Changelog: AI Agent Governance, Ask Chainloop, and Supply Chain Hardening
Miguel Martinez

It’s been a rough couple of weeks for the ecosystem — first the Trivy compromise, then LiteLLM. We’ve been shipping in parallel. This release adds AI agent governance, a natural language interface for the platform, per-project keyless authorization, and some features that exist specifically because of what we learned analyzing those attacks.
AI Agent Configuration Governance
We covered this in detail in the Agentic Coding Support post. The short version: Chainloop now discovers and collects AI agent configuration from your repositories — instruction files, MCP servers, skills, subagent settings — and bundles it into tamper-resistant evidence via a new CHAINLOOP_AI_AGENT_CONFIG material type.
This release ships 12 built-in AI governance policies covering:
- MCP server allowlists
- Instruction quality and architecture documentation
- Subagent permission scoping
- Code style specificity requirements
- Behavioral boundaries and git workflow documentation
- Skill and subagent descriptions
- Hardcoded secret detection in agent configurations
Full details in the collection guide.
Ask Chainloop
Hit Cmd+K (or Ctrl+K) from anywhere in the platform and ask a question. Browse supply chain data, check compliance status, write policies, create contracts, configure your instance. It’s a native natural language interface built into the web UI.
Read more in the documentation.
Repository-Project Linking & Keyless RBAC
You shouldn’t need static API tokens to talk to Chainloop. Tokens get leaked, stolen, reused — the LiteLLM attack showed what happens when a compromised pipeline has broad credential access. Chainloop supports keyless attestations via GitHub and GitLab OIDC instead. Nothing to rotate, nothing to leak.
This release takes it further with per-project authorization. Enrolled repositories must be connected to a specific project before keyless attestations are accepted, so you control exactly which pipelines can produce evidence for each project.
Details in the GitHub keyless attestation guide and GitLab keyless attestation guide.
Strengthening Defenses Against Supply Chain Attacks
Both the Trivy and LiteLLM attacks exploited the same thing: mutable tags and weak release integrity controls. We’re adding policies that catch exactly this.
GitHub immutable release detection. The CLI gatherer now checks whether GitHub Immutable Releases are enabled for a repository. Remember how the Trivy attack worked — the attacker force-pushed 75 version tags to point at malicious commits, and nobody got notified. The new immutable-releases-enabled policy flags repositories where this protection is missing.
Tag deletion and force-push blocking policies. New policies check whether tag protection rules are configured. Repositories without them let attackers rewrite release history silently — which is exactly what happened with Trivy.
If you’re using GitHub Actions with third-party actions pinned to tags, these policies should be at the top of your list.
Rich Evidence Visualization
You can now browse evidence content directly in the platform — no downloads needed.
Container Images — Pull commands, provenance, and deployment history.
Pull Request Info — Branch details, reviewers, approval status, and bot detection from CHAINLOOP_PR_INFO materials.
AI Agent Configuration — Browse configuration files, instructions, rules, and skills collected from repositories.
Compliance Override & Approval Workflows
You can now upload evidence files when submitting compliance overrides. The approval workflow tracks status visually, and teams can require sign-off on manually submitted evidence before it counts toward compliance evaluations.
More Improvements
- GitHub App visibility on the Integrations page
- Redesigned sidebar with updated icons
- “Needs review” filter for compliance views
- Details tab shown by default in the material sidebar
- New MCP server tools for querying environments and deployments
- Flexible author format support in PR info viewer
Full changelog at docs.chainloop.dev/changelog.
Let’s Talk
- Request a demo: chainloop.dev/book-a-demo
- Documentation: docs.chainloop.dev
- Open source: github.com/chainloop-dev/chainloop
- Follow us on LinkedIn