Vulnerability Exploitability Exchange (VEX) and SARIF support

Chainloop is the metadata platform for the Secure Software Supply Chain. It helps SecOps teams collect, store, and distribute pieces of evidence while meeting the latest compliance requirements.

And today, we are happy to announce that Chainloop v0.19.1 expands on that vision with first-class support for SARIF, OpenVEX and CSAF VEX pieces of evidence.

In practice, this means that when a developer provides one of these files during an attestation process, Chainloop will:

- Validate that the file is actually in the format the contract declares for it.
- Upload it to the Content Addressable Storage (CAS) backend of your choice and inject its reference into the attestation.
- Forward it to any third-party integration the operator has enabled.

To make these pieces of evidence a requirement in an attestation process, just update your workflow contract with something like:

```yaml
schemaVersion: v1
materials:
  # CSAF_VEX and OPENVEX are supported
  - type: OPENVEX
    name: disclosure
  # And static analysis reports in SARIF format
  - type: SARIF
    name: static-out
```
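To make the "validate, then reference" steps concrete, here is an added example (not Chainloop's own code) of the kind of format check an ingestion step runs on a material before storing it, followed by the content-addressable reference that would be injected into the attestation. Field names come from the public OpenVEX, CSAF 2.0 and SARIF 2.1.0 specifications; the `ingest_material` function, the shape of the material entry it returns and the sample documents are assumptions constructed for this illustration, not Chainloop's schema or CLI.

```python
"""Added example: format sniffing and validation for OPENVEX / CSAF_VEX / SARIF
materials, plus the CAS digest reference. Not Chainloop's code."""
import hashlib
import json
from typing import Optional

OPENVEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# Justifications the OpenVEX spec allows on a not_affected statement.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def detect_format(doc: dict) -> Optional[str]:
    """Sniff which of the three evidence formats a parsed JSON document claims to be."""
    if str(doc.get("@context", "")).startswith("https://openvex.dev/ns"):
        return "OPENVEX"
    csaf_doc = doc.get("document")
    if isinstance(csaf_doc, dict) and csaf_doc.get("category") == "csaf_vex":
        return "CSAF_VEX"
    if doc.get("version") == "2.1.0" and isinstance(doc.get("runs"), list):
        return "SARIF"
    return None


def validate_openvex(doc: dict) -> list:
    errors = []
    for key in ("@id", "author", "timestamp", "version", "statements"):
        if key not in doc:
            errors.append(f"openvex: missing required field {key!r}")
    for i, st in enumerate(doc.get("statements", [])):
        if not st.get("vulnerability", {}).get("name"):
            errors.append(f"openvex: statement {i} has no vulnerability.name")
        status = st.get("status")
        if status not in OPENVEX_STATUSES:
            errors.append(f"openvex: statement {i} has invalid status {status!r}")
        # A not_affected claim with no justification/impact statement is exactly
        # the kind of evidence that silently suppresses a finding; reject it.
        if status == "not_affected" and not (
            st.get("justification") in NOT_AFFECTED_JUSTIFICATIONS or st.get("impact_statement")
        ):
            errors.append(f"openvex: statement {i} is not_affected without justification")
        if status == "affected" and not st.get("action_statement"):
            errors.append(f"openvex: statement {i} is affected without action_statement")
    return errors


def validate_sarif(doc: dict) -> list:
    errors = []
    for i, run in enumerate(doc.get("runs", [])):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            errors.append(f"sarif: run {i} has no tool.driver.name")
        if not isinstance(run.get("results", []), list):
            errors.append(f"sarif: run {i} results is not an array")
    return errors or ([] if doc.get("runs") else ["sarif: 'runs' must be a non-empty array"])


def validate_csaf_vex(doc: dict) -> list:
    errors = []
    for key in ("csaf_version", "publisher", "title", "tracking"):
        if key not in doc.get("document", {}):
            errors.append(f"csaf_vex: missing document.{key}")
    if not doc.get("vulnerabilities"):
        errors.append("csaf_vex: missing vulnerabilities array")
    return errors


VALIDATORS = {"OPENVEX": validate_openvex, "SARIF": validate_sarif, "CSAF_VEX": validate_csaf_vex}


def cas_reference(raw: bytes) -> str:
    """Content-addressable reference: the sha256 digest of the exact bytes uploaded."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def ingest_material(name: str, declared_type: str, raw: bytes) -> dict:
    """Check the file matches the contract's declared type, validate it, and build the
    attestation entry (assumed layout) that points at the CAS object by digest."""
    doc = json.loads(raw)
    detected = detect_format(doc)
    if detected != declared_type:
        raise ValueError(f"{name}: contract expects {declared_type}, file looks like {detected}")
    errors = VALIDATORS[declared_type](doc)
    if errors:
        raise ValueError(f"{name}: " + "; ".join(errors))
    return {"name": name, "type": declared_type, "digest": cas_reference(raw), "size": len(raw)}


# Constructed sample documents (placeholder IDs, not real advisories or scan output).
SAMPLE_OPENVEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://example.com/vex/constructed-1",
    "author": "Constructed Example", "timestamp": "2024-01-01T00:00:00Z", "version": 1,
    "statements": [{"vulnerability": {"name": "CVE-0000-0000"},
                    "products": [{"@id": "pkg:oci/example-app@sha256%3A0000"}],
                    "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}],
}).encode()
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{"tool": {"driver": {"name": "constructed-scanner"}}, "results": []}],
}).encode()

if __name__ == "__main__":
    print(ingest_material("disclosure", "OPENVEX", SAMPLE_OPENVEX))
    print(ingest_material("static-out", "SARIF", SAMPLE_SARIF))
```

The type check against the contract matters as much as the schema check: a developer who hands a SARIF file to the `disclosure` material should get a hard failure, not an attestation that quietly carries the wrong evidence under a VEX label.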

VEX in particular is especially useful alongside a Software Bill of Materials (SBOM), since it records which of the vulnerable components listed in the SBOM actually affect the product, so you should expect custom integrations leveraging the two together in Chainloop soon :)

Send feedback our way, and if you like what we do, give our GitHub repository a star and stop by to say hi in our Discord :)