Continuous Compliance

Frameworks provide a way to declaratively encode compliance controls. Chainloop provides a set of pre-built frameworks that can be directly applied to projects. Frameworks are composed of multiple requirements, which can be written in natural language (for example, “container images must be signed”).

Chainloop includes built-in support for common compliance frameworks like NIST, CRA, DORA, SSDF, SLSA, and more. Teams can also create and manage their own private frameworks and requirements.

Compliance data is tracked over time to provide historical views of project health. Exceptions are supported, can be added, and are automatically recorded in the audit log.

Chainloop provides a curated set of policies tailored to common compliance controls, such as SBOM sanity checks, artifact signature verification, license checks, code quality and coverage checks, CVE scans, and many more. Both built-in policies and custom policies are supported.

The results of policy evaluations are stored in Chainloop’s evidence store and can be queried through the user interface. Policies are written in Rego and can be used to evaluate individual materials or the whole attestation document.

Policies are also reusable: this enables security, compliance and legal teams to define global rules (for example, “no GPL dependencies”) and have them enforced consistently across different products.

Chainloop enables Dev, Sec, and Ops teams to create declarative contracts requiring one or more pieces of evidence (e.g. artifacts, SBOMs, reports) to be attached during the SDLC lifecycle. Contracts connect evidence with policies, and Chainloop uses these contracts to verify provenance and integrity before any release reaches production.

These contracts are immutable, eliminating ambiguity in decision-making and setting a foundation for mutual trust and transparency between teams. Contracts can be applied to multiple workflows, making it easy to reuse and update them across teams and products.