chainloop
Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
Currently, metadata attached to an attestation are called `materials` in Chainloop. This term is extracted from [slsa provenance model](https://slsa.dev/provenance/v0.1) in which case the term makes sense since such materials are...
We should document a step-by-step guide on how to create a plugin. We could use the `Discord` plugin as an example. This guide can be later on added...
```[tasklist]
### Tasks
- [ ] Review and improve our plugin [Readme files](https://github.com/chainloop-dev/chainloop/tree/main/app/controlplane/plugins/core) to improve consistency
- [ ] Update the template [Readme.md](https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/core/template/v1/README.md) to define the blueprint and sections
```
Artifact uploading has a download/upload progress bar but it seems that it is not showing during artifact upload in the context of `attestation add` https://github.com/chainloop-dev/chainloop/actions/runs/5309839195/jobs/9611138088
For the UI frontend we have enabled `grpc-web` in the backend via [improbable-eng/grpc-web](https://github.com/improbable-eng/grpc-web), which has been deprecated in favor of the official grpc-web support. This means to a) find a...
Chainloop control plane has a mechanism to forward received DSSE attestation envelopes or SBOMs to different backends, i.e. OCI registry or Dependency-Track. This means that conceptually both OCI registries...
The extensions SDK should support custom errors that tweak two aspects: a) error message exposure / logging / alerting, b) retry nature. For example - validation error: A validation error...
Currently, our go-releaser setup will create a pre-defined GitHub release whose body is just the Changelog ([example](https://github.com/chainloop-dev/chainloop/releases/tag/v0.9.1)). go-releaser [has a mechanism](https://goreleaser.com/customization/release/) to add additional templates to the release body that...
Currently, no verification is done when an attestation is received in the control plane. Creation and validation checks are done on the client side, but not on the server side....
Chainloop currently has a mechanism to send attestation and artifact metadata to third-party integrations such as an OCI registry (attestation) and Dependency-Track (CycloneDX SBOM). Its implementation today happens in the...