chainloop
Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
Currently they are hardcoded, but it might make sense to make them a build-time setting so users can customize them accordingly and build their own binaries.
We could look into supporting the default zip file and looking inside the JSON for `@programname` to identify the material type. It must support both simple and full scans...
example [twistcli-results-1.1.26-development.263.json](https://uploads.linear.app/81dd9680-e8d5-4393-8e29-c3f90e44a95e/ca3f7a6f-6ff8-4f95-acc5-6744de9d46e9/0207f656-1203-4439-b58d-325be5c4539a?signature=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXRoIjoiLzgxZGQ5NjgwLWU4ZDUtNDM5My04ZTI5LWMzZjkwZTQ0YTk1ZS9jYTNmN2E2Zi02ZmY4LTRmOTUtYWNjNS02NzQ0ZGU5ZDQ2ZTkvMDIwN2Y2NTYtMTIwMy00NDM5LWI1OGQtMzI1YmU1YzQ1MzlhIiwiaWF0IjoxNzI4MDc3OTA0LCJleHAiOjMzMjk4NjM3OTA0fQ.N9NY8Mx1AAmTLjsIKWwDJzklgg3GUTvtp_26uCQmLzM)
This PR adds a new endpoint to query remote policy groups through the providers API. Note that configuration is done through the existing `policy_providers` key, but `/policies` and `/groups` is...
Add support for SCA output from Black Duck in JSON format.
Chainloop is currently using the [HTTP interface](https://docs.keyfactor.com/signserver/latest/client-http-interface) (older) for signing. However, it's advised to use the new [REST interface](https://docs.keyfactor.com/signserver/latest/rest-interface) that provides the verification material after signing. This provides easier verification...
The default policy evaluations output in `attestation describe` is confusing.
### **Proposal: Integrating SBOM and Attestations with Backstage through a Chainloop Extension**

### Context:

I recently developed a version matrix plugin for Backstage that presents package listings for different package...
Given this material `example1.json`:

```
[]
```

We get a panic when adding it to an attestation:

```
> cl att add --value example1.json
WRN API contacted in insecure mode...
```
protovalidate now supports defining shared rules; we could use it for our `name` validation: https://github.com/bufbuild/protovalidate/pull/246