Enterprises' software supply chain practices, artifacts, and tools are fragmented and siloed, which makes it difficult to introduce security and compliance requirements efficiently across the organization. This slows down the software delivery process, or even blocks it under strict regulation in highly regulated markets.
The Rise Of Platform Engineering
Inspired by the cross-functional cooperation promised by DevOps, platforms and platform engineering have emerged in enterprises as an explicit form of that cooperation. Platforms curate and present a standardized set of common capabilities.

Evidence Store as Foundational Component
One common capability is providing a pre-defined CI/CD golden path to production that not only shields the developer from infrastructure complexity but also ensures the latest security and compliance requirements are met, shifting compliance and security down to the platform.
In practice, it means instrumenting our SDLC to
- Gather more context (metadata) on how we are building software, by introducing security practices such as SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Software Composition Analysis).
- Secure, contextualize, and enrich this metadata.
- Write policies and evaluate them against the generated metadata.
A common, foundational solution is to create a centralized evidence store for supply chain metadata, attestations, artifacts, and policies. This is where security, compliance, and risk management teams gain visibility and define security and compliance policies.
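As an added illustration of the three steps above (gather metadata, secure it, evaluate policies against it), the following is example code written for this post and not code from Chainloop or any other project it mentions. It models a minimal evidence store: attestations are in-toto-style statements wrapped in a simplified DSSE-like envelope, the store only admits envelopes whose signature verifies, and a policy-as-code function evaluates rules over the verified metadata of one artifact. The HMAC signing key stands in for a Sigstore or PKI-backed signer, and the predicate type URIs, digests, CI run ids and SAST findings are all constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

# Hypothetical symmetric key: a stand-in for Sigstore/PKI signing (assumption for this example).
SIGNING_KEY = b"platform-attestation-key-demo"

# Constructed predicate type URIs for the two kinds of metadata this example stores.
SAST = "https://example.invalid/predicates/sast"
SBOM = "https://example.invalid/predicates/sbom"


def _canonical(obj: Any) -> bytes:
    """Deterministic JSON so the same statement always signs to the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_attestation(statement: dict, key: bytes = SIGNING_KEY) -> dict:
    """Step 2 (secure): wrap a statement in a DSSE-like envelope signed with HMAC-SHA256."""
    payload = _canonical(statement)
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "demo-key", "sig": sig}],
    }


def verify_envelope(envelope: dict, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Return the decoded statement if any signature verifies over the payload, else None."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    for s in envelope.get("signatures", []):
        if hmac.compare_digest(expected, s.get("sig", "")):
            return json.loads(payload)
    return None


class EvidenceStore:
    """Central store: only verified attestations are admitted, indexed by subject digest."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, List[dict]] = {}
        self.rejected = 0  # count of envelopes refused because the signature did not verify

    def add(self, envelope: dict) -> bool:
        stmt = verify_envelope(envelope)
        if stmt is None:
            self.rejected += 1
            return False
        for subj in stmt["subject"]:
            self._by_digest.setdefault(subj["digest"]["sha256"], []).append(stmt)
        return True

    def attestations_for(self, digest: str, predicate_type: str) -> List[dict]:
        return [s for s in self._by_digest.get(digest, []) if s["predicateType"] == predicate_type]


def evaluate_policy(store: EvidenceStore, digest: str) -> Dict[str, bool]:
    """Step 3 (policy as code): each rule inspects the verified metadata of one artifact."""
    sast = store.attestations_for(digest, SAST)
    sbom = store.attestations_for(digest, SBOM)
    severe = {"CRITICAL", "HIGH"}
    return {
        "sast-attestation-present": bool(sast),
        "no-high-or-critical-findings": bool(sast) and all(
            f["severity"].upper() not in severe for a in sast for f in a["predicate"]["findings"]
        ),
        "sbom-present": bool(sbom),
    }


def make_statement(digest: str, predicate_type: str, predicate: dict, ci_run: str) -> dict:
    """Step 1 (gather + enrich): an in-toto-style statement with a constructed CI run id attached."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app-image", "digest": {"sha256": digest}}],
        "predicateType": predicate_type,
        "predicate": predicate,
        "context": {"ci_run": ci_run},  # enrichment metadata (constructed)
    }


# Constructed artifact digests for the demo: one compliant release, one that is not.
GOOD_DIGEST = hashlib.sha256(b"release-1").hexdigest()
BAD_DIGEST = hashlib.sha256(b"release-2").hexdigest()


def build_demo_store() -> EvidenceStore:
    """Populate the store with sample attestations, including one tampered envelope."""
    store = EvidenceStore()
    store.add(sign_attestation(make_statement(
        GOOD_DIGEST, SAST, {"tool": "demo-sast", "findings": [{"id": "X-1", "severity": "LOW"}]}, "ci-101")))
    store.add(sign_attestation(make_statement(GOOD_DIGEST, SBOM, {"format": "spdx", "packages": 42}, "ci-101")))
    store.add(sign_attestation(make_statement(
        BAD_DIGEST, SAST, {"tool": "demo-sast", "findings": [{"id": "X-9", "severity": "CRITICAL"}]}, "ci-102")))
    # Tampering: the payload is swapped after signing, so the envelope must be rejected.
    tampered = sign_attestation(make_statement(BAD_DIGEST, SBOM, {"format": "spdx", "packages": 1}, "ci-102"))
    tampered["payload"] = base64.b64encode(
        _canonical(make_statement(BAD_DIGEST, SBOM, {"format": "spdx", "packages": 99}, "ci-102"))).decode()
    store.add(tampered)
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    print("rejected envelopes:", demo.rejected)
    for label, d in (("release-1", GOOD_DIGEST), ("release-2", BAD_DIGEST)):
        print(label, evaluate_policy(demo, d))
```

The point of the store verifying signatures on admission is that policy rules never have to reason about integrity themselves: by the time `evaluate_policy` runs, everything it reads has already been checked, and the tampered SBOM envelope for the second release simply never appears, which is why that release fails the `sbom-present` rule.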
Building your own Evidence Store
We have talked to multiple platform teams that are in the process of building, or have built, in-house solutions based on proprietary or open-source tooling such as OpenSSF and CNCF projects like SLSA attestations, Sigstore, Open Policy Agent, and OCI registries, to mention a few.

But many of these teams struggle with the rollout due to the fragmented reality of the enterprise where:
- They might already be using multiple DevSecOps tools, CI/CD providers, or storage solutions.
- Policies are too low-level for Compliance and Risk Management (CRM) programs, which would rather visualize the security posture of their products through compliance frameworks such as FedRAMP, SSDF, Executive Order 14028 (US), the EU Cyber Resilience Act (CRA), and the Digital Operational Resilience Act (DORA).
- Compliance still relies on manual, costly, and inefficient processes; not all metadata is machine-readable.
- There are many stakeholders involved in software delivery, and it's hard to ensure a clear separation of concerns.
Enterprise-Ready Evidence Store
That’s why we built Chainloop as a bottom-up, extensible solution. It allows you to plug in any tool, CI/CD, or PKI solution you might have and gradually model your security and compliance framework to your spec.

These properties make platform teams love Chainloop: they can focus on instrumenting, collecting, and writing policies, all of which are declaratively implemented as code, while security and compliance teams get a place to define high-level requirements and manage product lifecycles and compliance posture.

Automating compliance based on verifiable, high-integrity metadata is no longer optional—it’s essential.
An evidence store is a foundational component of any enterprise platform engineering stack, and platform engineering is positioned to take over the task of shifting down compliance and security while maintaining DevOps' core principles of collaboration and automation.