Secure your software supply chain with automated signing and attestation

Supply Chain Security

Enterprise-grade signing, policy enforcement, and supply chain security at scale

Supply Chain Security architecture diagram

The Challenge

Software supply chain attacks are on the rise, targeting vulnerabilities in build pipelines, dependencies, and artifact signing processes. Organizations need a comprehensive approach to secure their software supply chain, but implementing enterprise-grade security controls often introduces friction and slows down development teams.

Traditional approaches to supply chain security are fragmented, requiring teams to manually coordinate between multiple tools and processes. Without automated policy enforcement and centralized visibility, security gaps can emerge at any stage of the software delivery lifecycle.

The Chainloop Solution

Chainloop provides a centralized evidence store for supply chain metadata, attestations, artifacts, and policies. Security, compliance, and risk management teams can enforce policies seamlessly - without slowing down development. Built on open-source standards like SLSA, in-toto, and Open Policy Agent, Chainloop integrates with Keyfactor EJBCA and SignServer to enable automated, enterprise-grade signing.

The combined Chainloop and Keyfactor solution lets enterprises enforce security and compliance requirements consistently at scale while accelerating software delivery through automation, transparency, and policy-driven controls.

Keyfactor Integration

Chainloop’s integration with Keyfactor EJBCA and SignServer provides:

  • Automated Certificate Lifecycle Management: Seamless integration with Keyfactor’s PKI solutions for automated certificate provisioning and renewal
  • Enterprise-Grade Code Signing: Leverage Keyfactor SignServer for scalable, secure artifact signing
  • Policy-Driven Security: Combine Chainloop’s policy engine with Keyfactor’s PKI capabilities for comprehensive supply chain security
  • Audit Trail: Complete traceability of all signing operations and certificate usage
Supply Chain Security dashboard screenshot
Key Benefits

Why Choose This Solution

Enterprise-grade signing

Automated, enterprise-grade signing with Keyfactor EJBCA and SignServer integration

Policy-driven security

Policy-driven security and compliance at scale

Seamless automation

Seamless integration with existing CI/CD pipelines for automated security controls

Standards-based

Built on open-source standards like SLSA, in-toto, and Open Policy Agent

Accelerated delivery

Accelerate software delivery through automation, transparency, and policy-driven controls

Powered By These Features

Explore our platform

Central Repository and Evidence Store

Chainloop captures artifacts, CI/CD metadata, and compliance evidence such as audit logs, test results, dependency scanning results, compliance reports, SBOMs, signatures, and attestations. It stores this data in a centralized, tamper-evident evidence repository, together with rich contextual information.

Every piece of evidence is connected in a traceable graph, providing complete visibility over your software lifecycle. This ensures that decisions are based on verifiable evidence, reports, artifacts, and data.

CI/CD Integration

Chainloop is able to directly collect evidence from existing CI/CD pipelines, automatically capturing all the necessary metadata from the build environment. This evidence then becomes part of the attestation, providing auditable evidence of security controls in build/deployment environments.

Chainloop can capture data from all popular CI/CD systems, including GitHub Actions, GitLab CI/CD, Jenkins, CircleCI and TeamCity. The captured data includes:

  • Branch protection settings: required status checks, push restrictions, review dismissal policies, and enforcement rules
  • Pull request configurations: required reviewers, review dismissal rules, and branch update requirements
  • Commit protection details: signing requirements, status check policies, and custom protection rules

Digital Signing and PKI Integration

Chainloop signs artifacts and metadata using the in-toto attestation framework, producing a tamper-evident, SLSA-compliant, and verifiable audit trail. Chainloop supports multiple signing methods, including keyed, keyless and custom PKI options.

Signing keys can be sourced from Sigstore Cosign, KMS services, PKCS#11, or Kubernetes/GitLab secrets. Chainloop also integrates with enterprise PKI solutions such as EJBCA and SignServer.
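To make the signing model above concrete, the Go program below is an added example written for this page (it is not Chainloop's implementation). It builds an in-toto v1 statement, wraps it in a DSSE envelope signed with an Ed25519 key, verifies it, and then swaps the subject digest behind the signature to show that verification fails. The key id, subject name, digest and predicate content are constructed, and the assumption that Chainloop's attestations are DSSE-wrapped in-toto statements is not stated on this page. Keyless or PKI-backed signing replaces the raw key with a certificate-bound one; the envelope format is the same, and verification additionally validates the certificate chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

const InTotoPayloadType = "application/vnd.in-toto+json"

// Statement is the in-toto v1 payload: the artifacts attested (subject) plus a typed predicate.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is the DSSE wire format: a base64 payload plus one or more signatures over its PAE.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// PAE is DSSE's Pre-Authentication Encoding: the bytes actually signed. Binding the
// payload type into it stops an envelope being replayed as a different content type.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// Sign serialises the statement and wraps it in an envelope signed by priv.
func Sign(priv ed25519.PrivateKey, keyID string, st Statement) (Envelope, error) {
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, PAE(InTotoPayloadType, payload))
	return Envelope{
		PayloadType: InTotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// Verify accepts the envelope only if some signature validates under pub, and parses
// the payload only after that check: untrusted bytes are never interpreted first.
func Verify(pub ed25519.PublicKey, env Envelope) (Statement, error) {
	if env.PayloadType != InTotoPayloadType {
		return Statement{}, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return Statement{}, err
	}
	pae := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		if sig, err := base64.StdEncoding.DecodeString(s.Sig); err == nil && ed25519.Verify(pub, pae, sig) {
			var st Statement
			if err := json.Unmarshal(payload, &st); err != nil {
				return Statement{}, err
			}
			return st, nil
		}
	}
	return Statement{}, fmt.Errorf("no valid signature for the given key")
}

// Demo signs a constructed statement, verifies it, then swaps the artifact digest
// behind the signature and reports whether the forged envelope still verifies.
func Demo() (genuineOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	st := Statement{ // constructed sample, not a real release
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: "app.tar.gz", Digest: map[string]string{"sha256": "0a1b2c"}}},
		PredicateType: "https://slsa.dev/provenance/v1",
		Predicate:     json.RawMessage(`{"buildDefinition":{"buildType":"https://ci.example/build"}}`),
	}
	env, err := Sign(priv, "ci-signing-key-1", st)
	if err != nil {
		return false, false, err
	}
	_, err = Verify(pub, env)
	genuineOK = err == nil

	st.Subject[0].Digest["sha256"] = "deadbeef" // attacker edits the payload but cannot re-sign
	forged, _ := json.Marshal(st)
	env.Payload = base64.StdEncoding.EncodeToString(forged)
	_, err = Verify(pub, env)
	return genuineOK, err == nil, nil
}
```

Note that Verify never unmarshals the payload before a signature has checked out, and that the key id in the envelope is only a hint for key lookup: trust comes from the verifier's own choice of public key (or, with keyless signing, from the certificate chain), not from anything inside the envelope.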

Curated Library of Policies-as-Code

Chainloop provides a curated set of policies tailored to common compliance controls, such as SBOM sanity checks, artifact signature verification, license checks, code quality and coverage checks, CVE scans, and many more. Both built-in policies and custom policies are supported.

The results of policy evaluations are stored in Chainloop’s evidence store and can be queried through the user interface. Policies are written in Rego and can be used to evaluate individual materials or the whole attestation document.

Policies are also reusable: this enables security, compliance and legal teams to define global rules (for example, “no GPL dependencies”) and have them enforced consistently across different products.

Declarative, Immutable Workflow Contracts

Chainloop enables Dev, Sec, and Ops teams to create declarative contracts requiring one or more pieces of evidence (e.g. artifacts, SBOMs, reports) to be attached during the software delivery lifecycle. Contracts connect evidence with policies, and Chainloop uses these contracts to verify provenance and integrity before any release reaches production.

These contracts are immutable, eliminating ambiguity in decision-making and setting a foundation for mutual trust and transparency between teams. Contracts can be applied to multiple workflows, making it easy to reuse and update them across teams and products.
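To show how the policies described in the previous section and the contracts described here fit together, the Go program below is an added example for this page, not Chainloop's code, and it is written in Go rather than Rego so it runs stand-alone. It models a release contract that requires an SBOM and a container image, plus a "no GPL dependencies" policy evaluated over the SBOM material, and reports every contract and policy violation for a constructed attestation. The material kinds, the contract shape and the sample CycloneDX document are all assumptions made for the example; Chainloop's actual contract schema and policy input format are not shown on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Material is one piece of evidence attached to an attestation, keyed by the
// name the contract gives it.
type Material struct {
	Kind    string // assumed kind labels, e.g. "SBOM_CYCLONEDX_JSON"
	Content []byte
}

type Attestation map[string]Material

// Policy evaluates one material or the whole attestation and returns
// human-readable violations; an empty result means the policy passed.
type Policy struct {
	Name  string
	Check func(att Attestation) []string
}

// Contract declares the evidence a workflow must attach and the policies that run.
type Contract struct {
	Required map[string]string // material name -> required kind
	Policies []Policy
}

// The subset of CycloneDX JSON the license policy reads.
type cycloneDX struct {
	Components []struct {
		Name     string `json:"name"`
		Version  string `json:"version"`
		Licenses []struct {
			License struct {
				ID   string `json:"id"`
				Name string `json:"name"`
			} `json:"license"`
		} `json:"licenses"`
	} `json:"components"`
}

// NoGPL flags any component whose SPDX id or license name mentions GPL. This also
// catches LGPL and AGPL, which is deliberate here; tighten the match if that is too broad.
func NoGPL(material string) Policy {
	return Policy{
		Name: "no-gpl-dependencies",
		Check: func(att Attestation) []string {
			m, ok := att[material]
			if !ok {
				return nil // nothing to evaluate; the contract check reports the missing material
			}
			var bom cycloneDX
			if err := json.Unmarshal(m.Content, &bom); err != nil {
				return []string{fmt.Sprintf("%s: not valid CycloneDX JSON: %v", material, err)}
			}
			var out []string
			for _, c := range bom.Components {
				for _, l := range c.Licenses {
					lic := l.License.ID
					if lic == "" {
						lic = l.License.Name
					}
					if strings.Contains(strings.ToUpper(lic), "GPL") {
						out = append(out, fmt.Sprintf("%s@%s is licensed %s", c.Name, c.Version, lic))
					}
				}
			}
			return out
		},
	}
}

// Evaluate applies the contract: the required-material check first, then every policy.
func Evaluate(c Contract, att Attestation) []string {
	var violations []string
	for name, kind := range c.Required {
		m, ok := att[name]
		switch {
		case !ok:
			violations = append(violations, fmt.Sprintf("contract: required material %q missing", name))
		case m.Kind != kind:
			violations = append(violations, fmt.Sprintf("contract: material %q is %s, expected %s", name, m.Kind, kind))
		}
	}
	for _, p := range c.Policies {
		for _, v := range p.Check(att) {
			violations = append(violations, p.Name+": "+v)
		}
	}
	return violations
}

// Constructed sample SBOM (not a real project): one MIT and one GPL component.
const sampleSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","components":[
 {"name":"left-pad","version":"1.3.0","licenses":[{"license":{"id":"MIT"}}]},
 {"name":"readline","version":"8.2","licenses":[{"license":{"id":"GPL-3.0-only"}}]}]}`

// ReleaseContract is the hypothetical contract a release workflow must satisfy.
func ReleaseContract() Contract {
	return Contract{
		Required: map[string]string{"sbom": "SBOM_CYCLONEDX_JSON", "image": "CONTAINER_IMAGE"},
		Policies: []Policy{NoGPL("sbom")},
	}
}

func main() {
	att := Attestation{
		"sbom":  {Kind: "SBOM_CYCLONEDX_JSON", Content: []byte(sampleSBOM)},
		"image": {Kind: "CONTAINER_IMAGE", Content: []byte("registry.example/app")},
	}
	for _, v := range Evaluate(ReleaseContract(), att) {
		fmt.Println("VIOLATION:", v)
	}
}
```

Because the contract is evaluated before the policies, a missing or mistyped material is reported as a contract violation rather than silently passing a policy that had nothing to inspect; the same contract can be attached to several workflows, which is what makes a rule like "no GPL dependencies" enforceable uniformly across products.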

Ready to Get Started?

See how Chainloop can transform your software delivery workflow