Changelog: Automated SLSA compliance, Chainloop OSS Release Candidate

You can now automatically assess the compliance status of your projects against SLSA 1.0 specification using Chainloop.

Under the hood, we’ve implemented multiple new policies, ranging from checking that the build ran on a hosted CI runner to checking that the signature was issued after authenticating with a given “issuer”, such as sigstore.dev.

However, we are also aware that some requirements cannot be fully automated. That’s why you have the option to assess those checks manually by uploading pieces of evidence.


To get started, just perform a build attestation with Chainloop or provide a SLSA provenance predicate generated by GitHub or the upstream slsa-github-generator project.

Once received, the automated compliance engine will kick in and will do the magic :)
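To make the flow above concrete, here is an added example of how a small policy evaluator over a SLSA v1.0 provenance predicate can work. This is illustrative code written for this changelog, not Chainloop's policy engine or any of its APIs. The predicate field names (`runDetails.builder.id`, `buildDefinition.buildType`) follow the SLSA v1.0 provenance schema; the accepted builder prefixes, the accepted signing issuer, the shape of the `signature_meta` dictionary, the `two-party-review` manual check and the sample predicate are all constructed assumptions for the example.

```python
"""Added example: evaluating SLSA-style policies over a provenance predicate.

Not Chainloop's own code. Demonstrates two automated checks (hosted build
platform, signature issuer) plus a check that can only pass when a piece of
evidence has been uploaded, mirroring the manual-assessment option described.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Assumption: builder.id prefixes we treat as hosted build platforms.
HOSTED_BUILDER_PREFIXES = (
    "https://github.com/slsa-framework/slsa-github-generator/",
    "https://ci.example.com/hosted/",  # placeholder for an in-house hosted runner
)

# Assumption: OIDC issuers we accept for the signing identity.
ACCEPTED_ISSUERS = ("https://oauth2.sigstore.dev/auth",)

# Assumption: checks that need human-provided evidence rather than automation.
MANUAL_CHECKS = ("two-party-review",)


@dataclass
class CheckResult:
    name: str
    status: str  # "pass", "fail" or "manual" (evidence still required)
    detail: str


def check_hosted_builder(predicate: dict[str, Any]) -> CheckResult:
    """Pass only when the recorded builder id matches a known hosted platform."""
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if any(builder_id.startswith(p) for p in HOSTED_BUILDER_PREFIXES):
        return CheckResult("hosted-build-platform", "pass", builder_id)
    return CheckResult("hosted-build-platform", "fail", f"unrecognised builder: {builder_id!r}")


def check_signature_issuer(signature_meta: dict[str, Any]) -> CheckResult:
    """Pass only when the identity that signed the attestation came from an accepted issuer."""
    issuer = signature_meta.get("issuer", "")
    if issuer in ACCEPTED_ISSUERS:
        return CheckResult("signature-issuer", "pass", issuer)
    return CheckResult("signature-issuer", "fail", f"unexpected issuer: {issuer!r}")


def evaluate(predicate: dict[str, Any], signature_meta: dict[str, Any],
             evidence: dict[str, str]) -> list[CheckResult]:
    """Run the automated checks, then resolve manual checks from uploaded evidence."""
    results = [check_hosted_builder(predicate), check_signature_issuer(signature_meta)]
    for name in MANUAL_CHECKS:
        if name in evidence:
            results.append(CheckResult(name, "pass", f"evidence: {evidence[name]}"))
        else:
            results.append(CheckResult(name, "manual", "upload evidence to assess this control"))
    return results


def compliant(results: list[CheckResult]) -> bool:
    """A project is compliant only when every check, manual ones included, passed."""
    return all(r.status == "pass" for r in results)


# Constructed sample input: a SLSA v1.0-shaped predicate and signing metadata.
SAMPLE_PREDICATE = {
    "buildDefinition": {
        "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
        "externalParameters": {"workflow": {"ref": "refs/heads/main"}},
    },
    "runDetails": {
        "builder": {
            "id": "https://github.com/slsa-framework/slsa-github-generator/"
                  ".github/workflows/generator_generic_slsa3.yml@refs/tags/v1.9.0"
        },
        "metadata": {"invocationId": "constructed-run-123"},
    },
}
SAMPLE_SIGNATURE = {"issuer": "https://oauth2.sigstore.dev/auth", "subject": "dev@example.com"}

if __name__ == "__main__":
    for r in evaluate(SAMPLE_PREDICATE, SAMPLE_SIGNATURE, {}):
        print(f"{r.name:<24} {r.status:<7} {r.detail}")
```

With no evidence uploaded the two automated checks pass while `two-party-review` stays in the `manual` state, so the overall result is not yet compliant; supplying evidence for that control flips it to compliant. Keeping the manual state distinct from `fail` is deliberate: it tells the reviewer what is still missing rather than reporting a false violation.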

Enhanced Frameworks Visualization

In our previous changelog, we mentioned that we are bringing external compliance frameworks such as CRA, SSDF, SLSA, or the Open Source Project Security Baseline to Chainloop.

As part of that effort, we want our users to choose Chainloop not only because of its automated compliance capabilities but also because it is the best place to learn and get guidance on the complex array of requirements, controls, and policies.

That’s why we’ve introduced visualization grouping, markdown rendering, outline navigation, and more.

Chainloop OSS 1.0 release candidate

We remain fully committed to providing an Open-Source, end-to-end solution for software supply chain evidence gathering and compliance—a foundation now at the core of the Chainloop platform, running in production in highly regulated industry companies and supporting our customers’ needs.

Last week, we announced the Chainloop Open Source Project has reached its Release Candidate stage!

You can learn more about the announcement and how to get involved here.