Features
Explore Chainloop's powerful capabilities
AI-Powered SDLC Intelligence
Chainloop provides a remote MCP server that can be used to interact with Chainloop from third-party AI agents. This allows Dev, Sec, Ops, Legal and Compliance to perform complex queries, automatically generate custom compliance reports, or implement agentic workflows.
Currently, Chainloop’s MCP server has been verified to work with Claude Desktop, Cursor, Visual Studio Code, and Dagger.
Central Repository and Evidence Store
Chainloop captures artifacts, CI/CD metadata, and compliance evidence, like audit logs, test results, dependency scanning results, compliance reports, SBOMs, signatures, attestations, and more. It stores this data in a centralized, tamper-proof evidence repository, together with rich contextual information.
Every piece of evidence is connected in a traceable graph, providing complete visibility over your software lifecycle. This ensures that decisions are based on verifiable evidence, reports, artifacts, and data.
CI/CD Integration
Chainloop is able to directly collect evidence from existing CI/CD pipelines, automatically capturing all the necessary metadata from the build environment. This evidence then becomes part of the attestation, providing auditable evidence of security controls in build/deployment environments.
Chainloop can capture data from all popular CI/CD systems, including GitHub Actions, GitLab CI/CD, Jenkins, CircleCI and TeamCity. The data captured include:
- Branch protection settings: required status checks, push restrictions, review dismissal policies, and enforcement rules
- Request configurations: required reviewers, review dismissal rules, and branch update requirements
- Commit protection details: signing requirements, status check policies, and custom protection rules
Built-In Compliance Frameworks
Frameworks provide a way to declaratively encode compliance controls. Chainloop provides a set of pre-built frameworks that can be directly applied to projects. Frameworks are composed of multiple requirements, which can be written in natural language (for example, “container images must be signed”).
Chainloop includes built-in support for common compliance frameworks like NIST, CRA, DORA, SSDF, SLSA, and more. Teams can also create and manage their own private frameworks and requirements.
Compliance data is tracked over time to provide historical views of project health. Exceptions can be added and are automatically recorded in the audit log.
Digital Signing and PKI Integration
Chainloop uses digital signatures with the in-toto framework to protect artifacts and metadata, ensuring a tamper-proof, SLSA-compliant, and verifiable audit trail. Chainloop supports multiple signing methods, including keyed, keyless and custom PKI options.
Signing keys can be sourced from Sigstore Cosign, KMS services, PKCS#11, or Kubernetes/GitLab secrets. Chainloop also provides integrations with enterprise PKI solutions like EJBCA and SignServer.
Built-In Catalog of Evidence Types
Chainloop provides a catalog of built-in evidence types that support most common CI/CD workflows and requirements. These include container images, Helm charts, CSAF advisories, security scan reports, CycloneDX and SPDX SBOMs, DAST reports, SLSA provenance attestations, and many more.
Additionally, teams can define custom evidence types to meet specific requirements.
Flexible, Standards-Compliant Storage
Chainloop supports the Bring Your Own Storage (BYOS) model via its Content Addressable Storage (CAS) repository, which abstracts away the underlying storage engine. Chainloop can be used with all popular OCI-compliant registries and S3-compatible object storage services.
This enables Ops teams to seamlessly use their existing storage infrastructure with Chainloop, giving them maximum control and flexibility and avoiding vendor lock-in. This feature also enables Sec, Ops, Legal and Compliance teams to explicitly define where data is physically stored, thereby meeting government data localization frameworks and requirements.
Observability, Monitoring and Alerts
Chainloop provides a dedicated endpoint for Prometheus instances to fetch metrics, such as the status of the last run and its duration. By combining this Prometheus endpoint with Grafana or other visualization tools, Chainloop makes it possible to create graphs, dashboards and alerts for CI/CD workflows automatically and in a standardized way.
Chainloop also comes with ready-made integrations for notifications in email, Slack, and Discord. These features enable operators to gain real-time insights into their software delivery workflows, and identify and track patterns over time.
Curated Library of Policies-as-Code
Chainloop provides a curated set of policies tailored to common compliance controls, such as SBOM sanity checks, artifact signature verification, license checks, code quality and coverage checks, CVE scans, and many more. Both built-in policies and custom policies are supported.
The results of policy evaluations are stored in Chainloop’s evidence store and can be queried through the user interface. Policies are written in Rego and can be used to evaluate individual materials or the whole attestation document.
Policies are also reusable: this enables security, compliance and legal teams to define global rules (for example, “no GPL dependencies”) and have them enforced consistently across different products.
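The two policy scopes described above (a rule over an individual material such as an SBOM, and a rule over attestation-level metadata such as the branch protection settings listed under CI/CD Integration) can be illustrated with a small evaluator. The code below is an added example, not Chainloop's own policy engine or its Rego policy library: it is plain Python rather than Rego, the CycloneDX SBOM and the attestation metadata are constructed samples, and the metadata key names (`branch_protection`, `required_status_checks`, `required_reviewers`, `signed_commits_required`) are assumptions chosen to mirror the fields named on this page.

```python
import json

# Constructed sample: a minimal CycloneDX 1.5 SBOM, not produced by any real tool.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libfoo", "version": "1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "libbar", "version": "0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "libbaz", "version": "2.0.0",
         "licenses": [{"expression": "LGPL-2.1-or-later OR Apache-2.0"}]},
        {"name": "libqux", "version": "4.1.0"},  # no license declared at all
    ],
})

# Constructed sample: attestation-level CI metadata. The key names are assumptions
# shaped after the branch-protection fields listed on the page, not Chainloop's schema.
SAMPLE_ATTESTATION = {
    "materials": {"sbom": SAMPLE_SBOM},
    "metadata": {
        "branch_protection": {
            "required_status_checks": ["build", "test"],
            "required_reviewers": 1,
            "signed_commits_required": False,
        }
    },
}

# License families denied by the "no GPL dependencies" rule. Whether LGPL belongs
# here is an organisational choice; it is included to show compound expressions.
DENY_PREFIXES = ("GPL-", "AGPL-", "LGPL-")


def license_ids(component):
    """Collect SPDX identifiers from both 'id' entries and 'expression' strings."""
    ids = []
    for entry in component.get("licenses", []):
        if "license" in entry:
            lic = entry["license"]
            ids.append(lic.get("id") or lic.get("name", ""))
        elif "expression" in entry:
            # Tokenise a compound SPDX expression; a deny-list check only needs
            # to know whether any denied identifier appears anywhere in it.
            expr = entry["expression"].replace("(", " ").replace(")", " ")
            ids.extend(t for t in expr.split() if t not in ("AND", "OR", "WITH"))
    return ids


def check_sbom_licenses(sbom_json):
    """Material-level rule: every component declares a license, none is GPL-family."""
    sbom = json.loads(sbom_json)
    violations = []
    for c in sbom.get("components", []):
        ids = license_ids(c)
        if not ids:
            violations.append(f"{c['name']}@{c['version']}: no license declared")
        for lic in ids:
            if lic.upper().startswith(DENY_PREFIXES):
                violations.append(f"{c['name']}@{c['version']}: denied license {lic}")
    return violations


def check_branch_protection(meta, min_reviewers=1, required_checks=("build", "test")):
    """Attestation-level rule over captured branch protection settings."""
    bp = meta.get("branch_protection", {})
    violations = []
    missing = [c for c in required_checks if c not in bp.get("required_status_checks", [])]
    if missing:
        violations.append(f"missing required status checks: {', '.join(missing)}")
    if bp.get("required_reviewers", 0) < min_reviewers:
        violations.append(f"fewer than {min_reviewers} required reviewer(s)")
    if not bp.get("signed_commits_required", False):
        violations.append("signed commits are not required")
    return violations


def evaluate(attestation):
    """Run both rules and return (passed, per-rule violation lists)."""
    results = {
        "sbom-licenses": check_sbom_licenses(attestation["materials"]["sbom"]),
        "branch-protection": check_branch_protection(attestation["metadata"]),
    }
    passed = not any(results.values())
    return passed, results


if __name__ == "__main__":
    ok, report = evaluate(SAMPLE_ATTESTATION)
    print("PASSED" if ok else "FAILED")
    for rule, violations in report.items():
        for v in violations:
            print(f"  [{rule}] {v}")
```

Run on the constructed attestation, the material rule reports three findings (the GPL component, the LGPL term inside the compound expression, and the component with no license) and the attestation rule reports one (commit signing not enforced), so the overall result is a failure. The same functions can be applied unchanged to any other attestation with the same shape, which is the reuse property the text describes for policies.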
Secure, Role-based Access Control and Single Sign-On (SSO)
To ensure the integrity of the data in Chainloop’s evidence store, Chainloop supports role-based access control (RBAC) at both organization and project levels. Five organization-level roles and two project-level roles are provided, allowing organizations to define permissions at a granular level and reduce the risk of unauthorized access or modifications.
This access control mechanism is supported through all of Chainloop’s interfaces, including the Web dashboard, CLI and REST APIs.
Chainloop can also be configured to automatically onboard users to specific organizations and user groups by leveraging either static or dynamic provisioning through Single Sign-On (SSO) via OpenID Connect (OIDC). Chainloop supports OIDC authentication via Google, GitHub, Auth0 or Azure Active Directory.
Extensible Platform with Third-Party Integrations
Chainloop provides a set of ready-to-use integrations to enrich and operate on the data collected. Integrations are currently available for notifications (email, Slack, Discord), SBOM analysis (Dependency-Track), and dependency mapping (GUAC).
Chainloop’s functionality is also extensible via its plugin system; this enables developers and operators to add custom functionality based on their specific needs.
Web Dashboard, CLI and API
Chainloop provides a Web dashboard, a command-line interface (CLI) and a set of REST APIs that Dev, Sec, Ops, Legal and Compliance teams can use to explore and audit evidence, contracts and policies.
- The CLI is the primary interface for developers, enabling them to save attestations and interact with contracts.
- The Web dashboard is intended for non-developers, providing a holistic and centralized view of materials, attestations, policies, contracts and compliance status.
- The APIs make it possible to extend Chainloop and/or integrate Chainloop data with external services and data sources, such as custom PKI solutions or AI tooling.
Access to these interfaces is secured through role-based access control (RBAC), using organization and project roles; the APIs also support keyless OIDC authentication.
Declarative, Immutable Workflow Contracts
Chainloop enables Dev, Sec, and Ops teams to create declarative contracts requiring one or more pieces of evidence (e.g. artifacts, SBOMs, reports) to be attached during the SDLC. Contracts connect evidence with policies, and Chainloop uses these contracts to verify provenance and integrity before any release reaches production.
These contracts are immutable, eliminating ambiguity in decision-making and setting a foundation for mutual trust and transparency between teams. Contracts can be applied to multiple workflows, making it easy to reuse and update them across teams and products.
SBOM Capture and Analysis
Chainloop continuously captures and stores Software Bills of Materials (SBOMs) from CI/CD pipelines (Jenkins, GitHub Actions, GitLab CI/CD, …) and tooling (Trivy, BlackDuck, Checkov, ZAP, SAST, …).
Every SBOM is connected to a release via a traceable graph, providing granular insights for identification, investigation and audit.