Centralize license compliance management across projects and teams

Unified License Risk Management

Enforce license policies and track obligations throughout the SDLC

Unified License Risk Management architecture diagram

The Challenge

According to Black Duck’s 2024 “Open Source Security and Risk Analysis” (OSSRA) report, 97% of applications evaluated for the report contained open source components. While this high level of adoption is encouraging, open source license compliance remains a challenge for enterprises. The report found that 56% of all audited applications had license conflicts, and 33% had open source software components with no license or a customized license.

Similarly, in Perforce OpenLogic’s 2025 “State of Open Source Report”, 60% of respondents identified OSS security and compliance as a top challenge.

The Chainloop Solution

Chainloop aggregates license checks from multiple tools into one platform, giving complete visibility of license risk across projects. It ships a curated set of policies tailored to common compliance controls, license checks among them, so that enterprises can enforce license policies, block forbidden open source licenses before they reach a release, establish compliance early in the development process, and track license obligations throughout the SDLC.

Unified License Risk Management dashboard screenshot
Key Benefits

Why Choose This Solution

Centralized management

Centralized license compliance management across projects and teams

Tight CI/CD integration

Tight integration with existing CI/CD pipelines to reduce friction

Pre-defined policies

Curated library of pre-defined policies addressing common license compliance requirements

Immutable archive

Immutable, secure and long-term archive of data for audit purposes

Vendor-neutral

Open-source and vendor-neutral, supporting multiple tools and formats

Powered By These Features

Explore our platform

Central Repository and Evidence Store

Chainloop captures artifacts, CI/CD metadata, and compliance evidence such as audit logs, test results, dependency scanning results, compliance reports, SBOMs, signatures and attestations. It stores this data in a centralized, tamper-evident evidence repository, together with rich contextual information.

Every piece of evidence is connected in a traceable graph, providing complete visibility over your software lifecycle. This ensures that decisions are based on verifiable evidence, reports, artifacts, and data.

CI/CD Integration

Chainloop collects evidence directly from existing CI/CD pipelines, automatically capturing the necessary metadata from the build environment. That metadata becomes part of the attestation, giving auditors verifiable evidence that security controls were in place in the build and deployment environments.

Chainloop can capture data from all popular CI/CD systems, including GitHub Actions, GitLab CI/CD, Jenkins, CircleCI and TeamCity. The data captured includes:

  • Branch protection settings: required status checks, push restrictions, review dismissal policies, and enforcement rules
  • Pull request configurations: required reviewers, review dismissal rules, and branch update requirements
  • Commit protection details: signing requirements, status check policies, and custom protection rules

Curated Library of Policies-as-Code

Chainloop provides a curated set of policies tailored to common compliance controls, such as SBOM sanity checks, artifact signature verification, license checks, code quality and coverage checks, CVE scans, and many more. Both built-in policies and custom policies are supported.

The results of policy evaluations are stored in Chainloop’s evidence store and can be queried through the user interface. Policies are written in Rego and can be used to evaluate individual materials or the whole attestation document.

Policies are also reusable: this enables security, compliance and legal teams to define global rules (for example, “no GPL dependencies”) and have them enforced consistently across different products.
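As an illustration of the kind of global rule described above, here is an added example policy, written for this page and not taken from Chainloop's policy library, that evaluates a CycloneDX JSON SBOM and reports components carrying a forbidden license, components that declare no license at all, and components whose license is not an SPDX identifier (the "no license or customized license" case from the OSSRA figures). The deny list, the sample SBOM and the shape of the `result` object are assumptions; in particular, the exact output contract Chainloop expects from an embedded policy should be checked against its policy documentation before this is wired into a contract.

```rego
# Added example policy (not from Chainloop's policy library): deny forbidden
# licenses in a CycloneDX JSON SBOM. The `input` document is the SBOM itself.
package license_check

import rego.v1

# Assumed organisation-wide deny list of SPDX identifiers; adjust to taste.
forbidden_licenses := {
    "GPL-2.0-only", "GPL-2.0-or-later",
    "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
}

# CycloneDX component licenses come in three shapes:
#   {"license": {"id": "MIT"}}            SPDX identifier
#   {"license": {"name": "Vendor EULA"}}  free-text (non-SPDX) license
#   {"expression": "MIT OR GPL-3.0-only"} SPDX expression
# component_licenses flattens the first and third into (component, license) pairs.
component_licenses contains {"component": comp.name, "license": lic} if {
    some comp in input.components
    some entry in comp.licenses
    lic := entry.license.id
}

# For expressions, split on whitespace and strip parentheses. Every operand of an
# OR is reported, which is deliberately conservative: a dual-licensed component
# is surfaced for legal review rather than silently accepted.
component_licenses contains {"component": comp.name, "license": token} if {
    some comp in input.components
    some entry in comp.licenses
    some raw in split(entry.expression, " ")
    token := trim(raw, "()")
}

# Rule 1: a component carries a license on the deny list.
violations contains msg if {
    some cl in component_licenses
    cl.license in forbidden_licenses
    msg := sprintf("component %q uses forbidden license %s", [cl.component, cl.license])
}

# Rule 2: a component declares no license at all.
violations contains msg if {
    some comp in input.components
    not comp.licenses
    msg := sprintf("component %q declares no license", [comp.name])
}

# Rule 3: a component declares a license by free-text name rather than SPDX id.
violations contains msg if {
    some comp in input.components
    some entry in comp.licenses
    entry.license
    not entry.license.id
    name := object.get(entry.license, "name", "<unnamed>")
    msg := sprintf("component %q declares non-SPDX license %q; needs legal review", [comp.name, name])
}

# Assumed result shape: the hosting policy engine reads `violations` and fails
# the attestation when the set is non-empty. Verify the exact contract expected
# by the platform that will run this policy.
result := {
    "skipped": false,
    "violations": violations,
}

# Constructed sample SBOM for `opa test`; not real project data.
sample_sbom := {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libfoo", "version": "1.2.3", "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "libbar", "version": "0.9", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "libbaz", "version": "2.0", "licenses": [{"expression": "Apache-2.0 OR AGPL-3.0-or-later"}]},
        {"name": "libqux", "version": "4.1"},
        {"name": "libcorp", "version": "1.0", "licenses": [{"license": {"name": "Corp Proprietary EULA"}}]},
    ],
}

# Exactly four findings are expected from the sample: one per rule plus the
# conservative OR-expression hit on libbaz. libfoo (MIT) passes cleanly.
test_license_policy if {
    v := violations with input as sample_sbom
    v == {
        `component "libbar" uses forbidden license GPL-3.0-only`,
        `component "libbaz" uses forbidden license AGPL-3.0-or-later`,
        `component "libqux" declares no license`,
        `component "libcorp" declares non-SPDX license "Corp Proprietary EULA"; needs legal review`,
    }
}
```

Save the file as `license_check.rego` and run `opa test license_check.rego` to execute the embedded test rule, or `opa eval -i sbom.json -d license_check.rego data.license_check.violations` against a real SBOM. Because the deny list lives in one place and the policy only depends on the SBOM's standard CycloneDX fields, the same file can be attached to every product's contract, which is the reuse property the paragraph above describes.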

Web Dashboard, CLI and API

Chainloop provides a Web dashboard, a command-line interface (CLI) and a set of REST APIs that Dev, Sec, Ops, Legal and Compliance teams can use to explore and audit evidence, contracts and policies.

  • The CLI is the primary interface for developers, enabling them to save attestations and interact with contracts.
  • The Web dashboard is intended for non-developers, providing a holistic and centralized view of materials, attestations, policies, contracts and compliance status.
  • The APIs make it possible to extend Chainloop or integrate Chainloop data with external services and data sources, such as custom PKI solutions or AI tooling.

Access to these interfaces is secured through role-based access control (RBAC), using organization and project roles; the APIs also support keyless OIDC authentication.

Ready to Get Started?

See how Chainloop can transform your software delivery workflow