Implement control gates and automate risk assessments throughout the software delivery lifecycle

Automated SDLC Governance

Codify rules and policies at every stage of the SDLC with automated enforcement

Automated SDLC Governance architecture diagram

The Challenge

Ensuring secure, consistent software delivery is no longer optional, but implementing it is non-trivial. Policies differ across teams, leading to inconsistencies in how vulnerabilities are reported and assessed. Manual enforcement is subjective and time-consuming, creating friction and delays for DevOps teams. Scaling manual governance across multiple teams and projects is also challenging and can lead to critical issues being missed.

The Chainloop Solution

Chainloop automates risk assessments and continuously validates evidence, creating a tamper-proof audit trail. It enables teams to codify rules and policies at every stage of the SDLC, and implement control gates that automatically block non-conforming builds or releases.

Chainloop continuously evaluates attestations during the build-release cycle against pre-defined policies, providing developers and operators with near-instant feedback on whether or not a specific release is acceptable.

Automated SDLC Governance dashboard screenshot
Key Benefits

Why Choose This Solution

Consistent governance

Consistent, automated SDLC governance based on predefined rules and policies

Real-time decision-making

Real-time, continuous decision-making for SDLC processes based on verifiable evidence

Reduced costs

Reduced operational costs due to the elimination of manual work

Powered By These Features

Explore our platform

AI-Powered SDLC Intelligence

Chainloop provides a remote MCP server that can be used to interact with Chainloop from third-party AI agents. This allows Dev, Sec, Ops, Legal and Compliance to perform complex queries, automatically generate custom compliance reports, or implement agentic workflows.

Currently, Chainloop’s MCP server has been verified to work with Claude Desktop, Cursor, Visual Studio Code, and Dagger.

CI/CD Integration

Chainloop is able to directly collect evidence from existing CI/CD pipelines, automatically capturing all the necessary metadata from the build environment. The captured metadata becomes part of the attestation, providing an auditable record of the security controls in place in build and deployment environments.

Chainloop can capture data from all popular CI/CD systems, including GitHub Actions, GitLab CI/CD, Jenkins, CircleCI and TeamCity. The data captured include:

  • Branch protection settings: required status checks, push restrictions, review dismissal policies, and enforcement rules
  • Pull request configurations: required reviewers, review dismissal rules, and branch update requirements
  • Commit protection details: signing requirements, status check policies, and custom protection rules

Observability, Monitoring and Alerts

Chainloop provides a dedicated endpoint for Prometheus instances to fetch metrics, such as the status of the last run and its duration. By combining this Prometheus endpoint with Grafana or other visualization tools, Chainloop makes it possible to create graphs, dashboards and alerts for CI/CD workflows automatically and in a standardized way.

Chainloop also comes with ready-made integrations for notifications in email, Slack, and Discord. These features enable operators to gain real-time insights into their software delivery workflows, and identify and track patterns over time.

Curated Library of Policies-as-Code

Chainloop provides a curated set of policies tailored to common compliance controls, such as SBOM sanity checks, artifact signature verification, license checks, code quality and coverage checks, CVE scans, and many more. Both built-in policies and custom policies are supported.

The results of policy evaluations are stored in Chainloop’s evidence store and can be queried through the user interface. Policies are written in Rego and can be used to evaluate individual materials or the whole attestation document.

Policies are also reusable: this enables security, compliance and legal teams to define global rules (for example, “no GPL dependencies”) and have them enforced consistently across different products.
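As an added illustration (not a policy from Chainloop's curated library), this is what the global "no GPL dependencies" rule and a basic SBOM sanity check can look like as an OPA Rego policy evaluated against a CycloneDX SBOM passed in as `input`. The forbidden-prefix list, the violation message format and the shape of the final `result` object are assumptions made for this example; Chainloop's policy documentation defines the exact interface its engine expects and how a Rego body is wrapped into a policy and referenced from a contract.

```rego
# Added example, not Chainloop's own policy code. Evaluates a CycloneDX SBOM
# (`input`) against a "no GPL dependencies" rule plus a sanity check.
package main

import rego.v1

# SPDX identifier prefixes the rule forbids (assumed list for this example).
# The check works on SPDX identifiers; free-text license names such as
# "GNU General Public License v3" are not normalised here.
forbidden_prefixes := {"GPL-", "AGPL-", "LGPL-"}

# CycloneDX records a license as {"license": {"id": "MIT"}},
# {"license": {"name": "..."}} or as an SPDX {"expression": "MIT OR GPL-2.0-only"}.
# Collect one [component, license-string] pair per entry, whichever form is used.
component_license contains [comp, lic] if {
	some comp in input.components
	some entry in object.get(comp, "licenses", [])
	lic := entry.license.id
}

component_license contains [comp, lic] if {
	some comp in input.components
	some entry in object.get(comp, "licenses", [])
	not entry.license.id
	lic := entry.license.name
}

component_license contains [comp, lic] if {
	some comp in input.components
	some entry in object.get(comp, "licenses", [])
	lic := entry.expression
}

# A dual-license expression offering an alternative ("MIT OR GPL-2.0-only") is
# not a violation: the consumer may take the non-GPL option. Everything else is
# tokenised on whitespace so "MIT AND GPL-3.0-only" is still caught.
forbidden(lic) if {
	not contains(lic, " OR ")
	some token in split(lic, " ")
	some prefix in forbidden_prefixes
	startswith(trim(token, "()"), prefix)
}

violations contains msg if {
	some [comp, lic] in component_license
	forbidden(lic)
	msg := sprintf("%s@%s is licensed under %s", [comp.name, object.get(comp, "version", "?"), lic])
}

# SBOM sanity checks: the document must be CycloneDX and must list components.
violations contains "input is not a CycloneDX document" if {
	object.get(input, "bomFormat", "") != "CycloneDX"
}

violations contains "SBOM lists no components" if {
	count(object.get(input, "components", [])) == 0
}

# Assumed result shape: a policy is satisfied when the violation set is empty.
result := {
	"skipped": false,
	"violations": violations,
}
```

To try it stand-alone, save the policy as `policy.rego` and run `opa eval --format pretty -i sbom.json -d policy.rego 'data.main.result'` against any CycloneDX JSON file; a non-empty `violations` array is what a control gate would turn into a blocked release.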

Declarative, Immutable Workflow Contracts

Chainloop enables Dev, Sec, and Ops teams to create declarative contracts requiring one or more pieces of evidence (e.g. artifacts, SBOMs, reports) to be attached during the SDLC. Contracts connect evidence with policies, and Chainloop uses these contracts to verify provenance and integrity before any release reaches production.

These contracts are immutable, eliminating ambiguity in decision-making and setting a foundation for mutual trust and transparency between teams. Contracts can be applied to multiple workflows, making it easy to reuse and update them across teams and products.

Ready to Get Started?

See how Chainloop can transform your software delivery workflow