Chainloop's Content Addressable Storage (CAS) Improved

Introduction

When it comes to software supply chain security, every piece of evidence is crucial. Chainloop's Content Addressable Storage (CAS) ensures that data such as Software Bill Of Materials (SBOMs), test results, and runner logs are safely stored and easily retrievable. CAS is not just a component; it's the bedrock of Chainloop's architecture. This article provides an insight into CAS's workings and its significance.

Understanding Content Addressable Storage (CAS)

Chainloop's CAS is not just about storage; it's about smart, secure, and efficient storage. Think of CAS as a frontend for various backends like OCI Registry, Artifactory, AWS S3, Azure Storage, etc. At its core, CAS serves as a Content Addressable Storage API proxy, seamlessly bridging the gap between users and the underlying storage systems.

We meet our users where they are and stick with their preferred storage options, whether those are already part of their IT infrastructure or chosen to satisfy specific compliance rules. CAS enables our customers to use multiple storage backends and route different pieces of metadata to different locations based on their compliance requirements.

Here are the key features of Chainloop’s CAS:

  • Globally Addressable: Files are identified by their content digest (SHA256), so the same piece of evidence is referred to by the same identifier wherever it is stored.
  • Tamper-Proof Storage: Data integrity is crucial. Chainloop ensures this by naming pieces of evidence after their SHA256 content digest, a value calculated by the client and verified by the CAS server. This ensures the pieces of evidence remain genuine and unchanged.
  • Adaptable Storage Solutions: The CAS API proxy is designed to be flexible. While OCI registries are currently supported, our plans include integrating cloud blob storage, Artifactory, and other storage mechanisms in the future.
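The tamper-proof property described above comes from one check: the client declares the SHA256 digest of what it uploads, and the server recomputes it before accepting the bytes. The following is an added example, not Chainloop's own code, that models that check with an in-memory store standing in for a real backend such as an OCI registry; the `Store`, `Put`, `Get` and `Digest` names are assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrDigestMismatch is returned when the digest declared by the client does not
// match what the server computes over the received bytes.
var ErrDigestMismatch = errors.New("cas: declared digest does not match content")

// ErrNotFound is returned when no object with the requested digest exists.
var ErrNotFound = errors.New("cas: object not found")

// Digest computes the hex-encoded SHA256 digest of data. The client runs this
// before uploading and sends the result alongside the bytes.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Store is a minimal in-memory content-addressable store standing in for a
// real backend (OCI registry, blob storage, ...). Keys are content digests, never file names.
type Store struct {
	objects map[string][]byte
}

func NewStore() *Store {
	return &Store{objects: make(map[string][]byte)}
}

// Put accepts an upload with a client-declared digest. The server recomputes
// the digest and refuses to store anything that does not match, so a blob
// altered in transit (or a client declaring the wrong digest) never lands in the store.
func (s *Store) Put(declared string, data []byte) (string, error) {
	actual := Digest(data)
	if actual != declared {
		return "", fmt.Errorf("%w: declared %s, computed %s", ErrDigestMismatch, declared, actual)
	}
	// Identical content always hashes to the same key, so re-uploads are idempotent.
	s.objects[actual] = data
	return actual, nil
}

// Get retrieves an object by digest and re-verifies it on the way out, so a
// corrupted backend cannot silently hand back altered evidence.
func (s *Store) Get(digest string) ([]byte, error) {
	data, ok := s.objects[digest]
	if !ok {
		return nil, ErrNotFound
	}
	if Digest(data) != digest {
		return nil, fmt.Errorf("%w: stored object for %s is corrupted", ErrDigestMismatch, digest)
	}
	return data, nil
}

// Len reports how many distinct objects are stored.
func (s *Store) Len() int { return len(s.objects) }

func main() {
	store := NewStore()
	// Constructed sample SBOM; any bytes would do.
	sbom := []byte(`{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}`)

	// Honest client: compute the digest locally, upload, server agrees.
	digest, err := store.Put(Digest(sbom), sbom)
	fmt.Println("stored:", digest, err)

	// Altered upload: bytes changed after the digest was declared.
	tampered := append([]byte{}, sbom...)
	tampered[len(tampered)-2] = ' '
	_, err = store.Put(digest, tampered)
	fmt.Println("altered upload rejected:", errors.Is(err, ErrDigestMismatch))

	// Retrieval is by digest, and the same content uploaded twice is stored once.
	store.Put(Digest(sbom), sbom)
	got, _ := store.Get(digest)
	fmt.Println("round trip ok:", string(got) == string(sbom), "objects:", store.Len())
}
```

Verifying on both the write and the read path is what makes the digest a trustworthy name: the client cannot smuggle in mismatched content, and a backend that has been modified underneath the proxy is detected the next time the evidence is fetched.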

Managing CAS Backends

With Chainloop, you have the freedom to set up multiple CAS backends. However, only one can be set as the default at a given time. This default backend is the primary storage location during the attestation process. Managing these backends is streamlined through the chainloop cas-backend command.

Backend Providers

Chainloop is continuously expanding its horizons. Users are encouraged to reach out if a desired CAS backend provider isn't available. We are already working on support for cloud blob storage. Here's a deeper dive into the current backends:

  • OCI Registry Backend: Once users move beyond initial experimentation, switching to the OCI registry backend, a more robust solution, is advisable. This backend supports various platforms, including Google Artifact Registry, Azure Container Registry, GitHub Packages, and DockerHub. With intuitive commands, adding, updating, and setting the OCI registry as default is a breeze.
  • Inline (Fallback) Backend: This new addition comes with the latest release (details below). Chainloop now ships pre-configured with an inline backend, which embeds pieces of evidence directly in the attestation and provides a quick start option.

Chainloop 0.14.0: Welcoming the Inline CAS Backend

The latest release, Chainloop 0.14.0, introduces the Inline CAS Backend:

  • Get Started Instantly: The Inline CAS Backend is built for instant usage. There's no need to wade through intricate backend setups; Chainloop is ready to go out of the box.
  • Easier Onboarding: New users can start their Chainloop journey effortlessly. The new inline backend means data can be embedded directly in attestations. However, while this method streamlines the process, there are considerations, like data size limits, to be aware of.

Using Inline CAS means the attestation can grow considerably in size. To keep this in check, a size limit can be set, for instance at 10KB. Users who need more can set up an actual CAS backend. While size considerations matter, the primary advantage of this feature is reduced setup complexity, letting users get started with Chainloop without any hurdles.
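The routing decision described in this section (embed small evidence inline, send anything above the limit to a configured backend, and fail clearly when nothing else is configured) is shown below as an added example. It is not Chainloop's code: the `Uploader`, `Material` and `Backend` names, the `mapBackend` stand-in for a real backend, and the use of the 10KB figure as the default limit are all assumptions made for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// InlineLimit caps how much evidence may be embedded directly in an attestation.
// Constructed value, matching the 10KB figure used as an illustration in the text.
const InlineLimit = 10 * 1024

// ErrTooLarge is returned when a piece of evidence exceeds the inline limit
// and no external CAS backend has been configured.
var ErrTooLarge = errors.New("cas: evidence exceeds inline size limit and no backend is configured")

// Material is one piece of evidence referenced from an attestation. Either
// Inline carries the bytes themselves, or Digest alone points at an external backend.
type Material struct {
	Name    string `json:"name"`
	Digest  string `json:"digest"`
	Inline  []byte `json:"inline,omitempty"`
	Backend string `json:"backend"`
}

// Backend is the narrow interface an external CAS backend must satisfy here.
type Backend interface {
	Put(digest string, data []byte) error
}

// mapBackend stands in for an OCI registry or blob store.
type mapBackend map[string][]byte

func (m mapBackend) Put(digest string, data []byte) error { m[digest] = data; return nil }

// Uploader decides where evidence goes: blobs up to Limit are embedded inline,
// larger ones go to the external backend if one is configured.
type Uploader struct {
	Limit    int
	External Backend // nil means "inline only", the zero-setup default
}

func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Attach stores data and returns the material to be recorded in the attestation.
// The digest is recorded in both cases, so inline evidence stays content-addressed.
func (u Uploader) Attach(name string, data []byte) (Material, error) {
	m := Material{Name: name, Digest: sha256Hex(data)}
	if len(data) <= u.Limit {
		m.Inline = data
		m.Backend = "inline"
		return m, nil
	}
	if u.External == nil {
		return Material{}, fmt.Errorf("%w: %s is %d bytes, limit %d", ErrTooLarge, name, len(data), u.Limit)
	}
	if err := u.External.Put(m.Digest, data); err != nil {
		return Material{}, err
	}
	m.Backend = "external"
	return m, nil
}

func main() {
	// Constructed sample evidence: a small test report and a 64KB blob.
	small := []byte(`{"passed":42,"failed":0}`)
	large := make([]byte, 64*1024)

	inlineOnly := Uploader{Limit: InlineLimit}
	m, err := inlineOnly.Attach("test-results.json", small)
	fmt.Println("small:", m.Backend, err)
	_, err = inlineOnly.Attach("sbom.json", large)
	fmt.Println("large without backend rejected:", errors.Is(err, ErrTooLarge))

	withBackend := Uploader{Limit: InlineLimit, External: mapBackend{}}
	m, err = withBackend.Attach("sbom.json", large)
	fmt.Println("large with backend:", m.Backend, "inline bytes:", len(m.Inline), err)

	// What the attestation carries for the large item: a digest reference, not the blob.
	out, _ := json.Marshal(m)
	fmt.Println("attestation material size:", len(out), "bytes")
}
```

The attestation keeps a digest for inline material as well, which is what lets a later migration to a real backend proceed without changing how evidence is identified.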

Final Thoughts

Chainloop's CAS is shaping the way we approach software attestation, with the introduction of the Inline CAS Backend in version 0.14.0 serving as a testament to our commitment to enhanced user experience and robust data storage solutions.

Stay tuned with Chainloop for more breakthroughs and updates in the software supply chain security arena.

We recommend taking a look at our documentation to learn more about CAS.