chainloop
chainloop copied to clipboard
chainloop-dev
Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
Operators can attach integrations to their workflows, this means that these integrations will get triggered when an attestation is received. The problem with the current implementation is that there is...
**IMPORTANT: This will be potentially superseded by https://github.com/chainloop-dev/chainloop/issues/122** During the attestation process, the CLI will make sure that before crafting, signing and pushing the in-toto attestation to the control-plane, it...
Operators can setup third-party integrations to send materials or attestations once received by the controlplane. These integrations in general are meant to be off-the-shelf i.e dependency-track, guacsec/guac, OCI registry, but...
Currently, DSSE envelopes generated are signed and verified via a asymmetric cosign key. Signing and pushing in the CI ``` chainloop attestation push --key [COSIGN PRIVATE KEY] ``` Verification on...
Currently, once you install or upgrade the Chainloop Helm Chart you get this information ``` ########################################################################### CONFIGURE CLI ########################################################################### Configure the CLI to point to this instance, for example chainloop...
Currently, for development [we leverage](https://github.com/chainloop-dev/chainloop/tree/main/devel) a combination of native execution (`go run`) and `docker compose` for its dependencies. We now have a Helm Chart [deployment template](https://github.com/chainloop-dev/chainloop/tree/main/deployment/chainloop) that not incidentally includes...
We'd like to explore what creating attestations from an ansible playbook could look like and hence adding it to the list of supported runner types. This task is about -...
Chainloop supports two backends to store secrets, `vault` and `aws secrets manager`. The choice of one vs the other can be done via config flags i.e https://github.com/chainloop-dev/chainloop/blob/3ff9be10aa50c3df00cb081f58e8ae8bced00534/app/controlplane/internal/conf/conf.proto#L95-L98 One of the...
It's currently not possible to push an existing annotation to Chainloop without crafting one via Chainloop. The desired behavior would be to allow users to push their own attestations (e.g...
The current tool of choice to browse the TLog is https://rekor.tlog.dev/ I believe Chainloop could provide an alternative that is more in line with its scope of contract and materials...
Metadata
Owner
Metadata
Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.