November 14, 2025
  • Add UI support for preventing workflow creation - organization setting now available in the UI to require explicit workflow creation before attestations, preventing automatic workflow proliferation in automated environments
November 14, 2025
  • Extend chainloop-best-practices framework with Source Code integrity controls - automatically verify branch protection policies, code review requirements, commit signing, and SAST scanning to ensure secure development practices across repositories
November 14, 2025
  • Add --existing-version flag to attestation init command - ensure attestations only associate with pre-existing project versions, preventing accidental version creation during backpatching and packaging workflows
# Fail if version doesn't exist (useful for backpatches)
chainloop att init --workflow sast --project my-project --version v1.2.3 --existing-version

# Error output when version doesn't exist:
# ERR validation error: project version "v1.2.3" not found
November 14, 2025
  • Add CLI commands for project management - create, list, update, describe, and delete projects directly from the command line
# Create a new project
chainloop project create --name my-project --description "My project description"

# List all projects
chainloop project list
November 14, 2025
  • Add CLI commands for project version management - create, list, update, describe, and delete project versions with prerelease/release status control
# Create a new prerelease version
chainloop project version create --project my-project --name v1.0.0

# Create a released version
chainloop project version create --project my-project --name v1.0.0 --is-released
November 11, 2025
  • Add skip_upload capability to workflow contracts - control whether materials are uploaded to CAS while still recording metadata like digest and filename in attestations, enabling efficient attestation of large artifacts already stored externally
# Example
apiVersion: chainloop.dev/v1
kind: Contract
metadata:
  name: my-workflow
spec:
  materials:
    - name: large-binary
      type: ARTIFACT
      skip_upload: true  # Only record metadata, don't upload to CAS
    - name: sbom
      type: SBOM_CYCLONEDX_JSON
      # skip_upload defaults to false - normal upload behavior
November 11, 2025
chainloop att init --workflow sast --project my-project-2222
ERR creating workflows during the attestation process is disabled for this organization. Please create them in advance or contact your administrator
November 11, 2025
  • Add external policy references support to policy devel eval command - evaluate policies from HTTP/HTTPS URLs (https://...), Chainloop registry (chainloop://policy-name), or local files for flexible policy testing and development workflows
# Evaluate policy from HTTP URL
chainloop policy devel eval --policy https://raw.githubusercontent.com/chainloop-dev/chainloop/main/docs/examples/policies/quickstart/cdx-fresh.yaml --material sbom.json
{
 "result": {
    "violations": [
       "SBOM created at: 2024-01-09T12:00:00Z which is too old (freshness limit set to 30 days)"
    ],
    "skip_reasons": [],
    "skipped": false
 }
}

# Evaluate policy from Chainloop registry
chainloop policy devel eval --policy chainloop://sbom-ntia --material sbom.json
{
 "result": {
    "violations": [
       "missing author",
       "missing supplier for 'AES-256-GCM'",
       "missing supplier for 'ECDH'",
       "missing supplier for 'RSA-2048'",
       "missing supplier for 'SHA384'",
       "missing supplier for 'SHA512withRSA'",
       "missing supplier for 'TLSv1.2'",
       "missing supplier for 'google.com'",
       "missing unique identifier (PURL, CPE, SWID) for 'AES-256-GCM'",
       "missing unique identifier (PURL, CPE, SWID) for 'ECDH'",
       "missing unique identifier (PURL, CPE, SWID) for 'RSA-2048'",
       "missing unique identifier (PURL, CPE, SWID) for 'SHA384'",
       "missing unique identifier (PURL, CPE, SWID) for 'SHA512withRSA'",
       "missing unique identifier (PURL, CPE, SWID) for 'TLSv1.2'",
       "missing unique identifier (PURL, CPE, SWID) for 'google.com'",
       "missing version for 'AES-256-GCM'",
       "missing version for 'ECDH'",
       "missing version for 'RSA-2048'",
       "missing version for 'SHA384'",
       "missing version for 'SHA512withRSA'",
       "missing version for 'TLSv1.2'",
       "missing version for 'google.com'"
    ],
    "skip_reasons": [],
    "skipped": false
 }
}
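The JSON printed by `policy devel eval` can be consumed in CI. The sketch below is an added example, not part of the Chainloop CLI: it groups the violation strings by component and returns a verdict. The sample is a shortened, constructed copy of the output above, and treating `"skipped": true` as "not evaluated" rather than "passed" is an assumption about that field.

```python
import json
import re
from collections import defaultdict

# Constructed sample: shortened copy of the sbom-ntia output shown above.
SAMPLE = """
{
 "result": {
    "violations": [
       "missing author",
       "missing supplier for 'ECDH'",
       "missing supplier for 'google.com'",
       "missing unique identifier (PURL, CPE, SWID) for 'ECDH'",
       "missing version for 'ECDH'",
       "missing version for 'google.com'"
    ],
    "skip_reasons": [],
    "skipped": false
 }
}
"""

# "<problem> for '<component>'"; messages without a component are document-level.
_PER_COMPONENT = re.compile(r"^(?P<problem>.+) for '(?P<component>[^']+)'$")

def summarize(raw):
    """Return (verdict, {component: [problems]}) for one eval result."""
    result = json.loads(raw)["result"]
    by_component = defaultdict(list)
    for msg in result.get("violations", []):
        m = _PER_COMPONENT.match(msg)
        if m:
            by_component[m["component"]].append(m["problem"])
        else:
            by_component["<document>"].append(msg)
    if result.get("skipped"):
        # Assumption: a skipped policy evaluated nothing, so an empty
        # violations list must not be reported as a pass.
        verdict = "skipped"
    elif by_component:
        verdict = "fail"
    else:
        verdict = "pass"
    return verdict, dict(by_component)

if __name__ == "__main__":
    verdict, grouped = summarize(SAMPLE)
    print(verdict)
    for component, problems in sorted(grouped.items()):
        print(f"{component}: {', '.join(problems)}")
```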
November 06, 2025
  • Slack webhooks can now be used to send System and Product notifications, in addition to current attestation fan-out messages.
November 03, 2025
  • Add support for attesting container images from local OCI layout directories - enables secure image attestation in air-gapped environments and registry-less deployments without requiring image push to remote registries
# Single image layout (automatic)
chainloop attestation add \
  --name my-app \
  --value /path/to/oci-layout \
  --kind CONTAINER_IMAGE

# Multi-image layout (requires digest selector)
chainloop attestation add \
  --name my-app \
  --value /path/to/oci-layout@sha256:9a7ef86e19... \
  --kind CONTAINER_IMAGE
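To find the digest that goes after `@` for a multi-image layout, the layout's `index.json` can be read directly. This is an added example, not Chainloop code: it assumes the selector is the digest of a top-level descriptor in `index.json`, re-hashes each referenced blob before offering it, and uses constructed helper names and a constructed sample layout.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def image_selectors(layout_dir):
    """Digests of the top-level descriptors in index.json, each re-hashed."""
    root = Path(layout_dir)
    if not (root / "oci-layout").is_file():
        raise ValueError(f"{root}: no oci-layout file, not an OCI image layout")
    index = json.loads((root / "index.json").read_text())
    digests = []
    for desc in index.get("manifests", []):
        algo, _, hexdigest = desc["digest"].partition(":")
        if algo != "sha256":
            raise ValueError(f"unsupported digest algorithm: {algo!r}")
        blob = root / "blobs" / algo / hexdigest
        # Refuse to hand out a selector for a blob that does not hash to its name.
        if hashlib.sha256(blob.read_bytes()).hexdigest() != hexdigest:
            raise ValueError(f"blob {hexdigest[:12]} does not match its digest")
        digests.append(desc["digest"])
    return digests

def attest_values(layout_dir):
    """One --value per image: bare path if single, path@digest if several."""
    digests = image_selectors(layout_dir)
    if len(digests) == 1:
        return [str(layout_dir)]
    return [f"{layout_dir}@{d}" for d in digests]

def build_sample_layout(root, manifests):
    """Write a constructed layout holding the given manifest bodies (bytes)."""
    root = Path(root)
    (root / "blobs" / "sha256").mkdir(parents=True)
    (root / "oci-layout").write_text('{"imageLayoutVersion": "1.0.0"}')
    entries = []
    for body in manifests:
        hexdigest = hashlib.sha256(body).hexdigest()
        (root / "blobs" / "sha256" / hexdigest).write_bytes(body)
        entries.append({"mediaType": "application/vnd.oci.image.manifest.v1+json",
                        "digest": f"sha256:{hexdigest}", "size": len(body)})
    (root / "index.json").write_text(json.dumps({"schemaVersion": 2, "manifests": entries}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        layout = build_sample_layout(Path(tmp) / "layout", [b'{"a":1}', b'{"b":2}'])
        for value in attest_values(layout):
            print("chainloop attestation add --name my-app --kind CONTAINER_IMAGE --value", value)
```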
  • Add custom endpoint configuration for Azure Blob Storage CAS backends - enables support for Azure Government Cloud and other sovereign cloud environments by allowing custom endpoint suffixes
October 31, 2025
# Create or update a policy group
chainloop policy-group apply --file sbom-quality.yaml

# List all policy groups
chainloop policy-group list

# Describe a specific policy group
chainloop policy-group describe --name sbom-quality
  • Add chainloop workflow contract apply command for declarative contract management - simplifies contract lifecycle by creating or updating contracts from YAML files in a single operation
October 28, 2025
  • Introduce Chainloop CLI Enterprise Edition - proprietary extension of the open-source CLI with additional features and capabilities available in platform paid plans
# Install CLI Enterprise Edition
curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- -ee
Key features include:
  • Declarative policy management - store and reuse custom policies in the platform with YAML-based configuration and Rego evaluation logic for consistent supply chain security enforcement across workflows
  • Advanced runner context - capture and attest CI/CD environment security configuration including branch protection settings, pull request requirements, and commit protection for enhanced compliance verification
October 25, 2025
  • Add Compliance Overview to product view for comprehensive visibility into compliance frameworks and requirements across product versions with drill-down capabilities into underlying projects
  • Add Evidence tab to product view for centralized access to all pieces of evidence across product versions, including artifacts, SBOMs, VEX documents, vulnerability reports, and provenance data with advanced filtering capabilities
October 22, 2025
  • Add notification trigger for product releases - receive alerts when new product versions are released
October 21, 2025
  • Expose an OpenAPI spec preconfigured for your specific instance of Chainloop. You can find it at https://your-backend-instance/openapi.yaml
October 20, 2025
  • Add notifications for aggregated product compliance changes - stay informed about compliance status updates (failures and recoveries)
October 17, 2025
October 15, 2025
  • Add Evidence tab to project view for centralized access to all pieces of evidence, including artifacts, SBOMs, VEX documents, vulnerability reports, and provenance data with advanced filtering capabilities
October 10, 2025
  • Add system status page to monitor platform health and view past incidents in real-time
October 09, 2025
  • Introduce Business Units - organize products by department, division, or team for better organizational structure management
September 15, 2025
  • Display user group memberships in the members table with contextual group inspection
September 13, 2025
  • Allow re-evaluating requirements from existing workflow runs
September 12, 2025
  • Fix GitLab integration authentication issues
September 09, 2025
  • Implement automatic Storage backend health checks every 30 minutes with owner notifications on status changes via Email and Audit Log
September 04, 2025
  • Improve product compliance view with aggregated compliance charts
  • Fix CAS backend permission errors when storage cannot be reached
September 03, 2025
September 02, 2025
  • Allow product-level applicability settings with inheritance to project versions
  • Extend banned-licenses policy to support SPDX license expressions
August 29, 2025
  • Allow creating product versions from previous ones - streamlines version management by pre-populating projects and compliance mappings
August 28, 2025
  • Replace bitnami containers with custom builds to address container initialization issues
August 27, 2025
  • Requirements applicability for projects and versions - define which requirements apply to specific projects or versions within a product for tailored compliance management
August 25, 2025
  • Pin project versions on product releases to maintain stable relationships
  • Standardize on “pre-release” terminology across the platform
August 18, 2025
  • Enable inviting external users to products
  • Add audit entries when adding users/groups to products and projects
August 15, 2025
August 14, 2025
  • Product version lifecycle management
August 8, 2025
  • Add contextual help links in UI pointing to documentation and RBAC guide
July 18, 2025
  • Ensure at least one Org Owner is present in the organization before leaving
Refer to this collection of blog posts for additional historical changes.