
Overview

Operators can extend Chainloop functionality by setting up third-party integrations that operate on your attestation metadata and workflow events. Integrations range from sending a Slack message or uploading the attestation to a storage backend to sending Software Bills of Materials (SBOMs) to a third-party service for analysis.

Integration capabilities

Chainloop integrations provide the following capabilities:
  • Keyless Attestation — Attest directly from CI/CD environments using OIDC tokens, with no API keys to manage.
  • Repository Integration — Link source code repositories to Chainloop projects so attestations are scoped and validated per-repo.
  • Fan-Out — Distribute attestations, SBOMs, and artifacts to external systems after a workflow run.
  • Notifications — Send alerts about product updates, system status, and workflow events.
  • Chainloop Ask — Power the Ask Chainloop natural language assistant in the web UI and Slack.
  • Evidence AI Prompt — Evaluate attestation evidence using AI-driven, natural-language policies. See the LLM-driven policies guide and the LLM support reference.
Below you can find the list of currently available integrations. If you can’t find the integration you are looking for, feel free to reach out or contribute your own!

Integration providers

  • GitHub: Keyless attestation, repository integration
  • GitLab: Keyless attestation, repository integration
  • Slack: Notifications, Chainloop Ask
  • Dependency Track: Fan-out (CycloneDX SBOMs)
  • Discord: Fan-out (attestation delivery)
  • OpenAI: Chainloop Ask, Evidence AI Prompt
  • Anthropic: Chainloop Ask, Evidence AI Prompt
  • GUAC: Fan-out (attestation + SBOM export)
  • Webhook: Fan-out (generic POST)
  • SMTP / Email: Fan-out, Notifications
  • Microsoft Teams: Notifications

GitHub

Capability | Description
Keyless Attestation | Attest from GitHub Actions using OIDC tokens — no API keys required.
Repository Integration | Enroll GitHub repositories and link them to Chainloop projects for scoped attestation validation.

GitHub integration leverages GitHub’s native OIDC identity provider, enabling your CI pipelines to perform attestations without managing long-lived credentials. Repositories are enrolled in Chainloop and linked to projects, so only authorized repos can submit attestations.

GitHub keyless attestation guide

Step-by-step setup for OIDC-based keyless attestations from GitHub Actions.

GitLab

Capability | Description
Keyless Attestation | Attest from GitLab CI runners using OIDC tokens — no API keys required.
Repository Integration | Enroll GitLab repositories and link them to Chainloop projects for scoped attestation validation.

GitLab integration uses GitLab’s OIDC tokens with a chainloop audience claim. Like GitHub, repositories are enrolled and linked to projects before attestations are accepted.

GitLab keyless attestation guide

Step-by-step setup for OIDC-based keyless attestations from GitLab CI.
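
The keyless flow described above rests on two checks of the CI identity token: it was minted for the chainloop audience, and it comes from an enrolled repository. The following is an added illustration of that policy, not Chainloop's own code; it assumes the token signature has already been verified, uses the `project_path` claim carried by GitLab ID tokens, and relies on a hypothetical enrollment table and constructed sample claims.

```python
# Added illustration, not Chainloop's implementation. Assumes the token
# signature was already verified against the issuer's published keys and
# that `claims` is the decoded payload.
from dataclasses import dataclass
from typing import Optional

EXPECTED_ISSUER = "https://gitlab.com"  # assumption: gitlab.com SaaS issuer
EXPECTED_AUDIENCE = "chainloop"         # audience named on this page
# Hypothetical enrollment table: GitLab project path -> Chainloop project.
ENROLLED = {"acme/payments-api": "payments"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    project: Optional[str]
    reason: str


def authorize(claims: dict, now: int, enrolled: dict = ENROLLED) -> Decision:
    """Decide whether a verified CI identity token may submit an attestation."""
    if claims.get("iss") != EXPECTED_ISSUER:
        return Decision(False, None, "unexpected issuer")
    aud = claims.get("aud")  # JWT `aud` may be a string or a list of strings
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if EXPECTED_AUDIENCE not in audiences:
        return Decision(False, None, "token not minted for chainloop")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return Decision(False, None, "token expired or exp missing")
    repo = claims.get("project_path")  # GitLab ID token claim
    project = enrolled.get(repo) if isinstance(repo, str) else None
    if project is None:
        return Decision(False, None, "repository not enrolled")
    return Decision(True, project, "ok")


# Constructed sample claims (not captured from a real pipeline).
NOW = 1_700_000_000
GOOD = {"iss": "https://gitlab.com", "aud": "chainloop",
        "exp": NOW + 300, "project_path": "acme/payments-api"}
OTHER_AUD = {**GOOD, "aud": ["https://vault.example"]}
NOT_ENROLLED = {**GOOD, "project_path": "acme/payments-api-fork"}
EXPIRED = {**GOOD, "exp": NOW - 1}

if __name__ == "__main__":
    for name, c in [("good", GOOD), ("other-aud", OTHER_AUD),
                    ("not-enrolled", NOT_ENROLLED), ("expired", EXPIRED)]:
        print(name, authorize(c, NOW))
```

A token issued for a different audience or from a repository that was never enrolled is rejected even though its signature is valid, which is what keeps a token minted for another service from being replayed as an attestation credential.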

Slack

This feature is only available on Chainloop’s platform paid plans.
Capability | Description
Notifications | Receive alerts about product updates, system status, and workflow events via Slack channels.
Chainloop Ask | Query your supply chain data using natural language directly from Slack (requires an AI provider such as Anthropic or OpenAI).

Slack can be configured as both a notification channel and a Chainloop Ask interface. Notifications are configured at the organization or product level. Chainloop Ask in Slack requires a registered AI provider to function.

Notifications setup

Configure Slack notification channels and preferences.

Ask Chainloop

Learn about the AI-powered assistant available in web and Slack.

Dependency Track

Capability | Description
Fan-Out | Automatically send CycloneDX SBOMs to your Dependency-Track instance for vulnerability analysis.

This integration forwards SBOM materials collected during attestation to Dependency-Track, enabling continuous vulnerability monitoring of your software components.
Supported metadata: SBOM_CYCLONEDX_JSON
View integration source

Discord

Capability | Description
Fan-Out | Send attestation summaries to Discord channels via webhooks.

View integration source

OpenAI

This feature is only available on Chainloop’s platform paid plans.
Capability | Description
Chainloop Ask | Powers the Ask Chainloop assistant in the web UI and Slack.
Evidence AI Prompt | Evaluate attestation evidence using natural-language policies via OpenAI models.

Register OpenAI as an AI provider to enable Chainloop Ask across the web UI and Slack, and to use LLM-driven policy evaluations on attestation evidence.

Ask Chainloop

Natural language assistant for supply chain queries.

LLM support reference

Configuration details for AI providers.

Anthropic

This feature is only available on Chainloop’s platform paid plans.
Capability | Description
Chainloop Ask | Powers the Ask Chainloop assistant in the web UI and Slack.
Evidence AI Prompt | Evaluate attestation evidence using natural-language policies via Anthropic models.

Register Anthropic as an AI provider to enable Chainloop Ask across the web UI and Slack, and to use LLM-driven policy evaluations on attestation evidence.

Ask Chainloop

Natural language assistant for supply chain queries.

LLM support reference

Configuration details for AI providers.

GUAC

Capability | Description
Fan-Out | Export attestation and SBOM metadata to a blob storage backend for consumption by guacsec/guac.

Supported metadata: SBOM_CYCLONEDX_JSON, SBOM_SPDX_JSON
View integration source

Webhook

Capability | Description
Fan-Out | Send attestations and SBOMs to any HTTP endpoint via a generic POST webhook.

A flexible integration for forwarding attestation data to any system that accepts webhooks.
Supported metadata: Attestation, SBOM_CYCLONEDX_JSON, SBOM_SPDX_JSON
View integration source

SMTP / Email

Capability | Description
Fan-Out | Send emails containing attestation information after workflow runs.
Notifications | Receive system and product notifications via email.

SMTP can be used as both a fan-out integration (attached to workflows) and a notification channel (configured at the organization or product level).

Fan-out source

View SMTP fan-out integration source.

Notifications setup

Configure email notification preferences.

Microsoft Teams

This feature is only available on Chainloop’s platform paid plans.
Capability | Description
Notifications | Receive alerts about product updates, system status, and workflow events via Microsoft Teams channels.

Check the Notifications documentation for configuration details.

Setting up integrations

Both Fan-Out and Notification integrations follow the same registration process. The key difference is how they are used after registration:
  • Fan-Out integrations are attached to individual workflows
  • Notification integrations are configured at different scopes for alerting purposes (Organization-level, Product-level)
  • LLM integrations are registered globally, and used in agentic policies

Step 1: Check available integrations

First, make sure that the integration you are looking for is available in your Chainloop instance:
Go to the Integrations page and check if the integration you are looking for is available.

Step 2: Register the integration

Registration is when a specific instance of the integration is configured in a Chainloop organization. A registered instance is then available to be attached to workflows (for Fan-Out) or configured globally (for Notifications). Each registration shows its configuration status in the UI. In our case, as an example, we want to register an instance of the webhook integration.
To do so, click on the integration. You’ll see two sections: Registration inputs and Attachment inputs.

Registration inputs are a one-time set of fields required to register the integration in your organization; in this case, the URL of the webhook. Attachment inputs, by contrast, are properties set at the workflow level, which can vary from one workflow to another within the same organization.

Click “Add Registration” to set the URL value.

After clicking “Register” you’ll see your integration in the “Registrations” tab.

Step 3: Attaching Fan-Out integrations to workflows

For Notification integrations: Check the Notifications documentation for reference.
Once the integration is registered, the next step depends on the integration type. For Fan-Out integrations, attach the integration to specific workflows. In practice this means that attestations and material information generated in those workflows will be sent to the registered integration.

In the workflow view, click on the integrations tab.

When clicking “Attach” you’ll be presented with the list of available integrations for your organization (which were prepared in the previous step).

When an integration is selected, you’ll see the list of attachment properties that can be set at the workflow level. In this case, the two Attachment Input properties we saw in the previous section. This particular integration can receive full attestation documents, SBOMs, or both.