Seamless Attestations in Azure DevOps Pipelines

Introduction

Chainloop continues to raise the bar, and we're excited to announce a new enhancement in our latest release. With a strong commitment to streamlining compliance and security processes, Chainloop introduces support for Azure DevOps Pipelines.

This integration empowers development teams to enforce attestation within the context of Azure DevOps Pipelines, ensuring compliance across the software supply chain. Users now have the ability to specify the context of the CI runner where attestation should take place. They can use an optional runner type parameter in the workflow contract, as illustrated in the example below:

schemaVersion: v1
materials:
 - type: CONTAINER_IMAGE
   name: skynet-control-plane
envAllowList:
 - CUSTOM_VAR
runner:
 type: "AZURE_PIPELINE"

The documentation for this integration can be found here.

Impact on the Attestation Process

Adding the runner type to the contract changes the attestation process in three ways:

  • Contextual Enforcement: The attestation process must be executed within the specified runner type unless the --dry-run flag is set during initialization.
  • Enhanced Visibility: A link to the workload is recorded within both the attestation and the control plane during initialization, improving traceability.
  • Extended Insights: Additional environment variables are automatically integrated into the attestation process, supplementing those defined in the envAllowList contract. These variables, such as BUILD_REPOSITORY_URI and BUILD_BUILDNUMBER, offer deeper insights.
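To make the three effects above concrete, here is a small Go model of what attestation initialization has to do once a contract pins the runner type: detect the runner, refuse to proceed on the wrong runner unless --dry-run is set, record a link to the workload, and merge the runner's own variables with the contract's envAllowList. This is an added illustration, not Chainloop's code. It assumes Azure Pipelines is recognised via its predefined TF_BUILD variable, that the workload link is built from SYSTEM_TEAMFOUNDATIONCOLLECTIONURI, SYSTEM_TEAMPROJECT and BUILD_BUILDID (the page only says a link is recorded), and that a missing allow-listed variable is a hard failure; the sample environment in main is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Contract mirrors the parts of the workflow contract shown above that matter here.
type Contract struct {
	RunnerType   string   // e.g. "AZURE_PIPELINE"; empty means any runner is acceptable
	EnvAllowList []string // variables the contract explicitly allows into the attestation
}

// Attestation holds what initialization records: runner context, workload link and env.
type Attestation struct {
	RunnerType   string
	WorkloadLink string
	Env          map[string]string
}

// azurePipelineVars are runner-specific variables added automatically on top of
// envAllowList. The first two are named on the page; the remaining three are
// assumed here (predefined Azure Pipelines variables) to build the workload link.
var azurePipelineVars = []string{
	"BUILD_REPOSITORY_URI",
	"BUILD_BUILDNUMBER",
	"BUILD_BUILDID",
	"SYSTEM_TEAMPROJECT",
	"SYSTEM_TEAMFOUNDATIONCOLLECTIONURI",
}

// DetectRunner infers the runner type from the environment.
// Assumption: Azure Pipelines sets TF_BUILD=True on every job.
func DetectRunner(env map[string]string) string {
	if strings.EqualFold(env["TF_BUILD"], "True") {
		return "AZURE_PIPELINE"
	}
	return "GENERIC"
}

// InitAttestation enforces the contract's runner type (unless dryRun), records the
// workload link and collects the allow-listed plus runner-provided variables.
func InitAttestation(c Contract, env map[string]string, dryRun bool) (*Attestation, error) {
	detected := DetectRunner(env)
	// Contextual enforcement: wrong runner is fatal unless this is a dry run.
	if c.RunnerType != "" && detected != c.RunnerType && !dryRun {
		return nil, fmt.Errorf("contract requires runner %q but attestation is running on %q", c.RunnerType, detected)
	}

	att := &Attestation{RunnerType: detected, Env: map[string]string{}}
	wanted := append([]string{}, c.EnvAllowList...)
	if detected == "AZURE_PIPELINE" {
		// Extended insights: runner variables supplement the contract's allow list.
		wanted = append(wanted, azurePipelineVars...)
		// Enhanced visibility: assumed link format for an Azure Pipelines run.
		att.WorkloadLink = fmt.Sprintf("%s%s/_build/results?buildId=%s",
			env["SYSTEM_TEAMFOUNDATIONCOLLECTIONURI"], env["SYSTEM_TEAMPROJECT"], env["BUILD_BUILDID"])
	}

	var missing []string
	for _, name := range wanted {
		v, ok := env[name]
		if !ok {
			missing = append(missing, name)
			continue
		}
		att.Env[name] = v
	}
	// A variable the contract asked for but the job did not provide would otherwise be
	// silently dropped from the evidence, so treat it as an initialization failure.
	if len(missing) > 0 {
		sort.Strings(missing)
		return nil, errors.New("missing required environment variables: " + strings.Join(missing, ", "))
	}
	return att, nil
}

func main() {
	// Constructed sample environment resembling an Azure Pipelines job.
	env := map[string]string{
		"TF_BUILD":                           "True",
		"CUSTOM_VAR":                         "example",
		"BUILD_REPOSITORY_URI":               "https://dev.azure.com/example/skynet/_git/skynet",
		"BUILD_BUILDNUMBER":                  "20240101.1",
		"BUILD_BUILDID":                      "42",
		"SYSTEM_TEAMPROJECT":                 "skynet",
		"SYSTEM_TEAMFOUNDATIONCOLLECTIONURI": "https://dev.azure.com/example/",
	}
	contract := Contract{RunnerType: "AZURE_PIPELINE", EnvAllowList: []string{"CUSTOM_VAR"}}
	att, err := InitAttestation(contract, env, false)
	if err != nil {
		fmt.Println("init failed:", err)
		return
	}
	fmt.Println("runner:", att.RunnerType, "workload:", att.WorkloadLink, "vars:", len(att.Env))
}
```

Running the same contract on a machine without TF_BUILD makes InitAttestation return an error; passing dryRun=true lets it proceed for local testing, matching the --dry-run behaviour described above, but the resulting attestation then carries neither the Azure variables nor a workload link, which is exactly what a verifier would notice.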

Conclusion

Chainloop's latest release reinforces its commitment to providing a seamless software supply chain management experience. The support for Azure DevOps Pipelines introduces a valuable layer of integration, empowering users to enforce attestations within the context of their preferred CI/CD platform. Stay connected with Chainloop as we continue to innovate and provide tools that empower developers to navigate the complex landscape of software supply chain security with confidence.