Software Supply Chain
Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation process.

With Chainloop, SecOps teams can declaratively state the attestation and artifact expectations for their organization's CI/CD workflows, while resting assured that the latest standards and best practices are in place.
Developer teams, on the other hand, do not need to become security experts: the attestation crafting tool guides them with guardrails and a familiar developer experience.

Chainloop's single integration point lets operators set up third-party integrations such as Dependency-Track for SBOM analysis or an OCI registry for storing the received artifacts and attestation metadata.

You can think of Chainloop as an API for your organization's software supply chain that both development and SecOps teams can use to interact effectively.
That way, SecOps teams gain control over their organization's software supply chain security compliance, observability, and standardization efforts.
See Chainloop in action in this video
Features
OPEN SOURCE
Chainloop is an Open Source project. Contribute, customize and run it on your own infrastructure!
SECURITY COMPLIANCE
Reach Supply-chain Levels for Software Artifacts (SLSA) provenance level 3 by leveraging your own OCI artifact storage, the Sigstore suite, and the in-toto attestation format.
CONTRACT BASED ATTESTATION
The SecOps team can define the attestation requirements associated with the workflows in their organization. New or updated requirements can be easily propagated and enforced.
CI PROVIDER AGNOSTIC
Standardize your attestation and artifact requirements via a single source of truth and integration point. Embrace CI/CD fragmentation!
THIRD-PARTY INTEGRATION FAN-OUT
The ingested artifacts and attestation metadata can be forwarded to different third-party integrations such as Dependency-Track for Software Bill Of Materials (SBOM) analysis or an OCI registry for storage.
DEAD SIMPLE CRAFTING PROCESS
The crafting CLI offers developers a jargon-free process to meet their compliance demands via a familiar developer experience; no security expertise or additional training required!
FIRST CLASS DAY-2 OPERATIONS
Propagate and enforce new attestation requirements, and prevent configuration drift.
TRANSPARENT BEST-PRACTICES ENFORCEMENT
Different kinds of materials are handled according to industry best practices: for example, artifact-type materials are uploaded to your artifact registry, while container-image materials are resolved to their content digest.
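The two ideas above, a SecOps-defined contract listing the materials an attestation must carry, and type-specific handling of those materials (artifacts uploaded and digested, images pinned to a content digest), can be illustrated with a small checker. The following Python is an added example written for this page; it is not Chainloop's CLI or contract format. The contract schema (a `materials` list with `name` and `type`), the `predicateType` URI, and the predicate layout are assumptions for the example; only the Statement envelope fields (`_type`, `subject`, `predicateType`, `predicate`) are the real in-toto v1 ones.

```python
import hashlib
import json
import re

# Constructed contract: a stand-in for a SecOps-defined attestation contract.
# The schema (a "materials" list with "name" and "type") is an assumption
# made for this example, not Chainloop's actual contract format.
CONTRACT = {
    "materials": [
        {"name": "app-image", "type": "CONTAINER_IMAGE"},
        {"name": "sbom", "type": "ARTIFACT"},
    ]
}

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def sha256_ref(data: bytes) -> str:
    """Content digest in the 'sha256:<hex>' form used for OCI references."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_statement(materials: list, subject_name: str, subject_bytes: bytes) -> dict:
    """Wrap crafted materials in an in-toto v1 Statement.

    The predicateType URI and the predicate layout are assumptions for this
    example; only the Statement envelope fields are the real in-toto ones.
    """
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": subject_name,
                     "digest": {"sha256": hashlib.sha256(subject_bytes).hexdigest()}}],
        "predicateType": "https://example.com/attestation/v1",  # hypothetical URI
        "predicate": {"materials": materials},
    }


def check_statement(contract: dict, statement: dict) -> list:
    """Return the contract violations found; an empty list means it is satisfied."""
    errors = []
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        errors.append("not an in-toto v1 Statement")
    if not statement.get("subject"):
        errors.append("statement has no subject")
    present = {m.get("name"): m
               for m in statement.get("predicate", {}).get("materials", [])}
    for req in contract["materials"]:
        mat = present.get(req["name"])
        if mat is None:
            errors.append(f"missing material '{req['name']}'")
            continue
        if mat.get("type") != req["type"]:
            errors.append(f"material '{req['name']}' has type {mat.get('type')}, "
                          f"expected {req['type']}")
            continue
        if req["type"] == "CONTAINER_IMAGE":
            # Images must be pinned by content digest; a mutable tag is not evidence.
            if not DIGEST_RE.match(mat.get("digest", "")):
                errors.append(f"image '{req['name']}' is not resolved to a content digest")
        elif req["type"] == "ARTIFACT":
            # Artifacts must carry the digest of what was stored and a storage reference.
            if not DIGEST_RE.match(mat.get("digest", "")):
                errors.append(f"artifact '{req['name']}' has no content digest")
            if not mat.get("storage_ref"):
                errors.append(f"artifact '{req['name']}' was not uploaded to storage")
    return errors


# Constructed inputs: a fake SBOM file and a fake image manifest.
SBOM_BYTES = b'{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}'
IMAGE_MANIFEST = b"constructed image manifest"
IMAGE_DIGEST = sha256_ref(IMAGE_MANIFEST)

GOOD_MATERIALS = [
    {"name": "app-image", "type": "CONTAINER_IMAGE",
     "reference": "registry.example.com/app@" + IMAGE_DIGEST, "digest": IMAGE_DIGEST},
    {"name": "sbom", "type": "ARTIFACT", "digest": sha256_ref(SBOM_BYTES),
     "storage_ref": "oci://registry.example.com/attestations/" + sha256_ref(SBOM_BYTES)},
]
# Same run, but the image was recorded by tag and the SBOM never reached storage.
BAD_MATERIALS = [
    {"name": "app-image", "type": "CONTAINER_IMAGE",
     "reference": "registry.example.com/app:latest", "digest": "latest"},
    {"name": "sbom", "type": "ARTIFACT", "digest": sha256_ref(SBOM_BYTES)},
]

GOOD_STATEMENT = build_statement(GOOD_MATERIALS, "app-image", IMAGE_MANIFEST)
BAD_STATEMENT = build_statement(BAD_MATERIALS, "app-image", IMAGE_MANIFEST)

if __name__ == "__main__":
    for label, st in (("good", GOOD_STATEMENT), ("bad", BAD_STATEMENT)):
        print(label, check_statement(CONTRACT, st) or "OK")
    print(json.dumps(GOOD_STATEMENT, indent=2))
```

Running the block prints an empty violation list for the compliant statement and two violations for the second one (image recorded by tag, SBOM never uploaded). The type-specific branches are where a real control plane encodes its best practices; a contract change (say, adding a required SBOM material) is enforced simply by re-running the checker against each new attestation.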
AUDITABILITY
Have centralized and tamper-resistant access to attestation/provenance metadata, logs, and build artifacts from across your organization.
OBSERVABILITY
Have visibility on the organizational ownership, health, and readiness of your automation.
Frequently asked questions
Is Chainloop Open Source?
Yes, Chainloop's source code is open source and can be found here! 🎉
Can I run my own instance of Chainloop end to end?
Yes, please refer to this guide.
I am using neither GitHub Actions nor GitLab, can I still use Chainloop?
Yes, Chainloop is runner agnostic, which means that you can run the attestation anywhere, including on your laptop! That said, there are benefits to using one of our supported runner types. We plan on supporting more CI vendors, so if yours is not supported yet, please contact us with your preference and we will get back to you.