Platform v1.75.1
This release rounds out the AI coding governance story — the [AI Coding Foundation](/concepts/ai-coding-sessions) dashboard is now generally available, [`chainloop trace`](/guides/chainloop-trace) gains Cursor support, [salt](/reference/builtin-functions) reports gain SARIF output, and auto-remediation grows a remediability gate. Plus a redesigned integrations page, supply-chain-friendly CLI install dialog, and dozens of polish fixes. ## AI Coding Governance — From Adoption to Compliance Our recent [AI Coding Governance post](https://chainloop.dev/blog/ai-coding-governance-adoption-to-compliance/) walks through the four pillars Chainloop now provides for governing agentic coding: adoption visibility, framework-driven enforcement, developer integration on the PR, and the [AI Session Score](/reference/ai-score). This release advances each one — the [AI Coding Foundation](/concepts/ai-coding-sessions) dashboard is now available to every organization, and the surfaces around it keep maturing. **AI Coding Foundation Dashboard for Everyone** — The dashboard now ships to all organizations with a guided empty state, so new teams can see exactly what to instrument before sessions start flowing in. The layout has also been adapted to the flat SDLC structure for a cleaner, more navigable view alongside the rest of your delivery surfaces. **Frameworks, Controls, and Policies** — AI sessions and configs are first-class evidence, governed by the same framework / control / policy model used for SBOMs and container images. Auditors read frameworks (SLSA, NIST SSDF, AI Readiness); engineers ship the Rego. **Governance on the PR** — Every AI-assisted PR gets a summary comment with per-session attribution, files touched, and policy verdicts, plus a `Chainloop AI Policies` check run that can be made a required merge gate. **Aggregated Sessions, with Scores and Policies in View** — Every AI session your org produces now rolls up into a single list with a detail sheet that surfaces transcripts, files touched, and per-session attribution. Session tabs show AI Score and policy counts at a glance, and a new AI Score trend chart on the dashboard tracks quality drift over time. **Cursor Joins the Party** — [`chainloop trace`](/guides/chainloop-trace) now recognizes Cursor as a trace provider alongside Claude Code. Mixed-tool teams get a unified picture without anyone changing how they work. **Smarter Auto-Remediation** — On-demand auto-remediation now gates on an AI remediability verdict — the platform only opens a fix PR when the assessment determines the issue can be safely and effectively resolved, cutting noise on findings that aren't a good fit for automation. **Getting Started** — Run `chainloop trace init` once per repo, commit the config, and AI sessions start flowing in. Full walkthrough in the [Chainloop Trace guide](/guides/chainloop-trace). ## SARIF Output with Posture Gaps and Attacker Mapping The new [`chainloop transform salt`](/command-line-reference/cli-reference) subcommand converts SALT reports into a normalized format for attestation, and now emits **SARIF output** enriched with posture gaps and attacker information — so security teams get exploitable context alongside the findings, not just a list of CVEs. The SARIF flavor plugs straight into the same code-scanning surfaces you already use. ## Redesigned Integrations Page The [integrations](/concepts/integrations) page has been rebuilt around a sheet-detail layout with per-integration documentation panels. Configuring, inspecting, and troubleshooting each integration now happens in context, without bouncing between tabs.
## Verified CLI Installs
The [CLI install dialog](/command-line-reference/cli-installation) now shows the pinned CLI version and binary checksums for the active release, so teams can verify what they're installing against a known-good artifact before running the command. Small UX change, meaningful supply-chain story.
* CLI-version-aware policy resolution — backend now resolves policies and policy groups against the CLI version producing the attestation, so contract evolution stays compatible with older clients
* Simplified policy usage examples — policy detail pages now show a single YAML usage example, dropping the JSON variant for clarity
* Manual SAML SSO authentication — log in directly with SAML credentials when the IdP doesn't push, complementing the [SAML SSO](/guides/deployment/guides/saml-idp) launch
* Responsive narrow viewports — frontend layout adapts cleanly on smaller screens and split panes
* Simplified policy usage examples — policy detail pages now show a single YAML usage example, dropping the JSON variant for clarity
* Manual SAML SSO authentication — log in directly with SAML credentials when the IdP doesn't push, complementing the [SAML SSO](/guides/deployment/guides/saml-idp) launch
* Responsive narrow viewports — frontend layout adapts cleanly on smaller screens and split panes
* CLI AI attribution is now preserved across rebase and force-push operations
*CLI Git hooks install in the common dir when working in git worktrees, so trace works across all worktree branches
*CLI Git hook install always runs during agent session tracking
*Frontend Assessment actions are hidden from users with project-viewer permissions
*Frontend Edit button is disabled while an auto-assessment is running, preventing concurrent edits
*Frontend Auto-assessment button correctly shows disabled when no repository is linked
*Frontend Project version now appears in the workflow run breadcrumb
*Frontend Repository row in AI session detail sheet uses full width; padding above tabs removed
*Frontend AI dashboard help link points to the AI Coding Sessions concept page
*Frontend AI Score trend chart shows hours on the X axis for 24h ranges
*Frontend Compliance scroll tracking and latest-version badge contrast stabilized
*Frontend Duplicate policies header removed from workflow run details; warning badge contrast improved in light mode
*Frontend Vulnerability search filters guard against undefined fields; trusthub preview positioning fixed
*Frontend Help icon link added to products page; spurious comma removed from risk assessment status
*Compliance Compliance caches now purge synchronously on override mutations
*Compliance Compliance search hides frameworks with no matching results
*Compliance Auto-assessment is scoped to the affected artifact instead of the full project
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
**Commit-msg Hook for Trailers** — A new commit-msg hook automatically declares AI session trailers on commits, so attestations pick up the right session even when sessions span multiple commits.
**Smarter Code Attribution** — Trace now ignores generated code in attribution counts, persists per-session file changes and commits, and respects `.gitattributes` linguist-generated rules so vendored or generated paths don't skew metrics.
## AI Risk Assessment Workflow
Risk assessments are now a first-class workflow with collaboration, revisions, and remediation. Reviewers can leave [discussions](/guides/vulnerability-management) on assessments, request revisions, and gate approval on AI-generated recommendations. A re-assess button lets you refresh an assessment when context changes, and on-demand auto-remediation can open a PR with the suggested fix when the project has a linked repository.
**Slack Loop** — Reviewers get pinged in Slack when an assessment needs review, and again when auto-remediation opens a PR — closing the loop without leaving the channel.
**Failed Auto-Assessments Surfaced** — Failed AI assessments are now visible directly in the risk assessment UI so they don't disappear silently.
## SAML SSO Login
Chainloop Platform now supports Enterprise-level SSO through [SAML](/guides/deployment/guides/saml-idp) against your corporate identity provider.
## Project Security v2
The redesigned [project security tab](/guides/vulnerability-management) is now the default for organizations on the labs track, with the legacy view still available side-by-side during the transition. Active-finding filters, summary tiles that link straight to filtered views, and a vulnerability management help link make triage faster.
## Findings, MCP, and Notifications
Findings are now first-class across the platform. A new [`chainloop.findings`](/reference/builtin-functions) Rego builtin lets you reference findings directly from policies, and the [MCP server](/reference/mcp-server) exposes findings to AI assistants.
**High-Severity Slack Alerts** — New high-severity findings now trigger Slack [notifications](/concepts/notifications), and `FINDING_CREATED` events are deduplicated across project versions so you stop getting paged twice for the same issue.
## Native Slack App Integration
Connect your Slack workspace directly to Chainloop with the new native Slack App [integration](/concepts/integrations). Once connected, you can pick specific channels for [notifications](/concepts/notifications) — no more configuring webhook URLs manually.
**Channel Picker** — Browse and select Slack channels from a searchable dropdown directly in the notification settings UI.
**Rich Notifications** — The Slack App supports structured notification messages with actionable context about attestation events, policy violations, and compliance updates.
## GitLab App Integration
Chainloop now supports a native GitLab App integration for connecting your GitLab repositories. This complements the existing GitHub integration and enables teams using GitLab to benefit from the same repository-project linking, [keyless attestations](/guides/gitlab-keyless), and source control visibility.
## UI Refresh
This release brings a comprehensive visual refresh across the platform — redesigned tables, tabs, buttons, inputs, badges, and sheet layouts for a more polished experience.
**Policies Page** — The [policies](/concepts/policies) page now uses a grid cell layout, and policies and policy groups are split into separate pages for easier navigation.
**Frameworks Page** — The [compliance frameworks](/concepts/compliance-frameworks) page has been reworked to match the new policies list style.
**Workflow Run Page** — Updated styling for the workflow run detail view.
**Sidebar** — Hover over the collapsed sidebar to preview navigation items without expanding it.
This gives security teams visibility into how AI agents are set up across the organization — detecting hardcoded secrets in configurations, enforcing allowlists for approved MCP servers, validating instruction quality, and preventing privilege escalation in subagent configurations.
This release ships with **12 built-in [AI governance policies](/reference/policies)** covering MCP server allowlists, instruction quality, subagent permissions, architecture documentation, and more — see the full list in the New Policies section below.
Read the [collection guide](/guides/ai-config-collector) to get started, or see the [full blog post](https://chainloop.dev/blog/agentic-coding-support/) for the vision behind AI agent governance in your supply chain.
## Ask Chainloop
[Ask Chainloop](/concepts/ask-chainloop) is a native natural language interface embedded directly in the web UI. It goes beyond simple data discovery — you can browse your organization's supply chain data, query compliance status, write [policies](/concepts/policies), create [contracts](/concepts/contracts), configure your instance, and more. Press `Cmd+K` (or `Ctrl+K`) to open it from any page.
## Repository-Project Linking & Keyless RBAC
[Keyless attestations](/guides/github-keyless) can now be configured with authorization per project. Enrolled repositories must be connected to a project for keyless attestations to be accepted — giving security teams fine-grained control over which CI/CD pipelines can produce evidence for each project. This means different repositories can have different access levels, and attestations from repositories not linked to a project are rejected automatically. See the [GitHub keyless](/guides/github-keyless) and [GitLab keyless](/guides/gitlab-keyless) guides to get started.
## Rich Evidence Visualization
Browse the content of your [evidence](/concepts/material-types) directly in the platform — no downloads required. New rich viewers let you inspect container image details, pull request metadata, AI agent configuration, and more without leaving the interface.
**Container Images** — View pull commands (by tag and digest), provenance, and deployment history directly from the material panel.
**Pull Request Info** — See PR details including branch info, reviewers, approval status, and bot detection — all rendered inline from `CHAINLOOP_PR_INFO` materials.
**AI Agent Configuration** — Browse collected AI agent configuration files, instructions, rules, and skills directly in the evidence panel.
## Compliance Override & Approval Workflows
The [compliance](/concepts/compliance-frameworks) override system now supports uploading evidence files as part of the override process — along with a full approval workflow and visual status indicators. Teams can also require approval for manually submitted evidence before it's used in [compliance evaluations](/concepts/compliance-frameworks), ensuring that manual submissions are validated before being incorporated into your attestation process.
## Product Management Commands
You can now create, update, and organize [products](/concepts/products) directly from the CLI — bringing full product lifecycle management into your terminal and automation scripts. Combined with [`chainloop apply`](/guides/declarative-resource-management), this enables GitOps-style product configuration alongside your existing [workflow](/concepts/workflows) and [contract](/concepts/contracts) definitions.
## Compliance Approval Workflows
Introducing approval workflows for [compliance](/concepts/compliance-frameworks) overrides at both the [product](/concepts/products) and [project](/concepts/projects-versions) level. Teams can now request structured exceptions to compliance requirements — with approvals tracked, auditable, and tied back to the evidence that justifies them. This gives security and compliance teams visibility and control over deviations without blocking delivery.
## Manual Evidence with Justification
You can now submit manual evidence entries with justification-only content — no artifact upload required. This is especially useful for documenting compliance activities like risk acceptances, design reviews, or exception approvals where the evidence is a written rationale rather than a file.
## Requirement Reordering
You can now reorder requirements within custom [compliance frameworks](/concepts/compliance-frameworks) — giving you full control over how your compliance structure is presented and navigated. Drag requirements into the order that makes sense for your team's review process.
## New MCP Server Tools
The [Chainloop MCP server](/reference/mcp-server) now includes `list_contracts` and `describe_contract` tools — making it possible for AI agents and development workflows to discover and inspect [workflow contracts](/concepts/contracts) directly. This brings contract management into AI-assisted automation, so teams can query contract schemas, materials, and policy attachments without leaving their AI toolchain.
With these tools, you can retrieve any contract's full declarative representation — including its materials, policies, policy groups, and runner configuration — directly from an AI assistant or automated workflow. Whether you're auditing a release gate, reviewing what evidence a pipeline collects, or building tooling on top of Chainloop, the contract schema is now just a tool call away.
## Product-Level Compliance Overrides
[Compliance policies](/concepts/compliance-frameworks) can now be overridden at the [product](/concepts/products) level — giving you more granular control over how compliance requirements are applied across your organization. This is especially useful when different products have distinct regulatory needs while sharing a common baseline.
## UI/UX Improvements
We've been investing heavily in the frontend experience. Our component library has been upgraded to a more compact, modern design system, and we've reworked key surfaces — from empty states to the org selector and dark mode — all to reduce visual noise while keeping the information you need front and center.
**Global Search** — A new global search experience lets you quickly find workflows, projects, frameworks, requirements and other resources across your organization from anywhere in the app. Try it out with `CMD + K` or by clicking the search button in the top navbar.
**Version Selector** — A redesigned version selector with dedicated **prerelease** and **release** tabs makes it easier to navigate between versions and understand what's promoted vs. in progress.
**Filtering Across All Lists** — All list pages now offer consistent filtering options, making it easier to find and organize your workflows, projects, and resources — no matter how large your organization grows
**Contracts Diff** — You can now see differences between [contract](/concepts/contracts) revisions at a glance, making it easier to understand what changed between versions.
**Compliance Coverage (Preview)** — An early preview of compliance coverage is now available, showing how your project maps [against compliance frameworks and requirements](/concepts/compliance-frameworks#requirement-coverage-preview). This feature is being actively developed and will be rolling out to all users soon.
**Easier Policy Evaluation Analysis** — [Policy evaluations](/concepts/policies) are now easier to analyze: advanced filtering helps you quickly focus on passed, failed, or skipped policies, and multiple skip reasons or violations are collapsed for a cleaner view.
**CLI Install Script** — The platform now serves a pre-configured CLI install script, so new users can get started with a single command — no manual endpoint configuration needed. Get your CLI with a single click, it is available in the help menu under "About Chainloop"
We've also introduced a top-level `chainloop apply` command for local or CI automation to enable GitOps operations. For more information, refer to our [CLI reference](https://docs.chainloop.dev/command-line-reference/cli-ee-reference).
## Agentic Policies Support
Agentic policies use AI to evaluate supply chain evidence with natural-language prompts. Define what to check in plain English — Chainloop sends the evidence to your configured LLM provider and returns violations, cryptographically signed into the attestation.
Use the built-in `evidence-prompt` policy for a zero-code experience, or call `chainloop.evidence_prompt` from custom policies for more control. Read more in the [LLM Policies guide](/guides/llm-policies).
```yaml theme={"dark"}
apiVersion: chainloop.dev/v1
kind: Contract
metadata:
name: check-build
spec:
policies:
attestation:
- ref: evidence-prompt
with:
prompt: "Check that all container images referenced in this attestation come from a trusted registry (e.g. ghcr.io or docker.io/chainloop)"
materials:
- ref: evidence-prompt
with:
prompt: "Analyze this SBOM and report any components with non-OSS compatible licenses such as AGPL, SSPL, or proprietary licenses"
materials:
- type: SBOM_CYCLONEDX_JSON
name: my-sbom
```
Our enterprise customers can use their own LLM provider by bringing an API key and configuring an [LLM integration](/concepts/integrations). Chainloop supports Anthropic and OpenAI (including OpenAI on Microsoft Foundry); see the [LLM support reference](/reference/llm-support) for details.
## Policy Engine Improvements
The policy engine is the core of Chainloop's control and quality gate capabilities. Our SDK comes packed with new features:
* [Attestation phases](/concepts/policies#attestation-phases) let you control when attestation-level policies are evaluated during the attestation lifecycle.
* [Policy-level gate override](/concepts/policies#configuring-enforcement) — The `gate` property in policy attachments now supports `gate: false` to explicitly disable enforcement for a specific policy, overriding the organization-wide control gate setting.
* [`chainloop.download_artifact`](/reference/builtin-functions#chainloopdownload_artifact) — A Rego builtin function that downloads an artifact from Chainloop's CAS directly into the policy evaluation context.
```bash theme={"dark"}
$ chainloop attestation verify --bundle ~/Downloads/f156d02.json
INF attestation verified successfully
```
* **Docker Compose for local evaluation**: A [Docker Compose setup](/guides/evaluate-platform#local-docker-compose) is now available for quick local evaluation of the platform. Contact the Chainloop team to get started.
Product-scoped requirements accept manual evidence submissions, but they don't yet support automated compliance from attestations.
* **Product compliance filters** now affects to the compliance status charts, reflecting the status of what users have selected.
* **Requirement Lifecycle Management** - mark requirements as `Active` or `Inactive` to control which ones are evaluated in your compliance assessments. Inactive requirements don't count toward your scores, making it easy to track requirements you're still defining without impacting your current compliance status. Learn more about [managing requirement lifecycles](/concepts/compliance-frameworks#requirement-lifecycle-management) in frameworks.
It can be deactivated by passing the flag `deactivate-ci-report` to the command.
Configure in Platform [Storage Backends Section](https://app.chainloop.dev/cas-backends) or using CLI:
```bash theme={"dark"}
chainloop cas-backend update oci --name [BACKEND_NAME] --fallback=true
```
**Requirements Auto-Matching Control**: Organizations can now [deactivate automatic matching of policies to compliance requirements](/concepts/compliance-frameworks#deactivating-requirements-auto-matching), enforcing explicit requirement declarations in workflow contracts for tighter control over compliance mappings.
When deactivated, only policies with explicit `requirements` declarations in contracts will be matched to framework requirements, ensuring intentional and explicit associations.
This can also be configured via CLI EE:
```bash theme={"dark"}
chainloop org update --name [ORG_NAME] --disable-requirements-auto-matching
```
## Requirement evaluation overrides
You can now manually override the evaluation status of compliance requirements with justification. This enables teams to document exceptions and provide context when requirements cannot be met through automated means.
Overrides are available in both project and product evaluation views. When a requirement is overridden, the status badge changes to "Status Overridden" and displays the justification below the evaluation header. Overrides are also included in the product compliance API response for programmatic access.
* Add [Evidence](/concepts/products#evidence-tab) tab to product view for centralized access to all pieces of evidence across product versions, including artifacts, SBOMs, VEX documents, vulnerability reports, and provenance data with advanced filtering capabilities
* Fix CAS backend permission errors when storage cannot be reached
* Extend `banned-licenses` policy to support SPDX license expressions
* Standardize on "pre-release" terminology across the platform
