Centralize all security, compliance, and risk metrics in one trusted repository

Single Source of Truth for DevSecOps

Break down silos with a centralized evidence store for all SDLC data

Single Source of Truth for DevSecOps architecture diagram

The Challenge

In large enterprises, security, compliance, and risk metrics are often held in different tools and managed by different teams. When these teams operate in silos and their tools don’t play well with each other, data becomes heavily fragmented, and software quality and risk assessment become harder.

This fragmentation leads to operational inefficiencies, delayed releases, and reactive rather than proactive crisis management. Very often, this data is retained only for a short period, which hinders post-event traceability and introspection.

The Chainloop Solution

Chainloop solves this problem by providing a centralized evidence store which aggregates all the data generated during the SDLC and makes this data available in a standard form to Dev, Sec and Ops teams. The data is stored permanently in a secure, signed and tamper-proof environment.

With a trusted, centralized repository, teams can monitor and prioritize risks, ensure continuous compliance, and work across silos toward the common goal of improving software quality.

Single Source of Truth for DevSecOps dashboard screenshot
Key Benefits

Why Choose This Solution

End-to-end visibility

Complete visibility into the overall health of the enterprise's software delivery workflows

Better decision making

Easier, faster analysis and decision making based on consistent, accurate data flows

Early risk detection

Early detection and mitigation of quality and compliance risks

Trusted archive

Long-term, trusted archive of data for post-event introspection or historical analysis

Cross-team collaboration

Improved cross-team collaboration through shared visibility of key metrics

Powered By These Features

Explore our platform

AI-Powered SDLC Intelligence

Chainloop provides a remote MCP server that can be used to interact with Chainloop from third-party AI agents. This allows Dev, Sec, Ops, Legal and Compliance to perform complex queries, automatically generate custom compliance reports, or implement agentic workflows.

Currently, Chainloop’s MCP server has been verified to work with Claude Desktop, Cursor, Visual Studio Code, and Dagger.

Central Repository and Evidence Store

Chainloop captures artifacts, CI/CD metadata, and compliance evidence such as audit logs, test results, dependency scanning results, compliance reports, SBOMs, signatures, attestations, and more. It stores this data in a centralized, tamper-proof evidence repository, together with rich contextual information.

Every piece of evidence is connected in a traceable graph, providing complete visibility over your software lifecycle. This ensures that decisions are based on verifiable evidence, reports, artifacts, and data.

Digital Signing and PKI Integration

Chainloop uses digital signatures with the in-toto framework to protect artifacts and metadata, ensuring a tamper-proof, SLSA-compliant, and verifiable audit trail. Chainloop supports multiple signing methods, including keyed, keyless and custom PKI options.

Signing keys can be sourced from Sigstore Cosign, KMS services, PKCS#11, or Kubernetes/GitLab secrets. Chainloop also provides integrations with enterprise PKI solutions such as EJBCA and SignServer.

Flexible, Standards-Compliant Storage

Chainloop supports the Bring Your Own Storage (BYOS) model via its Content Addressable Storage (CAS) repository, which abstracts away the underlying storage engine. Chainloop can be used with all popular OCI-compliant registries and S3-compatible object storage services.

This lets Ops teams use their existing storage infrastructure with Chainloop, giving them maximum control and flexibility and avoiding vendor lock-in. It also lets Sec, Ops, Legal and Compliance teams explicitly define where data is physically stored, which helps meet government data localization requirements.

Observability, Monitoring and Alerts

Chainloop provides a dedicated endpoint for Prometheus instances to fetch metrics, such as the status of the last run and its duration. By combining this Prometheus endpoint with Grafana or other visualization tools, Chainloop makes it possible to create graphs, dashboards and alerts for CI/CD workflows automatically and in a standardized way.

Chainloop also comes with ready-made integrations for notifications in email, Slack, and Discord. These features enable operators to gain real-time insights into their software delivery workflows, and identify and track patterns over time.

Web Dashboard, CLI and API

Chainloop provides a Web dashboard, a command-line interface (CLI) and a set of REST APIs that Dev, Sec, Ops, Legal and Compliance teams can use to explore and audit evidence, contracts and policies.

  • The CLI is the primary interface for developers, enabling them to save attestations and interact with contracts.
  • The Web dashboard is intended for non-developers, providing a holistic and centralized view of materials, attestations, policies, contracts and compliance status.
  • The APIs make it possible to extend Chainloop and/or integrate Chainloop data with external services and data sources, such as custom PKI solutions or AI tooling.

Access to these interfaces is secured through role-based access control (RBAC), using organization and project roles; the APIs also support keyless OIDC authentication.
