Align teams across the SDLC with shared visibility and automated decision-making

Seamless Collaboration Across Dev, Sec, Ops, Legal and Compliance

Break down silos and foster collaboration with centralized dashboards and policy-driven workflows

The Challenge

Dev and Ops teams want to ship and deploy fast. Sec teams want zero-vulnerability code. Legal and Compliance teams are concerned about licenses, legal regulations, and standards enforcement. All these teams operate in their own silos, rely on different tools, and have competing objectives and priorities. The result? Fragmented information, slow approvals, and release delays.

The Chainloop Solution

Chainloop provides a platform to align developers, operators, and security, compliance, and legal teams across the SDLC. It aggregates and stores data from tools and workflows in different teams, and provides a centralized, secure dashboard for unified visibility.

Teams can define expectations of each other using declarative contracts and policies-as-code and benefit from automated decision-making, end-to-end traceability, and proactive alerts.

Key Benefits

Why Choose This Solution

Shared visibility

Shared visibility of key metrics across all teams

Fast decision-making

Fast, automated decision-making based on evidence, contracts and policies

End-to-end traceability

End-to-end traceability across different SDLC functions

Reduced friction

Reduced friction and improved alignment between teams

Powered By These Features

Explore our platform

Built-In Compliance Frameworks

Frameworks provide a way to declaratively encode compliance controls. Chainloop provides a set of pre-built frameworks that can be directly applied to projects. Frameworks are composed of multiple requirements, which can be written in natural language (for example, “container images must be signed”).

Chainloop includes built-in support for common compliance frameworks like NIST, CRA, DORA, SSDF, SLSA, and more. Teams can also create and manage their own private frameworks and requirements.

Compliance data is tracked over time to provide historical views of project health. Exceptions are supported: they can be added to a project and are automatically recorded in the audit log.

Observability, Monitoring and Alerts

Chainloop provides a dedicated endpoint for Prometheus instances to fetch metrics, such as the status of the last run and its duration. By combining this Prometheus endpoint with Grafana or other visualization tools, Chainloop makes it possible to create graphs, dashboards and alerts for CI/CD workflows automatically and in a standardized way.

Chainloop also comes with ready-made integrations for notifications in email, Slack, and Discord. These features enable operators to gain real-time insights into their software delivery workflows, and identify and track patterns over time.

Secure, Role-based Access Control and Single Sign-On (SSO)

To ensure the integrity of the data in Chainloop’s evidence store, Chainloop supports role-based access control (RBAC) at both organization and project levels. Five organization-level roles and two project-level roles are provided, allowing organizations to define permissions at a granular level and reduce the risk of unauthorized access or modifications.

This access control mechanism is supported through all of Chainloop’s interfaces, including the Web dashboard, CLI and REST APIs.

Chainloop can also be configured to automatically onboard users to specific organizations and user groups by leveraging either static or dynamic provisioning through Single Sign-On (SSO) via OpenID Connect (OIDC). Chainloop supports OIDC authentication via Google, GitHub, Auth0 or Azure Active Directory.

Web Dashboard, CLI and API

Chainloop provides a Web dashboard, a command-line interface (CLI) and a set of REST APIs that Dev, Sec, Ops, Legal and Compliance teams can use to explore and audit evidence, contracts and policies.

  • The CLI is the primary interface for developers, enabling them to save attestations and interact with contracts.
  • The Web dashboard is intended for non-developers, providing a holistic and centralized view of materials, attestations, policies, contracts and compliance status.
  • The APIs make it possible to extend Chainloop and/or integrate Chainloop data with external services and data sources, such as custom PKI solutions or AI tooling.

Access to these interfaces is secured through role-based access control (RBAC), using organization and project roles; the APIs also support keyless OIDC authentication.
