Integrations
Overview
Operators can extend Chainloop functionality by setting up third-party integrations that operate on your attestation metadata. Integrations can range from sending a Slack message, uploading the attestation to a storage backend or sending a Software Bill Of Materials (SBOMs) to a third-party service for analysis, for example.
Below you can find the list of currently available integrations. If you can’t find the integration you are looking for, feel free to reach out or contribute your own!
Available integrations
| Name | Description | Supported Metadata |
|---|---|---|
| dependency-track | Send CycloneDX SBOMs to your Dependency-Track instance | SBOM |
| discord-webhook | Send attestations to Discord | Attestation |
| guac | Export Attestation and SBOMs metadata to a blob storage backend so guacsec/guac can consume it | SBOM |
| slack-webhook | Send attestations to Slack | Attestation |
| smtp | Send emails with information about a received attestation | Attestation |
| webhook | Send emails with information about a received attestation | Attestation, SBOM |
Using integrations
First, you need to make sure that the integration that you are looking for is available in your Chainloop instance, to do so you will:Go to the Integrations page and check if the integration you are looking for is available.
- register it in your organization (if you haven’t done so yet) and
- attach the registered integration to your workflows.
Registering an integration
Registration is when a specific instance of the integration is configured in a Chainloop organization. A registered instance is then available to be attached to any workflow. In our case, as an example, we want to register an instance of the webhook integration.To do so, click on the integration. You’ll see two sections: Registration inputs, and Attachment inputs.
Registration inputs are a one-time set of fields required to register the integration in your organization. In this case, the URL of the webhook. However, Attachment inputs are properties set at the workflow level, which can vary from one workflow to another within the same organization.Click “Add Registration” to set the URL value
After clicking “Register” you’ll see your integration in the “Registrations” tab:
The integration is now ready to be used in your different workflows.
Registration inputs are a one-time set of fields required to register the integration in your organization. In this case, the URL of the webhook. However, Attachment inputs are properties set at the workflow level, which can vary from one workflow to another within the same organization.Click “Add Registration” to set the URL valueAfter clicking “Register” you’ll see your integration in the “Registrations” tab:The integration is now ready to be used in your different workflows.Attaching an integration
Once the integration is registered, we can attach it to any workflow. In practice this means that attestations and material information generated in this workflow will be sent to the registered integration.In the workflow view, click on the integrations tab:
When clicking “Attach” you’ll be presented with the list of available integrations for your organization (which were prepared in the previous step).When an integration is selected, you’ll see the list of attachment properties that can be set at the workflow level. In this case, the two Attachment Input properties we saw in the previous section. This particular integration can receive full attestation documents, SBOMs, or both.
When clicking “Attach” you’ll be presented with the list of available integrations for your organization (which were prepared in the previous step).When an integration is selected, you’ll see the list of attachment properties that can be set at the workflow level. In this case, the two Attachment Input properties we saw in the previous section. This particular integration can receive full attestation documents, SBOMs, or both.