chainloop
Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
Executing the policy sbom-with-licenses over the controlplane migrations sbom shows some components without licenses:
Violations
- Missing licenses for ariga.io/atlas/cmd/atlas (pkg:golang/ariga.io/atlas/[email protected]?package-id=cab9ec0d40a529be#atlas)
- Missing licenses for github.com/ariga/language-tools/packages/language-server-go (pkg:golang/github.com/ariga/[email protected]?package-id=b71cbfd2cf76b196#packages/language-server-go)
These packages are...
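The check behind the violations quoted above can be reproduced outside the policy engine. The Go program below is an added example, not Chainloop code and not the sbom-with-licenses policy itself: it reads the license fields of a CycloneDX JSON SBOM (a constructed sample embedded in the block; the component names and purls are made up) and emits one `Missing licenses for <name> (<purl>)` line per component that carries neither a license id/name nor an SPDX expression, which is the same shape as the policy output shown.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// bom is the minimal subset of a CycloneDX JSON BOM needed for a license-presence check.
type bom struct {
	Components []component `json:"components"`
}

type component struct {
	Name     string          `json:"name"`
	PURL     string          `json:"purl"`
	Licenses []licenseChoice `json:"licenses"`
}

// CycloneDX expresses each license either as {"license": {"id"|"name": ...}}
// or as an SPDX expression {"expression": "MIT OR Apache-2.0"}.
type licenseChoice struct {
	License    *license `json:"license,omitempty"`
	Expression string   `json:"expression,omitempty"`
}

type license struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

// hasLicense is true when at least one license entry carries usable data.
// An empty "licenses": [] array counts as missing, as does an absent key.
func (c component) hasLicense() bool {
	for _, l := range c.Licenses {
		if l.Expression != "" {
			return true
		}
		if l.License != nil && (l.License.ID != "" || l.License.Name != "") {
			return true
		}
	}
	return false
}

// MissingLicenseViolations returns one violation string per component without
// license data, in the "Missing licenses for <name> (<purl>)" shape.
func MissingLicenseViolations(sbomJSON []byte) ([]string, error) {
	var b bom
	if err := json.Unmarshal(sbomJSON, &b); err != nil {
		return nil, fmt.Errorf("parsing sbom: %w", err)
	}
	var violations []string
	for _, c := range b.Components {
		if !c.hasLicense() {
			violations = append(violations, fmt.Sprintf("Missing licenses for %s (%s)", c.Name, c.PURL))
		}
	}
	return violations, nil
}

// sampleSBOM is a constructed CycloneDX document for the example; it is not a
// real Chainloop artifact and the packages listed are fictitious.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "github.com/spf13/cobra", "purl": "pkg:golang/github.com/spf13/cobra@v1.8.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "github.com/foo/bar", "purl": "pkg:golang/github.com/foo/bar@v0.3.1",
     "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
    {"name": "example.com/nolicense", "purl": "pkg:golang/example.com/nolicense@v0.1.0"},
    {"name": "example.com/emptylicense", "purl": "pkg:golang/example.com/emptylicense@v0.2.0",
     "licenses": []}
  ]
}`

func main() {
	violations, err := MissingLicenseViolations([]byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	if len(violations) == 0 {
		fmt.Println("No violations")
		return
	}
	fmt.Println("Violations")
	for _, v := range violations {
		fmt.Println("-", v)
	}
}
```

Treating an empty `licenses` array the same as a missing key matters in practice: SBOM generators that could not resolve a license often emit the empty array rather than dropping the key, and a check that only tests for key presence would pass such components silently.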
```
This command is will run against the organization "miguel"
```
`is` is not needed.
Chainloop provides automatic detection of CI/CD environments to ensure attestations are created in the correct context and to capture relevant execution metadata. This capability, known as runner context, is essential...
Chainloop currently depends on AWS SDK for Go (v1), which has reached End-of-Life and is no longer maintained by AWS. This may introduce security risks and compatibility issues in the...
## Summary
Implemented automatic missing boilerplate injection for rego policies in the engine before policy evaluation.
### Changes
- Rego policy engine now detects missing required rules and injects them...
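As an added illustration of the injection step (example code written for this page, not the Chainloop engine's implementation): the Go function below scans a Rego policy for top-level rule heads, appends a default definition for every required rule that is absent, and rejects a policy that has no `package` declaration. The required rule names (`violations`, `skipped`, `skip_reason`), their default bodies, and the sample policy are assumptions made for the example; the page does not state which rules Chainloop actually requires.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// requiredRule pairs a rule name the engine expects with the Rego default to
// inject when the policy author left it out. Names and defaults are assumed
// for this example and are not taken from Chainloop.
type requiredRule struct {
	Name    string
	Default string
}

var requiredRules = []requiredRule{
	{Name: "violations", Default: "default violations := []"},
	{Name: "skipped", Default: "default skipped := false"},
	{Name: "skip_reason", Default: `default skip_reason := ""`},
}

var packageDecl = regexp.MustCompile(`(?m)^package\s+[A-Za-z_][\w.]*`)

// ruleHead matches a top-level definition of the named rule in any of the
// common head forms: "x := ...", "x = ...", "x[...]", "x { ...", "x contains ...",
// "x if ...", and "default x := ...". Only column-0 heads are considered, so a
// variable assigned inside a rule body (indented) is not mistaken for a rule.
func ruleHead(name string) *regexp.Regexp {
	return regexp.MustCompile(`(?m)^(?:default\s+)?` + regexp.QuoteMeta(name) +
		`\b\s*(?::=|=|\[|\{|contains\b|if\b)`)
}

// InjectBoilerplate returns the policy with defaults appended for each
// required rule that is not defined, plus the list of injected rule names.
func InjectBoilerplate(policy string) (string, []string, error) {
	if !packageDecl.MatchString(policy) {
		return "", nil, errors.New("policy has no package declaration")
	}
	var sb strings.Builder
	sb.WriteString(policy)
	var injected []string
	for _, r := range requiredRules {
		if ruleHead(r.Name).MatchString(policy) {
			continue
		}
		if len(injected) == 0 {
			sb.WriteString("\n\n# --- injected by the engine: missing required rules ---\n")
		}
		sb.WriteString(r.Default + "\n")
		injected = append(injected, r.Name)
	}
	return sb.String(), injected, nil
}

// samplePolicy is a constructed policy that defines violations but omits the
// other required rules.
const samplePolicy = `package chainloop

import rego.v1

violations contains msg if {
    not input.predicate.materials
    msg := "attestation has no materials"
}
`

func main() {
	out, injected, err := InjectBoilerplate(samplePolicy)
	if err != nil {
		panic(err)
	}
	fmt.Printf("injected rules: %v\n\n%s", injected, out)
}
```

Injection is only safe when the engine is certain the rule is absent: appending `default skipped := false` next to an existing `skipped` rule would change the policy's meaning, which is why the detection looks at rule heads rather than at any mention of the name, and why the output is idempotent (running it a second time injects nothing).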
This PR adds validation to contract creation and update, that prevents assigning policies that contain execution path for kind `ATTESTATION` on material level. ## Example: For `sbom-present` policy ``` apiVersion:...
This is an umbrella issue created to track Chainloop's support for Tekton through multiple avenues. - [ ] Chainloop as a storage backend in Tekton Chains - [ ] Tekton...
In https://github.com/chainloop-dev/chainloop/pull/2507 Chainloop got CONTAINER_IMAGE materials coming from local OCI layouts. In some cases, depending on the tool used, there might be some metadata that fits into the current CONTAINER_IMAGE Chainloop...
During the attestation process, materials are uploaded to the storage backend through the CAS service. In cases where the attestation fails or is cancelled, those materials are kept forever in...
When using binary data, the `value` field is interpreted as a String, so the GRPC marshaler complains about invalid UTF-8 data: ```bash ➜ head -c 10 /dev/urandom > random.bin ➜...