TL;DR
In February, Chainloop rolled out major updates to simplify your compliance and security workflows:
- Expanded Compliance Support: Upcoming support for CRA, SSDF, SLSA, and Open Source Project Security Baseline.
- GitLab Machine Identity Support: Use native GitLab and, soon, GitHub & Azure DevOps OIDC authentication to send evidence to Chainloop without extra tokens.
- Enhanced Attestation Verification and Sigstore bundle support: Added timestamping and downloadable verification materials for stronger security.
- Upcoming Vulnerability Management & SCA: Early access features include automated SBOM generation, continuous scanning, on-the-fly VEX creation, and streamlined reporting.
Introduction
At Chainloop, we understand that compliance shouldn’t slow you down. Last month, we focused on reducing manual work and streamlining your security checks, so you can focus on building great products. Whether you’re deep in development or making strategic decisions, our latest updates ensure that achieving compliance is smooth and hassle-free.

Automated Compliance Across Key Frameworks
Chainloop is already empowering your team to achieve automated compliance with a platform that helps you:
- Instrument Your SDLC: Seamlessly collect, enrich, and process all evidence and artifacts in our centralized store.
- Use Ready-Made Policies: Leverage our curated, up-to-date, version-controlled policies that you can easily customize via our UI or YAML files.
- Embrace GitOps: Enjoy fully declarative, version-controlled configurations for contracts, policies, and compliance frameworks that integrate smoothly with your existing DevOps processes, with real-time dashboards for full visibility.

These capabilities reduce manual work and make it easier for your team to meet regulatory standards continuously.
This month, we're taking it a step further by expanding our support to include additional compliance frameworks, namely the Cyber Resilience Act (CRA), NIST's Secure Software Development Framework (SSDF), Supply-chain Levels for Software Artifacts (SLSA), and the Open Source Project Security Baseline (OSPSB). Stay tuned for more updates!
GitLab Machine Identity Support
Now, you can connect your GitLab—and soon GitHub and Azure DevOps—directly to our platform without needing a separate Chainloop Token to push artifacts and evidence.
Instead, your CI job presents the OIDC identity token its platform issues natively. We verify that token, securely store your integration context, and check that the repository or pipeline it identifies is authorized to send data, so no long-lived credential has to live in your CI variables. This streamlined process helps you get up and running quickly, so your team can focus on their core work. Learn more about keyless attestations in GitLab here.
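To make the mechanism concrete, here is an added example of the check a receiving service performs on a GitLab CI ID token before it accepts any evidence. It is not Chainloop's code and not GitLab's: GitLab's real tokens are RS256-signed and are verified against the keys the instance publishes, so a locally generated RSA key stands in for GitLab here, and the trust-policy shape, the audience URL and the project path are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// GitLabClaims is the subset of GitLab's documented CI ID-token claims these checks use.
type GitLabClaims struct {
	Iss          string `json:"iss"`
	Aud          string `json:"aud"`
	ProjectPath  string `json:"project_path"`
	Ref          string `json:"ref"`
	RefProtected string `json:"ref_protected"` // GitLab emits this as the string "true"/"false"
	Exp          int64  `json:"exp"`
}
// TrustPolicy takes the place of a shared API token; its shape is an assumption for this example.
type TrustPolicy struct {
	Issuer, Audience    string
	AllowedProjects     map[string]bool
	RequireProtectedRef bool
}
var b64 = base64.RawURLEncoding
func unb64(s string) []byte { b, _ := b64.DecodeString(s); return b } // malformed input -> nil, which fails later checks

// mintToken stands in for GitLab, which signs job ID tokens with RS256.
func mintToken(priv *rsa.PrivateKey, c GitLabClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyToken is the receiving side: signature under the issuer's key (normally fetched from
// {iss}/oauth/discovery/keys; a local key here), then every policy claim, before anything is stored.
func verifyToken(pub *rsa.PublicKey, tok string, p TrustPolicy, now time.Time) (*GitLabClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	// Pin the algorithm; never let the token choose it (alg=none, RSA/HMAC key confusion).
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(unb64(parts[0]), &header); err != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], unb64(parts[2])); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c GitLabClaims
	if err := json.Unmarshal(unb64(parts[1]), &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != p.Issuer || c.Aud != p.Audience:
		return nil, fmt.Errorf("token not from %q for %q (iss %q, aud %q)", p.Issuer, p.Audience, c.Iss, c.Aud)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case !p.AllowedProjects[c.ProjectPath]:
		return nil, fmt.Errorf("project %q is not enrolled", c.ProjectPath)
	case p.RequireProtectedRef && c.RefProtected != "true":
		return nil, fmt.Errorf("ref %q is not a protected branch or tag", c.Ref)
	}
	return &c, nil
}

// Constructed fixtures: a local RSA key plays GitLab; the policy enrolls one hypothetical project.
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)
var demoPolicy = TrustPolicy{Issuer: "https://gitlab.com", Audience: "https://chainloop.example.invalid",
	AllowedProjects: map[string]bool{"acme/payments-api": true}, RequireProtectedRef: true}
var demoClaims = GitLabClaims{Iss: "https://gitlab.com", Aud: "https://chainloop.example.invalid",
	ProjectPath: "acme/payments-api", Ref: "main", RefProtected: "true", Exp: time.Now().Add(5 * time.Minute).Unix()}

// tryPush mints a token for the claims and runs it through the receiver's checks.
func tryPush(c GitLabClaims) error {
	tok, err := mintToken(demoKey, c)
	if err == nil {
		_, err = verifyToken(&demoKey.PublicKey, tok, demoPolicy, time.Now())
	}
	return err
}

func main() {
	c := demoClaims
	c.Ref, c.RefProtected = "feature/x", "false"
	fmt.Println(tryPush(demoClaims), "|", tryPush(c)) // <nil> | ref "feature/x" is not a protected branch or tag
}
```

In the pipeline the job requests such a token with GitLab's id_tokens: keyword and an aud of your choosing; the point of the example is that authorization comes from the verified project_path and ref_protected claims rather than from a secret stored in CI variables, so there is no long-lived token to leak or rotate, and a job on an unprotected feature branch cannot push evidence as if it came from main.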
Enhanced Attestation Verification Process
At Chainloop, we're continuously refining our processes to ensure your attestations are both secure and easy to verify. Here’s what’s new:
- Sigstore Attestation Bundle Adoption: Your attestations are now stored in the Sigstore bundle format, which includes all necessary verification materials. This makes offline verification straightforward and ensures compatibility with other tools.
- Timestamp Service Integration: We now send your attestation signature to a trusted timestamp authority (TSA) and include its countersignature in the bundle. This proves the signature existed at a given point in time, which is what keeps a keyless attestation verifiable after its short-lived signing certificate has expired.
- Downloadable Verification Material: For signing methods that support it—like keyless signing with ephemeral certificates—you can now download the verification material used during signing. This allows you to verify attestations with confidence later on.
- New Verification Command: We’ve introduced a new CLI command, chainloop attestation verify, to simplify local verification of attestation bundles.
For more details on our attestation process, check out our signing documentation.
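Why the timestamp matters is easiest to see in code. The following is an added example, not Chainloop's implementation, not the chainloop attestation verify command, and not the Sigstore bundle format itself: a pared-down bundle holding a DSSE envelope, a self-signed ten-minute certificate standing in for the ephemeral one a keyless flow obtains, and a JSON stand-in for the RFC 3161 token. The in-toto statement, the subject name and the certificate identity are constructed. The bundle is signed an hour in the past, so the certificate has long expired, yet it still verifies offline because the TSA time falls inside the certificate's validity window.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)
// Bundle is a pared-down stand-in for a Sigstore bundle: DSSE envelope plus offline verification material.
type Bundle struct {
	PayloadType string
	Payload     []byte
	Signature   []byte // ECDSA P-256 over the DSSE PAE
	CertDER     []byte // ten-minute signing certificate (self-signed here; issued by the Sigstore CA in practice)
	Timestamp   Timestamp
}
// Timestamp models what an RFC 3161 token asserts: "this signature digest existed at time T", signed by the TSA.
type Timestamp struct {
	Time      time.Time `json:"time"`
	SigDigest []byte    `json:"sig_digest"`
	TSASig    []byte    `json:"-"` // excluded from the signed body
}

// pae is the DSSE pre-authentication encoding that the signature actually covers.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

func tsaDigest(ts Timestamp) [32]byte {
	body, _ := json.Marshal(Timestamp{Time: ts.Time, SigDigest: ts.SigDigest})
	return sha256.Sum256(body)
}

// countersign plays the TSA: it binds sha256(signature) to a time and signs that statement.
func countersign(tsaKey *ecdsa.PrivateKey, sig []byte, at time.Time) (Timestamp, error) {
	d := sha256.Sum256(sig)
	ts := Timestamp{Time: at.UTC().Truncate(time.Second), SigDigest: d[:]}
	h := tsaDigest(ts)
	var err error
	ts.TSASig, err = ecdsa.SignASN1(rand.Reader, tsaKey, h[:])
	return ts, err
}

// sign models keyless signing: ephemeral key, ten-minute certificate, TSA countersignature taken while it is valid.
func sign(payloadType string, payload []byte, tsaKey *ecdsa.PrivateKey, at time.Time) (*Bundle, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ci-job@example.invalid"},
		NotBefore: at, NotAfter: at.Add(10 * time.Minute), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(pae(payloadType, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	ts, err := countersign(tsaKey, sig, at)
	return &Bundle{payloadType, payload, sig, der, ts}, err
}

// verify is the offline check. The verifier's clock is never consulted: the TSA time decides cert validity.
func verify(b *Bundle, tsaPub *ecdsa.PublicKey) error {
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil {
		return err
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, pae(b.PayloadType, b.Payload), b.Signature); err != nil {
		return fmt.Errorf("envelope signature: %w", err)
	}
	if h := tsaDigest(b.Timestamp); !ecdsa.VerifyASN1(tsaPub, h[:], b.Timestamp.TSASig) {
		return fmt.Errorf("timestamp: not signed by a trusted TSA")
	}
	if d := sha256.Sum256(b.Signature); string(d[:]) != string(b.Timestamp.SigDigest) {
		return fmt.Errorf("timestamp: covers a different signature")
	}
	if t := b.Timestamp.Time; t.Before(cert.NotBefore) || t.After(cert.NotAfter) {
		return fmt.Errorf("signed at %s, outside certificate validity %s to %s", t, cert.NotBefore, cert.NotAfter)
	}
	return nil
}

func main() {
	tsaKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	stmt := []byte(`{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"app.tar.gz"}]}`) // constructed
	// Signed an hour ago, so the ten-minute certificate is long expired, yet the bundle still verifies.
	b, err := sign("application/vnd.in-toto+json", stmt, tsaKey, time.Now().Add(-time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("offline verify:", verify(b, &tsaKey.PublicKey)) // <nil>
}
```

The order of the checks is the point: the TSA signature is verified first, then the timestamp is tied to this exact envelope signature, and only then is the TSA time compared with the certificate's validity window. A verifier that used its own clock instead would reject every keyless attestation more than a few minutes old, and one that skipped the digest binding would accept a genuine timestamp copied from some other bundle.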

Upcoming Vulnerability Management and SCA Capabilities
As part of Chainloop Labs, we’re excited to introduce vulnerability management and Software Composition Analysis (SCA) features. We’re currently seeking design partners to refine these capabilities further. Today’s highlights allow you to:
- Automatically create and enrich SBOMs, then validate them against our quality gates and policies.
- Continuously scan for vulnerabilities, aggregate the findings, and keep you informed.
- Quickly assess vulnerabilities and generate VEX files—streamlining communication and reducing the need for multiple manual steps.
- Easily share reports on your vulnerability management posture, with all evidence (SBOMs, vulnerability reports, and VEX files) securely stored, signed, and interconnected in our evidence store.

Ready to Get Started?
We hope these updates help you manage compliance without friction. If you have any questions about our new vulnerability management tools or need more details on any of these changes, please contact our team!