Announcing Support for CSAF Additional Profiles

Chainloop adds support to all CSAF (Common Security Advisory Framework) profiles, including VEX, Security Advisory, Informational Advisory, and Security Incident Response.

What’s CSAF?

As the official CSAF site and specification put it: “The Common Security Advisory Framework (CSAF) is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties.”

What's New?

Chainloop now supports CSAF 2, which includes not only the CSAF VEX profile but also three new profiles: Security Advisory, Informational Advisory, and Security Incident Response.

With these updates, Chainloop contracts can reference and validate the newly introduced material types. There is no need to pin the exact version of the CSAF document (its csaf_version field) in the contract: Chainloop determines the appropriate schema for validation dynamically. Simply declare the expected CSAF profile as the material type, and Chainloop takes care of the rest.

schemaVersion: v1
materials:
  - type: CSAF_INFORMATIONAL_ADVISORY
    name: informational-advisory

  - type: CSAF_SECURITY_ADVISORY
    name: security-advisory

  - type: CSAF_SECURITY_INCIDENT_RESPONSE
    name: security-incident-response
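To make concrete what "validating a document against an expected profile" involves, here is an added example (not Chainloop's own code) that maps the material types above to the document.category values CSAF 2.0 assigns to each profile and checks a subset of that profile's requirements from the CSAF 2.0 specification; the mapping and the sample document are assumptions constructed for this illustration.

```python
# Constructed mapping from Chainloop contract material types to the
# document.category value CSAF 2.0 uses for each profile (assumption).
PROFILE_CATEGORY = {
    "CSAF_VEX": "csaf_vex",
    "CSAF_SECURITY_ADVISORY": "csaf_security_advisory",
    "CSAF_INFORMATIONAL_ADVISORY": "csaf_informational_advisory",
    "CSAF_SECURITY_INCIDENT_RESPONSE": "csaf_security_incident_response",
}
def check_profile(doc: dict, material_type: str) -> list:
    """Return the profile violations found (an empty list means it passes)."""
    errors = []
    d = doc.get("document", {})
    if d.get("csaf_version") != "2.0":
        errors.append("document.csaf_version must be 2.0")
    want = PROFILE_CATEGORY[material_type]
    if d.get("category") != want:  # wrong profile: remaining rules do not apply
        return errors + [f"document.category is {d.get('category')!r}, expected {want!r}"]
    if want in ("csaf_security_incident_response", "csaf_informational_advisory"):
        # Both profiles require references and at least one descriptive note.
        if not d.get("references"):
            errors.append("document.references is required")
        kinds = {n.get("category") for n in d.get("notes", [])}
        if not kinds & {"description", "details", "general", "summary"}:
            errors.append("document.notes needs a description/details/general/summary note")
        if want == "csaf_informational_advisory" and "vulnerabilities" in doc:
            errors.append("informational advisories must not contain vulnerabilities")
    else:
        # Security advisory and VEX must describe products and vulnerabilities.
        if "product_tree" not in doc:
            errors.append("product_tree is required")
        vulns = doc.get("vulnerabilities") or []
        if not vulns:
            errors.append("vulnerabilities is required")
        for i, v in enumerate(vulns):
            status = v.get("product_status") or {}
            if not status:
                errors.append(f"vulnerabilities[{i}].product_status is required")
            if want == "csaf_vex":
                if not status.keys() & {"fixed", "known_affected", "known_not_affected", "under_investigation"}:
                    errors.append(f"vulnerabilities[{i}] needs a VEX product status")
                if not (v.get("cve") or v.get("ids")):
                    errors.append(f"vulnerabilities[{i}] needs cve or ids")
    return errors

# Constructed sample: an informational advisory that wrongly carries a
# vulnerabilities array, so it must fail the informational profile check.
SAMPLE = {
    "document": {"category": "csaf_informational_advisory", "csaf_version": "2.0", "title": "Sample", "references": [{"url": "https://example.invalid/a"}], "notes": [{"category": "summary", "text": "Constructed note"}]},
    "vulnerabilities": [{"product_status": {}}],
}
```

Checking SAMPLE as CSAF_INFORMATIONAL_ADVISORY reports the stray vulnerabilities array, while checking it as CSAF_SECURITY_ADVISORY stops at the profile mismatch.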

Get Started

Ready to leverage the power of Chainloop with CSAF profiles and beyond? Head over to our documentation, or use one of our pre-defined contracts to explore the updated features and kickstart your journey towards enhanced security and compliance.

Send feedback our way, and if you like what we do, give our GitHub repository a star and stop by to say hi in our Slack :)