chainloop
Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
As part of the effort of enabling an automatic way of attesting a GitHub release page, Chainloop internally releases its binaries using `goreleaser` and attests the internal output. Ideally that...
Chainloop allows adding materials to a contract that are not part of the specification. In the summary of the attestation those are mixed with the materials that actually belong...
Discuss moving this functionality upstream from labs.
With the changes introduced in https://github.com/chainloop-dev/chainloop/releases/tag/v0.86.0 we added support for CycloneDX 1.6. The truth is that Chainloop supports not only CycloneDX SBOM files but also: HBOM, CBOM, SaasBOM and OBOM....
Check how feasible it is to create a new material type for signatures (.sig). See an example from Chainloop GitHub releases auto discovery: https://github.com/chainloop-dev/chainloop/actions/runs/9222802191/job/25374709147
We want to review the retry/timeout configuration in the CLI, for both connections to the controlplane and for the CAS.
Currently, `chainloop att add` is a sync process; we should document how uploads could be made async, from bash redirections to multi-job with shared remote crafting state.
Currently, you can check chainloop attestation output against an OPA policy with `conftest` for example in a CI runner. We would like to explore how this control gate feature could...
As a follow up of https://github.com/chainloop-dev/chainloop/issues/796, we will add the used CLI version and digest to the local crafting state, so that potential issues can be easily debugged. We would...
The chainloop attestation CLI has an optional behavior enabled via `--graceful-exit` that makes the CLI not fail. In those cases, we might still want to know that the command...