Platform v1.88.1
This release pushes automation deeper into your software supply chain. Chainloop can now scan repositories, assess the vulnerabilities it finds, and open verified remediation pull requests entirely in managed sandboxes — no CI wiring required — and validate pull requests server-side. A managed LLM gateway with usage credits powers these AI features out of the box, a guided onboarding wizard streamlines project and workflow setup, and the vulnerabilities and risk-assessment experience gets a focused overhaul. ## Automated Security Scanning in Managed Sandboxes Chainloop now runs security scans and AI agents for you in isolated, managed sandboxes — no CI configuration required. When you connect a repository, the platform can automatically scan it, assess the [vulnerabilities](/concepts/vulnerability-management) it finds, and open remediation pull requests, all server-side. **AI Auto-Assessment & Remediation (Preview)** — The Vulnerabilities Agent investigates each finding against your source code, records a signed [risk assessment](/concepts/vulnerability-management#risk-assessments), and can open a fix pull request. Remediation now independently verifies its own fixes before proposing them: dependency and image-digest bumps are re-scanned with grype, and the outcome — resolved, still-present, or unable-to-verify — is reported in a dedicated section of the pull request, so a fix is something Chainloop proves rather than asserts.
**Infrastructure-as-Code Scanning** — A new managed IaC scan task runs [Checkov](https://www.checkov.io) over your source tree and attests the resulting [SARIF report](/concepts/material-types), feeding the existing `iac-misconfiguration` and `iac-scan-present` compliance policies. It honors a `.checkov.yaml` at your repository root.
**Hardened by Design** — Agents that operate over untrusted project code receive a platform security preamble at the provider's system instruction tier, so it outranks any instructions embedded in the code. Each sandbox gets an ephemeral, per-run LLM gateway key, and repository-supplied agent configuration is stripped from untrusted checkouts.
**Automated PR Validation** — Chainloop now validates pull requests server-side, without the `pr-attestation.yml` GitHub Action. When a repository's project has a managed `pr-validation` workflow, each pull request event generates a `CHAINLOOP_PR_INFO` attestation, evaluates [policies](/guides/pr-policies-control-gate) against the pull request metadata, and surfaces the results in the Chainloop PR comment alongside a dedicated **Chainloop PR Validation** GitHub check run.
## Managed LLM Gateway with Usage Credits
Chainloop Cloud now includes a managed LLM gateway backed by a monthly credit pool, so AI-powered features like auto-assessment and remediation work out of the box — no [LLM provider key](/reference/llm-support) required. Each organization gets a credit allowance that draws down as AI capabilities are used, and a usage gauge on the Plan & Billing page shows current spend against the allowance. A structured entitlement catalog makes it clear which capabilities are available on your plan, and bring-your-own-key providers are never metered or gated.
## Project & Workflow Onboarding Wizard
Setting up a project is now a guided, multi-step flow. The redesigned Create Project wizard lets you pick a live GitHub repository (or connect one inline), prefill and link it, and configure [workflow](/concepts/workflows) templates — managed, manual, or off — in a single submit. Delivery mode and inputs of a template-backed workflow can be edited in place from the workflow edit form, and connecting a repository now auto-onboards an AI coding session workflow so `chainloop trace` attestations land on a ready workflow without a separate install step.
**Refined Setup Guides** — The setup guides shown after onboarding a workflow now lead with a description of what each flow does and why it matters, use syntax-highlighted snippets, and surface documentation through an "Open docs" button in the header.
## Sharper Vulnerabilities & Risk Assessments
The [vulnerabilities and risk-assessment](/concepts/vulnerability-management) experience got a focused overhaul. Risk-assessment tables now default to the findings that need attention — Affected and Under Investigation — with clearable filter badges, a new **Fixable** column showing the agent's fix verdict, and a **Fixed Version** column on the vulnerabilities table. Assessment actions are clearer too: Assess or Re-assess with AI or manually, with **Create PR fix** promoted to the primary action and a fix-confidence tooltip. You can also filter by multiple statuses at once — the CLI `--status` flag is now repeatable.
**SBOM-Embedded Vulnerability Ingestion** — You can now ingest the vulnerabilities embedded in a [CycloneDX SBOM](/concepts/material-types) as Chainloop findings bound to a project version, so released versions reflect a real vulnerability posture and migrated assessments have a posture to bind to.
* Windows CLI binaries — The `chainloop` CLI is now built and published for Windows (amd64 and arm64); download the `.exe` directly from the manual download dialog.
* SonarQube transform filters — `chainloop transform sonarqube` gains `--software-qualities` and `--rules` flags to fetch Maintainability and Reliability findings (dead, unreachable, and unused code), not just Security.
* Evidence sidebar from the policies tab — Evidence names in a workflow run's Policies tab are now clickable, opening the evidence details sidebar; the "Material" and "Material Type" columns are renamed to "Evidence" and "Evidence Type".
* CAS usage breakdown for any backend — The storage usage card now appears for bring-your-own [storage backends](/concepts/cas-backend) too, showing the uploaded, downloaded, stored, and deduplication-savings breakdown.
* New evidence types — Four new [material types](/concepts/material-types): Sysinternals AccessChk output, CERT/CC Dranzer output, OSSF Scorecard JSON, and Radamsa fuzzing reports and crashes.
* Project-deletion audit log — Deleting a project now emits an audit log event.
* Custom CAS storage backends — A contact-us prompt for organizations that want a custom [CAS storage backend](/concepts/cas-backend).
* SonarQube transform filters — `chainloop transform sonarqube` gains `--software-qualities` and `--rules` flags to fetch Maintainability and Reliability findings (dead, unreachable, and unused code), not just Security.
* Evidence sidebar from the policies tab — Evidence names in a workflow run's Policies tab are now clickable, opening the evidence details sidebar; the "Material" and "Material Type" columns are renamed to "Evidence" and "Evidence Type".
* CAS usage breakdown for any backend — The storage usage card now appears for bring-your-own [storage backends](/concepts/cas-backend) too, showing the uploaded, downloaded, stored, and deduplication-savings breakdown.
* New evidence types — Four new [material types](/concepts/material-types): Sysinternals AccessChk output, CERT/CC Dranzer output, OSSF Scorecard JSON, and Radamsa fuzzing reports and crashes.
* Project-deletion audit log — Deleting a project now emits an audit log event.
* Custom CAS storage backends — A contact-us prompt for organizations that want a custom [CAS storage backend](/concepts/cas-backend).
* Frontend Send the S3 region when rotating CAS backend credentials.
*Frontend Show the organization creation dialog above the org switcher.
*Frontend Avoid `crypto.randomUUID` for template instance keys so creation works across more browser contexts.
*Frontend Gate repository listing on GitHub App installation.
*Frontend Update the frontend base image to remediate CVE-2026-34181.
*CLI Prefer `$CHAINLOOP_TOKEN` over user credentials when both are set.
*CLI Use the actual pull request head commit instead of the merge commit in GitHub Actions.
*Policies Add `include_all_versions` to bypass CLI-version gating.
*Backend Allow all roles to list workflow templates.
*Backend Require signature verification and reject timestamp-only bundles.
*Backend Sanitize input and validate column identifiers when parsing JSON filters.
*
*
*
*
*
*
*
*
*
*
## AI Score Breakdown on the AI Coding Dashboard
Get a global, real-time view of how AI-assisted coding is scoring across your organization. The [AI coding dashboard](/concepts/ai-coding-sessions) now shows an AI Score Breakdown with the overall quality score and per-criterion averages for the current period, each with a delta versus the previous period and a trend. See the [AI Score reference](/reference/ai-score) for how scores are computed.
**Pull Requests Get First-Class Treatment** — the redesigned AI Coding Sessions table is built around contributions: each pull request shows its score, AI attribution, lines changed, cost, and duration at a glance.
## Custom Azure Deployment Name for OpenAI
The OpenAI integration now supports a custom Azure deployment name, required for Azure OpenAI endpoints. This restores Ask, chat, and evidence evaluation for organizations on Azure-hosted models. See the [supported LLM providers](/reference/llm-support) for configuration details.
## Codex and GPT-5.4 Support for Agentic Workflows
All Chainloop agentic workflows now support Codex and GPT-5.4. Organizations that bring their own OpenAI key can use these models right away. See the [supported LLM providers](/reference/llm-support) for the full list.
## Skip Runner-Discovered Environment Variables
A new organization setting lets you opt out of storing the environment variables automatically discovered by the CI runner in your attestations — useful when build metadata should stay inside your CI environment. The contract's explicit environment allow list is still honored, and the setting is available from the organization settings page or via `chainloop organization update --skip-runner-env-vars`. Read more in [Skip Runner-Discovered Environment Variables](/concepts/contracts#skip-storing-runner-discovered-environment-variables).
## Built-in Auto-Provisioned Storage Backend
Chainloop can now provision and manage your [Content Addressable Storage backend](/concepts/cas-backend) automatically, so there's no bucket or credentials to wire up before you can store evidence. The platform reconciles a dedicated, isolated CAS backend (backed by AWS) for each organization, and once [managed CAS](/guides/deployment/guides/managed-cas) is active it replaces any inline backend you had configured. Managed uploads are capped by a monthly storage quota to keep usage predictable.
## Streamlined Repository Onboarding
Onboarding a repository now sets up everything you need for compliance tracking in one step. The platform creates a product and attaches default security frameworks, so new projects can collect evidence and report compliance right away. A new WorkflowTemplate resource standardizes project setup behind the scenes, removing the manual configuration that used to come first.
## Track Your Findings with the Linear Integration
Track your findings without leaving your issue tracker. The [Linear](/concepts/issue-trackers) integration now shows each assessment's linked ticket and its current state inline, so you can follow remediation straight from Chainloop. New email [notifications](/concepts/notifications) also go out the moment a finding is created or an assessment revision is proposed.
## Manage Findings and Risk Assessments Using the CLI
Manage security findings and assessments directly from the terminal with new dedicated [CLI commands](/command-line-reference/cli-reference). List, inspect, and act on findings and assessments as part of your scripts and automation, bringing the same compliance workflows you use in the UI into your CI/CD pipelines and local tooling.
## Vulnerability Distribution Visualization
A new funnel view breaks down your [vulnerability](/concepts/vulnerability-management) findings by severity and by resolution status (affected, not affected, and more), so you can see where remediation stands and what to tackle next.
## Assess AI Contribution Quality
AI session scoring helps development teams gauge the quality of AI-assisted contributions and learn best practices for agentic engineering, building on the [AI Coding Foundation](/concepts/ai-coding-sessions). It summarizes the changes made in a session and surfaces the positive signals behind the score, and the score tab has been redesigned to show [scoring progress](/reference/ai-score) in real time.
**Confidence, end to end.** AI assessment confidence is surfaced throughout, with an expandable breakdown that shows each subscore as a percentage, so you can see not just the verdict but how sure the model is.
**Additional signals and recommendations.** The score now spells out the positive and negative signals behind each assessment, along with concrete recommendations for raising it.
**More developer context.** The session list and detail side panel now carry more context about the developers behind each session, and the risk assessment badge reflects the PR's status colors, so it's easy to scan where each session stands.
**Change summary.** Each AI coding session now includes a summary of the changes it made, so you can see what happened without reading the full diff.
## MCP Server at the Backend Domain
The [Chainloop MCP server](/guides/chainloop-mcp) is now served under the backend domain at `/mcp`, a single stable endpoint for connecting Claude, Cursor, and other AI assistants to your supply-chain data. The active endpoint is shown in the product's About dialog, so it's always one click away.
## We Keep Working on the UI
We've restyled the lists you work in most: workflow runs, evidence, storage backends, the project overview tab, and the workflows list all get cleaner, more scannable layouts. The project version evidence tab now hides attestations by default, keeping the focus on the evidence items you reach for most, with attestations still one click away.
## And There's More!
A handful of smaller improvements and fixes shipped across this release too.
## Verified CLI Installs
The [CLI install dialog](/command-line-reference/cli-installation) now shows the pinned CLI version and binary checksums for the active release, so teams can verify what they're installing against a known-good artifact before running the command. Releases now also publish a [keyless cosign signature](https://docs.sigstore.dev/quickstart/quickstart-cosign/) — a Sigstore bundle alongside the checksum manifest — so you can cryptographically verify the checksums themselves came from our release pipeline, not just that the binary matches a checksum served from the same origin. A small UX touch with a meaningful supply-chain story.
**Commit-msg Hook for Trailers** — A new commit-msg hook automatically declares AI session trailers on commits, so attestations pick up the right session even when sessions span multiple commits.
**Smarter Code Attribution** — Trace now ignores generated code in attribution counts, persists per-session file changes and commits, and respects `.gitattributes` linguist-generated rules so vendored or generated paths don't skew metrics.
## AI Risk Assessment Workflow
Risk assessments are now a first-class workflow with collaboration, revisions, and remediation. Reviewers can leave [discussions](/guides/vulnerability-management) on assessments, request revisions, and gate approval on AI-generated recommendations. A re-assess button lets you refresh an assessment when context changes, and on-demand auto-remediation can open a PR with the suggested fix when the project has a linked repository.
**Slack Loop** — Reviewers get pinged in Slack when an assessment needs review, and again when auto-remediation opens a PR — closing the loop without leaving the channel.
**Failed Auto-Assessments Surfaced** — Failed AI assessments are now visible directly in the risk assessment UI so they don't disappear silently.
## SAML SSO Login
Chainloop Platform now supports Enterprise-level SSO through [SAML](/guides/deployment/guides/saml-idp) against your corporate identity provider.
## Project Security v2
The redesigned [project security tab](/guides/vulnerability-management) is now the default for organizations on the labs track, with the legacy view still available side-by-side during the transition. Active-finding filters, summary tiles that link straight to filtered views, and a vulnerability management help link make triage faster.
## Findings, MCP, and Notifications
Findings are now first-class across the platform. A new [`chainloop.findings`](/reference/builtin-functions) Rego builtin lets you reference findings directly from policies, and the [MCP server](/reference/mcp-server) exposes findings to AI assistants.
**High-Severity Slack Alerts** — New high-severity findings now trigger Slack [notifications](/concepts/notifications), and `FINDING_CREATED` events are deduplicated across project versions so you stop getting paged twice for the same issue.
## Native Slack App Integration
Connect your Slack workspace directly to Chainloop with the new native Slack App [integration](/concepts/integrations). Once connected, you can pick specific channels for [notifications](/concepts/notifications) — no more configuring webhook URLs manually.
**Channel Picker** — Browse and select Slack channels from a searchable dropdown directly in the notification settings UI.
**Rich Notifications** — The Slack App supports structured notification messages with actionable context about attestation events, policy violations, and compliance updates.
## GitLab App Integration
Chainloop now supports a native GitLab App integration for connecting your GitLab repositories. This complements the existing GitHub integration and enables teams using GitLab to benefit from the same repository-project linking, [keyless attestations](/guides/gitlab-keyless), and source control visibility.
## UI Refresh
This release brings a comprehensive visual refresh across the platform — redesigned tables, tabs, buttons, inputs, badges, and sheet layouts for a more polished experience.
**Policies Page** — The [policies](/concepts/policies) page now uses a grid cell layout, and policies and policy groups are split into separate pages for easier navigation.
**Frameworks Page** — The [compliance frameworks](/concepts/compliance-frameworks) page has been reworked to match the new policies list style.
**Workflow Run Page** — Updated styling for the workflow run detail view.
**Sidebar** — Hover over the collapsed sidebar to preview navigation items without expanding it.
This gives security teams visibility into how AI agents are set up across the organization — detecting hardcoded secrets in configurations, enforcing allowlists for approved MCP servers, validating instruction quality, and preventing privilege escalation in subagent configurations.
This release ships with **12 built-in [AI governance policies](/reference/policies)** covering MCP server allowlists, instruction quality, subagent permissions, architecture documentation, and more — see the full list in the New Policies section below.
Read the [collection guide](/guides/ai-config-collector) to get started, or see the [full blog post](https://chainloop.dev/blog/agentic-coding-support/) for the vision behind AI agent governance in your supply chain.
## Ask Chainloop
[Ask Chainloop](/concepts/ask-chainloop) is a native natural language interface embedded directly in the web UI. It goes beyond simple data discovery — you can browse your organization's supply chain data, query compliance status, write [policies](/concepts/policies), create [contracts](/concepts/contracts), configure your instance, and more. Press `Cmd+K` (or `Ctrl+K`) to open it from any page.
## Repository-Project Linking & Keyless RBAC
[Keyless attestations](/guides/github-keyless) can now be configured with authorization per project. Enrolled repositories must be connected to a project for keyless attestations to be accepted — giving security teams fine-grained control over which CI/CD pipelines can produce evidence for each project. This means different repositories can have different access levels, and attestations from repositories not linked to a project are rejected automatically. See the [GitHub keyless](/guides/github-keyless) and [GitLab keyless](/guides/gitlab-keyless) guides to get started.
## Rich Evidence Visualization
Browse the content of your [evidence](/concepts/material-types) directly in the platform — no downloads required. New rich viewers let you inspect container image details, pull request metadata, AI agent configuration, and more without leaving the interface.
**Container Images** — View pull commands (by tag and digest), provenance, and deployment history directly from the material panel.
**Pull Request Info** — See PR details including branch info, reviewers, approval status, and bot detection — all rendered inline from `CHAINLOOP_PR_INFO` materials.
**AI Agent Configuration** — Browse collected AI agent configuration files, instructions, rules, and skills directly in the evidence panel.
## Compliance Override & Approval Workflows
The [compliance](/concepts/compliance-frameworks) override system now supports uploading evidence files as part of the override process — along with a full approval workflow and visual status indicators. Teams can also require approval for manually submitted evidence before it's used in [compliance evaluations](/concepts/compliance-frameworks), ensuring that manual submissions are validated before being incorporated into your attestation process.
## Product Management Commands
You can now create, update, and organize [products](/concepts/products) directly from the CLI — bringing full product lifecycle management into your terminal and automation scripts. Combined with [`chainloop apply`](/guides/declarative-resource-management), this enables GitOps-style product configuration alongside your existing [workflow](/concepts/workflows) and [contract](/concepts/contracts) definitions.
## Compliance Approval Workflows
Introducing approval workflows for [compliance](/concepts/compliance-frameworks) overrides at both the [product](/concepts/products) and [project](/concepts/projects-versions) level. Teams can now request structured exceptions to compliance requirements — with approvals tracked, auditable, and tied back to the evidence that justifies them. This gives security and compliance teams visibility and control over deviations without blocking delivery.
## Manual Evidence with Justification
You can now submit manual evidence entries with justification-only content — no artifact upload required. This is especially useful for documenting compliance activities like risk acceptances, design reviews, or exception approvals where the evidence is a written rationale rather than a file.
## Requirement Reordering
You can now reorder requirements within custom [compliance frameworks](/concepts/compliance-frameworks) — giving you full control over how your compliance structure is presented and navigated. Drag requirements into the order that makes sense for your team's review process.
## New MCP Server Tools
The [Chainloop MCP server](/reference/mcp-server) now includes `list_contracts` and `describe_contract` tools — making it possible for AI agents and development workflows to discover and inspect [workflow contracts](/concepts/contracts) directly. This brings contract management into AI-assisted automation, so teams can query contract schemas, materials, and policy attachments without leaving their AI toolchain.
With these tools, you can retrieve any contract's full declarative representation — including its materials, policies, policy groups, and runner configuration — directly from an AI assistant or automated workflow. Whether you're auditing a release gate, reviewing what evidence a pipeline collects, or building tooling on top of Chainloop, the contract schema is now just a tool call away.
## Product-Level Compliance Overrides
[Compliance policies](/concepts/compliance-frameworks) can now be overridden at the [product](/concepts/products) level — giving you more granular control over how compliance requirements are applied across your organization. This is especially useful when different products have distinct regulatory needs while sharing a common baseline.
## UI/UX Improvements
We've been investing heavily in the frontend experience. Our component library has been upgraded to a more compact, modern design system, and we've reworked key surfaces — from empty states to the org selector and dark mode — all to reduce visual noise while keeping the information you need front and center.
**Global Search** — A new global search experience lets you quickly find workflows, projects, frameworks, requirements and other resources across your organization from anywhere in the app. Try it out with `CMD + K` or by clicking the search button in the top navbar.
**Version Selector** — A redesigned version selector with dedicated **prerelease** and **release** tabs makes it easier to navigate between versions and understand what's promoted vs. in progress.
**Filtering Across All Lists** — All list pages now offer consistent filtering options, making it easier to find and organize your workflows, projects, and resources — no matter how large your organization grows
**Contracts Diff** — You can now see differences between [contract](/concepts/contracts) revisions at a glance, making it easier to understand what changed between versions.
**Compliance Coverage (Preview)** — An early preview of compliance coverage is now available, showing how your project maps [against compliance frameworks and requirements](/concepts/compliance-frameworks#requirement-coverage-preview). This feature is being actively developed and will be rolling out to all users soon.
**Easier Policy Evaluation Analysis** — [Policy evaluations](/concepts/policies) are now easier to analyze: advanced filtering helps you quickly focus on passed, failed, or skipped policies, and multiple skip reasons or violations are collapsed for a cleaner view.
**CLI Install Script** — The platform now serves a pre-configured CLI install script, so new users can get started with a single command — no manual endpoint configuration needed. Get your CLI with a single click, it is available in the help menu under "About Chainloop"
We've also introduced a top-level `chainloop apply` command for local or CI automation to enable GitOps operations. For more information, refer to our [CLI reference](https://docs.chainloop.dev/command-line-reference/cli-ee-reference).
## Agentic Policies Support
Agentic policies use AI to evaluate supply chain evidence with natural-language prompts. Define what to check in plain English — Chainloop sends the evidence to your configured LLM provider and returns violations, cryptographically signed into the attestation.
Use the built-in `evidence-prompt` policy for a zero-code experience, or call `chainloop.evidence_prompt` from custom policies for more control. Read more in the [LLM Policies guide](/guides/llm-policies).
```yaml theme={"dark"}
apiVersion: chainloop.dev/v1
kind: Contract
metadata:
name: check-build
spec:
policies:
attestation:
- ref: evidence-prompt
with:
prompt: "Check that all container images referenced in this attestation come from a trusted registry (e.g. ghcr.io or docker.io/chainloop)"
materials:
- ref: evidence-prompt
with:
prompt: "Analyze this SBOM and report any components with non-OSS compatible licenses such as AGPL, SSPL, or proprietary licenses"
materials:
- type: SBOM_CYCLONEDX_JSON
name: my-sbom
```
Our enterprise customers can use their own LLM provider by bringing an API key and configuring an [LLM integration](/concepts/integrations). Chainloop supports Anthropic and OpenAI (including OpenAI on Microsoft Foundry); see the [LLM support reference](/reference/llm-support) for details.
## Policy Engine Improvements
The policy engine is the core of Chainloop's control and quality gate capabilities. Our SDK comes packed with new features:
* [Attestation phases](/concepts/policies#attestation-phases) let you control when attestation-level policies are evaluated during the attestation lifecycle.
* [Policy-level gate override](/concepts/policies#configuring-enforcement) — The `gate` property in policy attachments now supports `gate: false` to explicitly disable enforcement for a specific policy, overriding the organization-wide control gate setting.
* [`chainloop.download_artifact`](/reference/builtin-functions#chainloopdownload_artifact) — A Rego builtin function that downloads an artifact from Chainloop's CAS directly into the policy evaluation context.
```bash theme={"dark"}
$ chainloop attestation verify --bundle ~/Downloads/f156d02.json
INF attestation verified successfully
```
* **Docker Compose for local evaluation**: A [Docker Compose setup](/guides/evaluate-platform#local-docker-compose) is now available for quick local evaluation of the platform. Contact the Chainloop team to get started.
Product-scoped requirements accept manual evidence submissions, but they don't yet support automated compliance from attestations.
* **Product compliance filters** now affects to the compliance status charts, reflecting the status of what users have selected.
* **Requirement Lifecycle Management** - mark requirements as `Active` or `Inactive` to control which ones are evaluated in your compliance assessments. Inactive requirements don't count toward your scores, making it easy to track requirements you're still defining without impacting your current compliance status. Learn more about [managing requirement lifecycles](/concepts/compliance-frameworks#requirement-lifecycle-management) in frameworks.
It can be deactivated by passing the flag `deactivate-ci-report` to the command.
Configure in Platform [Storage Backends Section](https://app.chainloop.dev/cas-backends) or using CLI:
```bash theme={"dark"}
chainloop cas-backend update oci --name [BACKEND_NAME] --fallback=true
```
**Requirements Auto-Matching Control**: Organizations can now [deactivate automatic matching of policies to compliance requirements](/concepts/compliance-frameworks#deactivating-requirements-auto-matching), enforcing explicit requirement declarations in workflow contracts for tighter control over compliance mappings.
When deactivated, only policies with explicit `requirements` declarations in contracts will be matched to framework requirements, ensuring intentional and explicit associations.
This can also be configured via CLI EE:
```bash theme={"dark"}
chainloop org update --name [ORG_NAME] --disable-requirements-auto-matching
```
## Requirement evaluation overrides
You can now manually override the evaluation status of compliance requirements with justification. This enables teams to document exceptions and provide context when requirements cannot be met through automated means.
Overrides are available in both project and product evaluation views. When a requirement is overridden, the status badge changes to "Status Overridden" and displays the justification below the evaluation header. Overrides are also included in the product compliance API response for programmatic access.
* Add [Evidence](/concepts/products#evidence-tab) tab to product view for centralized access to all pieces of evidence across product versions, including artifacts, SBOMs, VEX documents, vulnerability reports, and provenance data with advanced filtering capabilities
* Fix CAS backend permission errors when storage cannot be reached
* Extend `banned-licenses` policy to support SPDX license expressions
* Standardize on "pre-release" terminology across the platform
