December 18, 2025
  • Add automatic detection of Pull Request and Merge Request information during attestation - captures PR/MR metadata including title and description during attestation initialization, automatically gathering context about code review activities. This change introduces a new material type called CHAINLOOP_PR_INFO that’s automatically added to attestations when a PR/MR is detected in the CI/CD environment.
    {
        "chainloop.material.evidence.id": "CHAINLOOP_PR_INFO",
        "schema": "https://schemas.chainloop.dev/prinfo/1.0/pr-info.schema.json",
        "data": {
            "platform": "github",
            "type": "pull_request",
            "number": "3621",
            "title": "chore(frontend): fix trust hub loading",
            "description": "This patch fixes the loading skeleton in trust hub graph, without the min height the skeleton wasn't displayed properly (it was almost invisible)",
            "source_branch": "feat/trust-hub-graph-fix",
            "target_branch": "main",
            "url": "https://github.com/chainloop-dev/chainkloop/pull/3621",
            "author": "john"
        }
    }
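A policy that consumes this material, as an added example that is not code from the Chainloop changelog or project. It assumes the material's JSON document is handed to the policy as `input`, so the fields shown above are reachable as `input.data.*`; the protected-branch set is a constructed example value.

```rego
package main

import rego.v1

# Added example policy for the CHAINLOOP_PR_INFO material; not part of Chainloop itself.
# Assumption: the material's JSON document is exposed to the policy as `input`, so the
# fields from the sample above live under `input.data`.

result := {"violations": violations}

# Constructed example: branches that must only receive documented, reviewed changes.
protected_branches := {"main", "release"}

expected_schema := "https://schemas.chainloop.dev/prinfo/1.0/pr-info.schema.json"

# Refuse to reason about a document that does not declare the schema we expect.
violations contains msg if {
    input.schema != expected_schema
    msg := sprintf("unexpected PR info schema: %s", [input.schema])
}

# Changes into a protected branch must carry a non-empty description.
violations contains msg if {
    input.data.target_branch in protected_branches
    trim_space(object.get(input.data, "description", "")) == ""
    msg := sprintf("PR #%s targets %s without a description", [input.data.number, input.data.target_branch])
}

# A PR whose source and target are the same branch does not review a change.
violations contains msg if {
    input.data.source_branch == input.data.target_branch
    msg := sprintf("PR #%s has identical source and target branch %s", [input.data.number, input.data.source_branch])
}

# Every change into a protected branch must be attributable to an author.
violations contains msg if {
    input.data.target_branch in protected_branches
    trim_space(object.get(input.data, "author", "")) == ""
    msg := sprintf("PR #%s has no author recorded", [input.data.number])
}
```

Attached with `gate: true`, this policy turns missing review context into a hard stop for the attestation rather than a warning recorded alongside it. Evaluating it locally against the sample document with `chainloop policy devel eval` is the quickest way to check the rules before attaching them to a contract.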
    
  • Add organization setting to restrict project-scoped contract creation - administrators can now prevent project admins from creating project-level contracts, ensuring all contracts are managed at the organization level to prevent contract sprawl. [Image: Restrict Project Contracts]
December 17, 2025
Trust Hub improvements & restyling: Trust Hub graphs now have a new, more modern style. We also introduce some UX improvements, e.g. graph centering on load, tooltips on node hover, collapsible references, and click-to-load-more handling for nodes. [Image: Trust Hub Improvements]
December 16, 2025

Control gates

Introduce control gates - policies can now act as gates during attestation, interrupting the attestation process when violations are detected through the gate property in policy attachments, enabling fail-fast policy enforcement in CI/CD pipelines
  apiVersion: chainloop.dev/v1
  kind: Contract
  metadata:
    name: my-workflow
  spec:
    policies:
      materials:
        - ref: critical-policy
          gate: true  # Fail attestation on violations

CLI updates

  • Add evidence list command to CLI Enterprise Edition - list and filter evidence programmatically from the command line for automation and reporting workflows
    # List evidence for a project
    chainloop evidence list --project my-project
    
    # Filter by evidence type
    chainloop evidence list --project my-project --kind SBOM_CYCLONEDX_JSON
    
    

Policy engine improvements

  • chainloop.evidence built-in function for policy engine - retrieve and query evidence across projects and product versions within Rego policies for advanced compliance scenarios
    package main
    import rego.v1
    
    result := {"violations": violations}
    
    violations contains msg if {
      evidence := chainloop.evidence({
        "project_name": "my-project",
        "kind": ["SBOM_CYCLONEDX_JSON"]
      })
    
      count(evidence.result) == 0
      msg := "No SBOM found for project"
    }
    
  • chainloop.project_compliance built-in function for policy engine - query compliance requirement evaluations within policies using declarative project and version names for control gate implementations
    package main
    import rego.v1
    
    result := {"violations": violations}
    
    violations contains msg if {
      compliance := chainloop.project_compliance({
        "project_name": "my-project",
        "project_version_name": "v1.0.0"
      })
    
      some eval in compliance.evaluations
      eval.status == "fail"
      msg := sprintf("Requirement %s failed", [eval.name])
    }
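One gate policy that uses both builtins, as an added example that goes beyond the two entries above by parametrizing the names and reporting every failure at once; it is not code from the Chainloop changelog or project. It assumes policy inputs are read from `input.args` (here `project` and `version`), that `chainloop.evidence` returns its matches under `result`, and that `chainloop.project_compliance` returns `evaluations` with `name` and `status` fields, as shown in the entries above; the required-kinds set is a constructed example value.

```rego
package main

import rego.v1

# Added example combining both builtins into one control-gate policy; not from the changelog.
# Assumptions: policy inputs are exposed as `input.args` (`project` and `version`),
# chainloop.evidence returns matches under `result`, and chainloop.project_compliance
# returns `evaluations` carrying `name` and `status`, as in the entries above.

result := {"violations": violations}

# Constructed example: evidence kinds every project version must carry.
required_kinds := {"SBOM_CYCLONEDX_JSON"}

# One violation per missing evidence kind, so the gate reports everything at once.
violations contains msg if {
    some kind in required_kinds
    evidence := chainloop.evidence({
        "project_name": input.args.project,
        "kind": [kind],
    })
    count(evidence.result) == 0
    msg := sprintf("no %s evidence found for project %s", [kind, input.args.project])
}

# Names of every compliance requirement whose latest evaluation failed.
failed_requirements contains name if {
    compliance := chainloop.project_compliance({
        "project_name": input.args.project,
        "project_version_name": input.args.version,
    })
    some eval in compliance.evaluations
    eval.status == "fail"
    name := eval.name
}

# Summarise all failed requirements in a single, sorted message.
violations contains msg if {
    count(failed_requirements) > 0
    msg := sprintf("%d requirement(s) failed for %s %s: %s", [
        count(failed_requirements),
        input.args.project,
        input.args.version,
        concat(", ", sort(failed_requirements)),
    ])
}
```

Collecting the failed names into a set before emitting one message keeps the attestation output readable when many requirements fail, while the per-kind evidence rule still yields one line per missing artifact so each gap is visible.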
    
December 15, 2025
  • Fix contract schema: move annotations from metadata to spec - attestation-level annotations now correctly reside in the spec.annotations field instead of metadata.annotations for proper semantic alignment
apiVersion: chainloop.dev/v1
kind: Contract
metadata:
  name: my-workflow
spec:
  annotations:  # Correct location
    - name: release-version
      value: "1.0.0"
December 12, 2025
  • Introduce comments system for requirement evaluations - add comments and justifications to compliance requirement evaluations with markdown support, enabling teams to document decisions, provide context, and collaborate on compliance assessments. [Image: Comments System]
  • Fix 404 error when saving first contract in web UI - contract creation now works correctly on first save
  • Fix user invitation dialog to handle leading whitespace - email inputs are now trimmed automatically to prevent invitation failures
  • Fix unsaved changes alert when updating CAS backend descriptions - form now correctly detects and warns about unsaved changes
November 28, 2025

Platform v0.302.1

SLSA 1.2 release

Chainloop now supports SLSA 1.2, the latest version of the Supply-chain Levels for Software Artifacts framework. This update brings enhanced provenance attestation capabilities and improved compliance tracking aligned with the latest SLSA specifications. For more information, see our SLSA guides for best practices and implementation steps. [Image: SLSA 1.2 Support]

Requirement evaluation overrides

You can now manually override the evaluation status of compliance requirements with justification. This enables teams to document exceptions and provide context when requirements cannot be met through automated means. Overrides are available in both project and product evaluation views. When a requirement is overridden, the status badge changes to “Status Overridden” and displays the justification below the evaluation header. Overrides are also included in the product compliance API response for programmatic access. [Images: Override Dialog, Override Status Display]
  • Evaluations - Fixed 500 errors caused by cache failures. The system now gracefully handles cache reconnection issues by logging and recovering instead of returning errors
  • Evidence API - Fixed product version filtering to correctly use the specific project version attached to the product version, rather than any version of the underlying project
  • Built-in frameworks - Fixed parent section references not updating when frameworks are renamed (e.g., slsa-1-1 to slsa-1-2). Sections now correctly maintain their hierarchy position
  • Frameworks - Improved scrolling behavior for deeply nested sections (more than 2 levels)
  • Table of contents - Removed buggy tooltip from table of contents component
November 20, 2025
  • Add skip field to policy group attachments - selectively exclude specific policies from evaluation within a policy group without modifying the group itself, enabling flexible policy enforcement per workflow
apiVersion: chainloop.dev/v1
kind: Contract
metadata:
  name: example-contract
spec:
  policyGroups:
    - ref: sbom-quality-group
      skip:
        - sbom-present
        - my-other-policy
November 18, 2025
  • Add support for custom built-in functions in the policy Rego engine - extend policy evaluation capabilities with custom builtins for advanced policy scenarios and domain-specific validation logic
    package main
    import rego.v1
    
    result := {"violations": violations}
    
    violations contains msg if {
        digest := sprintf("sha256:%s",[input.chainloop_metadata.digest.sha256])
        discovered := chainloop.discover(digest, "")
    
        some ref in discovered.references
        ref.kind == "ATTESTATION"
        ref.metadata.hasPolicyViolations == "true"
    
        msg:= sprintf("artifact belongs to attestation with digest %s, which contains policy violations [name: %s, project: %s, org: %s]", [ref.digest, ref.metadata.name, ref.metadata.project, ref.metadata.organization])
    }
    
November 18, 2025
Improvements in the runner context gatherer and branch protection policies
  • Add branches parameter to policies - specify which branches should be evaluated for compliance, enabling targeted policy enforcement on main/production branches only
  • Add branch filtering to runner context gatherer - optimize GitHub branch protection analysis by specifying target branches, reducing API calls and improving performance for repositories with many branches
November 16, 2025
  • Expose has_policy_violations flag in attestation status command - enables CI/CD control gates to fail pipelines based on policy violation status
November 16, 2025
  • Add policy violation filtering to workflow run queries - list and filter workflow runs by policy violation status for better compliance monitoring and reporting
# List only runs with policy violations
chainloop workflow run list --workflow my-workflow --has-violations

# List only runs without policy violations
chainloop workflow run list --workflow my-workflow --no-violations
November 14, 2025
  • Add UI support for preventing workflow creation - organization setting now available in the UI to require explicit workflow creation before attestations, preventing automatic workflow proliferation in automated environments. [Image: Prevent Workflow Creation UI]
November 14, 2025
  • Extend chainloop-best-practices framework with Source Code integrity controls - automatically verify branch protection policies, code review requirements, commit signing, and SAST scanning to ensure secure development practices across repositories. [Image: Best Practices Framework]
November 14, 2025
  • Add --existing-version flag to attestation init command - ensure attestations only associate with pre-existing project versions, preventing accidental version creation during backpatching and packaging workflows
# Fail if version doesn't exist (useful for backpatches)
chainloop att init --workflow sast --project my-project --version v1.2.3 --existing-version

# Error output when version doesn't exist:
# ERR validation error: project version "v1.2.3" not found
November 14, 2025
  • Add CLI commands for project management - create, list, update, describe, and delete projects directly from the command line
# Create a new project
chainloop project create --name my-project --description "My project description"

# List all projects
chainloop project list
November 14, 2025
  • Add CLI commands for project version management - create, list, update, describe, and delete project versions with prerelease/release status control
# Create a new prerelease version
chainloop project version create --project my-project --name v1.0.0

# Create a released version
chainloop project version create --project my-project --name v1.0.0 --is-released
November 11, 2025
  • Add skip_upload capability to workflow contracts - control whether materials are uploaded to CAS while still recording metadata like digest and filename in attestations, enabling efficient attestation of large artifacts already stored externally
# Example
apiVersion: chainloop.dev/v1
kind: Contract
metadata:
  name: my-workflow
spec:
  materials:
    - name: large-binary
      type: ARTIFACT
      skip_upload: true  # Only record metadata, don't upload to CAS
    - name: sbom
      type: SBOM_CYCLONEDX_JSON
      # skip_upload defaults to false - normal upload behavior
November 11, 2025
chainloop att init --workflow sast --project my-project-2222
ERR creating workflows during the attestation process is disabled for this organization. Please create them in advance or contact your administrator
November 11, 2025
  • Add external policy references support to policy devel eval command - evaluate policies from HTTP/HTTPS URLs (https://...), Chainloop registry (chainloop://policy-name), or local files for flexible policy testing and development workflows
# Evaluate policy from HTTP URL
chainloop policy devel eval --policy https://raw.githubusercontent.com/chainloop-dev/chainloop/main/docs/examples/policies/quickstart/cdx-fresh.yaml --material sbom.json
{
 "result": {
    "violations": [
       "SBOM created at: 2024-01-09T12:00:00Z which is too old (freshness limit set to 30 days)"
    ],
    "skip_reasons": [],
    "skipped": false
 }
}

# Evaluate policy from Chainloop registry
chainloop policy devel eval --policy chainloop://sbom-ntia --material sbom.json
{
 "result": {
    "violations": [
       "missing author",
       "missing supplier for 'AES-256-GCM'",
       "missing supplier for 'ECDH'",
       "missing supplier for 'RSA-2048'",
       "missing supplier for 'SHA384'",
       "missing supplier for 'SHA512withRSA'",
       "missing supplier for 'TLSv1.2'",
       "missing supplier for 'google.com'",
       "missing unique identifier (PURL, CPE, SWID) for 'AES-256-GCM'",
       "missing unique identifier (PURL, CPE, SWID) for 'ECDH'",
       "missing unique identifier (PURL, CPE, SWID) for 'RSA-2048'",
       "missing unique identifier (PURL, CPE, SWID) for 'SHA384'",
       "missing unique identifier (PURL, CPE, SWID) for 'SHA512withRSA'",
       "missing unique identifier (PURL, CPE, SWID) for 'TLSv1.2'",
       "missing unique identifier (PURL, CPE, SWID) for 'google.com'",
       "missing version for 'AES-256-GCM'",
       "missing version for 'ECDH'",
       "missing version for 'RSA-2048'",
       "missing version for 'SHA384'",
       "missing version for 'SHA512withRSA'",
       "missing version for 'TLSv1.2'",
       "missing version for 'google.com'"
    ],
    "skip_reasons": [],
    "skipped": false
 }
}
November 06, 2025
  • Slack webhooks can now be used to send System and Product notifications, in addition to current attestation fan-out messages. [Image: Slack Notification]
November 03, 2025
  • Add support for attesting container images from local OCI layout directories - enables secure image attestation in air-gapped environments and registry-less deployments without requiring image push to remote registries
# Single image layout (automatic)
chainloop attestation add \
  --name my-app \
  --value /path/to/oci-layout \
  --kind CONTAINER_IMAGE

# Multi-image layout (requires digest selector)
chainloop attestation add \
  --name my-app \
  --value /path/to/oci-layout@sha256:9a7ef86e19... \
  --kind CONTAINER_IMAGE
  • Add custom endpoint configuration for Azure Blob Storage CAS backends - enables support for Azure Government Cloud and other sovereign cloud environments by allowing custom endpoint suffixes. [Image: Azure Blob Endpoint Configuration]
October 31, 2025
# Create or update a policy group
chainloop policy-group apply --file sbom-quality.yaml

# List all policy groups
chainloop policy-group list

# Describe a specific policy group
chainloop policy-group describe --name sbom-quality
  • Add chainloop workflow contract apply command for declarative contract management - simplifies contract lifecycle by creating or updating contracts from YAML files in a single operation
October 28, 2025
  • Introduce Chainloop CLI Enterprise Edition - proprietary extension of the open-source CLI with additional features and capabilities available in platform paid plans
# Install CLI Enterprise Edition
curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- -ee
Key features include:
  • Declarative policy management - store and reuse custom policies in the platform with YAML-based configuration and Rego evaluation logic for consistent supply chain security enforcement across workflows
  • Advanced runner context - capture and attest CI/CD environment security configuration including branch protection settings, pull request requirements, and commit protection for enhanced compliance verification
October 25, 2025
  • Add Compliance Overview to product view for comprehensive visibility into compliance frameworks and requirements across product versions with drill-down capabilities into underlying projects. [Image: Product Compliance]
  • Add Evidence tab to product view for centralized access to all pieces of evidence across product versions, including artifacts, SBOMs, VEX documents, vulnerability reports, and provenance data with advanced filtering capabilities. [Image: Product Evidence Tab]
October 22, 2025
  • Add notification trigger for product releases - receive alerts when new product versions are released
October 21, 2025
  • Expose OpenAPI spec preconfigured for your specific instance of Chainloop. You can find it at https://your-backend-instance/openapi.yaml (for example, here).
October 20, 2025
  • Add notifications for aggregated product compliance changes - stay informed about compliance status updates (failures and recoveries). [Image: Product notifications]
October 17, 2025
October 15, 2025
  • Add Evidence tab to project view for centralized access to all pieces of evidence, including artifacts, SBOMs, VEX documents, vulnerability reports, and provenance data with advanced filtering capabilities. [Image: Evidence Tab]
October 10, 2025
  • Add system status page to monitor platform health and view past incidents in real time. [Image: Status Page]
October 09, 2025
  • Introduce Business Units - organize products by department, division, or team for better organizational structure management. [Image: Business Units]
September 15, 2025
  • Display user group memberships in the members table with contextual group inspection. [Image: User groups]
September 13, 2025
  • Allow re-evaluating requirements from existing workflow runs. [Image: Recalculate compliance]
September 12, 2025
  • Fix GitLab integration authentication issues
September 09, 2025
  • Implement automatic Storage backend health checks every 30 minutes with owner notifications on status changes via Email and Audit Log. [Image: Storage health check]
September 04, 2025
  • Improve product compliance view with aggregated compliance charts. [Image: Compliance]
  • Fix CAS backend permission errors when storage cannot be reached
September 03, 2025
September 02, 2025
  • Allow product-level applicability settings with inheritance to project versions. [Image: Product applicability inheritance]
  • Extend banned-licenses policy to support SPDX license expressions
August 29, 2025
  • Allow creating product versions from previous ones - streamlines version management by pre-populating projects and compliance mappings. [Image: Prefill version]
August 28, 2025
  • Replace bitnami containers with custom builds to address container initialization issues
August 27, 2025
  • Requirements applicability for projects and versions - define which requirements apply to specific projects or versions within a product for tailored compliance management. [Image: Applicability]
August 25, 2025
  • Pin project versions on product releases to maintain stable relationships. [Image: Product release]
  • Standardize on “pre-release” terminology across the platform
August 18, 2025
  • Enable inviting external users to products
  • Add audit entries when adding users/groups to products and projects. [Image: Invite new members]
August 15, 2025
August 14, 2025
  • Product version lifecycle management. [Image: Product versions]
August 8, 2025
  • Add contextual help links in UI pointing to documentation and RBAC guide
July 18, 2025
  • Ensure at least one Org Owner is present in the organization before leaving
Refer to this collection of blog posts for additional historical changes.