Announcing Federated Content Addressable Storage

Last month, we wrote about the crucial role that a globally addressable, tamper-proof, and extensible storage solution takes on your Software Supply Chain.

A place to store any piece of evidence generated during your Software Development Life Cycle (SDLC). From in-toto attestations to Cyclone/SPDX Software Bill Of Materials (SBOMs), VEX, xUnit, binaries, tgz files, and more.

To achieve that, we built a Content Addressable Storage Proxy that sits in front of your favorite Storage Backend, these range from Blob Storage solutions (i.e. AWS s3) to OCI registries such as Azure Container Registry or Google Artifact Registry.

In Chainloop, an organization can set up multiple CAS Backends to meet their different compliance requirements. These can be purely technical requirements, such as retention policies, regulatory ones, such as region aware storage, or others. In practice, this means that pieces of evidence are scattered around, creating the need for an unifying interface.

Federated Content Addressable Storage

Today, we are proud to announce that Chainloop’s latest release (0.17.1) includes Federated Content Addressable Storage support. It allows users to download any artifact stored in any CAS backend from any of their Chainloop organizations transparently by just providing its content digest.  

To download an artifact, you can just provide its sha256 content digest to either the Chainloop CLI or to the new download API endpoint i.e, and Chainloop will dynamically find the right path to the artifact transparently.

As an example, here you can find the attestation of the latest Chainloop release.

Public Sharing (preview)

This release also introduces a preview of a public sharing mechanism for attestations and pieces of evidence stored in CAS. This allows operators to share links to attestations, SBOMs, binaries, VEX files, anything that has been collected as part of an attestation process for enhanced transparency.

You can learn more on how it works here, but in short, operators can now set the visibility of a workflow to “public” and any piece of evidence generated for that workflow will be publicly accessible.

We are very excited about the myriad of new use cases that this layer of intelligence enables. Still, more importantly, we are happy to see this feature being implemented in such a way that it's easy and fun to use for the user. What's not to like about using something that feels both familiar and magical at the same time? :)

Please send feedback our way, and if you like what we do, give our GitHub repository a star :)

Cheers, Miguel