Chainloop is the metadata platform for the Secure Software Supply Chain. It helps SecOps teams collect, store, and distribute pieces of evidence while meeting the latest compliance requirements.
In practice, this means that when a developer provides one of these files during an attestation process, Chainloop will:
- Validate that it's the correct format.
- Upload it to the Content Addressable Storage backend of your choice and inject its reference in the attestation.
- Send it to any third-party integration the operator might have enabled.
To make these pieces of evidence a requirement in an attestation process, just update your workflow contract with something like:
```yaml
# CSAF_VEX and OPENVEX are supported
- type: OPENVEX
# And static analysis reports in SARIF format
- type: SARIF
```
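As an added illustration (example code, not Chainloop's own implementation), the following Go sketch walks through the three steps listed above for the two material types declared in that contract: check that the bytes are structurally an OpenVEX or SARIF document, store them in a content-addressable store keyed by their SHA-256 digest, and hand back the reference that would be injected into the attestation. The `MaterialType`, `MaterialRef` and `MemCAS` names, the in-memory store, and the minimal structural checks are assumptions of this example; the sample documents are constructed, with a placeholder vulnerability id.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MaterialType mirrors the "type" value of a workflow-contract material entry.
type MaterialType string

const (
	MaterialOpenVEX MaterialType = "OPENVEX"
	MaterialSARIF   MaterialType = "SARIF"
)

// MaterialRef is what gets recorded in the attestation instead of the raw bytes
// (hypothetical shape for this example).
type MaterialRef struct {
	Type   MaterialType
	Digest string // "sha256:<hex>", also the CAS key
	Size   int
}

// MemCAS is an in-memory stand-in for a content-addressable storage backend.
type MemCAS map[string][]byte

// ContentDigest returns the "sha256:<hex>" address of a document.
func ContentDigest(raw []byte) string {
	sum := sha256.Sum256(raw)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Put stores raw under its digest and returns that key.
func (c MemCAS) Put(raw []byte) string {
	key := ContentDigest(raw)
	c[key] = raw
	return key
}

// validateOpenVEX checks the minimal markers of an OpenVEX document:
// an OpenVEX @context, a document @id and at least one statement.
func validateOpenVEX(raw []byte) error {
	var doc struct {
		Context    string            `json:"@context"`
		ID         string            `json:"@id"`
		Statements []json.RawMessage `json:"statements"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return fmt.Errorf("openvex: not valid JSON: %w", err)
	}
	if !strings.Contains(doc.Context, "openvex.dev") {
		return errors.New("openvex: @context is not an OpenVEX namespace")
	}
	if doc.ID == "" {
		return errors.New("openvex: missing @id")
	}
	if len(doc.Statements) == 0 {
		return errors.New("openvex: document has no statements")
	}
	return nil
}

// validateSARIF checks the minimal markers of a SARIF log: a version and a runs array.
func validateSARIF(raw []byte) error {
	var doc struct {
		Version string            `json:"version"`
		Runs    []json.RawMessage `json:"runs"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return fmt.Errorf("sarif: not valid JSON: %w", err)
	}
	if doc.Version == "" {
		return errors.New("sarif: missing version")
	}
	if doc.Runs == nil {
		return errors.New("sarif: missing runs")
	}
	return nil
}

// ProcessMaterial runs the three steps: validate the declared format, upload to
// the CAS, and return the reference to inject. Nothing is stored on rejection.
func ProcessMaterial(cas MemCAS, t MaterialType, raw []byte) (MaterialRef, error) {
	var err error
	switch t {
	case MaterialOpenVEX:
		err = validateOpenVEX(raw)
	case MaterialSARIF:
		err = validateSARIF(raw)
	default:
		err = fmt.Errorf("unsupported material type %q", t)
	}
	if err != nil {
		return MaterialRef{}, err
	}
	return MaterialRef{Type: t, Digest: cas.Put(raw), Size: len(raw)}, nil
}

// Constructed sample documents; CVE-0000-00000 is a placeholder id.
const SampleOpenVEX = `{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://example.invalid/vex/doc-1",
"statements":[{"vulnerability":{"name":"CVE-0000-00000"},"products":[{"@id":"pkg:example/app@1.0"}],"status":"not_affected"}]}`

const SampleSARIF = `{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"example-scanner"}},"results":[]}]}`
```

A document declared as `SARIF` in the contract but containing VEX content fails the version check and is never written to the store, which is the behaviour you want: the attestation only ever references material that passed the format gate.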
VEX in particular is especially useful in tandem with a Software Bill of Materials (SBOM) document, so you should expect custom integrations leveraging them in Chainloop soon :)