Material Types

Name	ID	Description
Artifact Type	ARTIFACT	It represents a software artifact.
Attestation	ATTESTATION	Existing Chainloop attestations.
BlackDuck SCA	BLACKDUCK_SCA_JSON
Container Image Reference	CONTAINER_IMAGE	A reference to a container image. It will get resolved and referenced by its sha
CSAF Informational Advisory	CSAF_INFORMATIONAL_ADVISORY
CSAF Security Advisory	CSAF_SECURITY_ADVISORY
CSAF Security Incident Report	CSAF_SECURITY_INCIDENT_RESPONSE
CSAF VEX	CSAF_VEX
Custom Evidence Type	EVIDENCE	Custom piece of evidence that doesn’t fit in any other category, for instance, an approval report in json format, etc.
GitHub Advanced Security Code scans	GHAS_CODE_SCAN
GitHub Advanced Security Dependency scans	GHAS_DEPENDENCY_SCAN
GitHub Advanced Security Secret scans	GHAS_SECRET_SCAN
GitLab Security report	GITLAB_SECURITY_REPORT	GitLab Security reports in JSON format
Helm Chart	HELM_CHART	A released Helm chart in tarball format
JaCoCo XML Report	JACOCO_XML
JUnit	JUNIT_XML
OpenVEX	OPENVEX	Open Vulnerability and Exposure eXchange (OpenVEX) format
SARIF	SARIF
CycloneDX SBOM	SBOM_CYCLONEDX_JSON	A CycloneDX Software Bill of Materials (SBOM) in JSON format
SPDX SBOM	SBOM_SPDX_JSON	An SPDX Software Bill of Materials (SBOM) in JSON format
Key-Value metadata pairs	STRING
PrismaCloud Twistcli Scan	TWISTCLI_SCAN_JSON
ZAP DAST zip report	ZAP_DAST_ZIP	Zap DAST report in zip format that matches the format returned from Zap’s GitHub Action
SLSA provenance attestation	SLSA_PROVENANCE	SLSA provenance file generated by GitHub or upstream slsa-generator
Chainloop Runner Context	CHAINLOOP_RUNNER_CONTEXT	Represents the runner context in which the attestation is crafted in a JSON format

See below an example on how to use them in your contract or refer to this guide to learn more about how to use them.

skynet.contract.yaml

schemaVersion: v1
# Arbitrary set of annotations can be added to the contract and will be part of the attestation
annotations:
  - name: version
    value: oss # if the value is left empty, it will be required and resolved at attestation time

# https://docs.chainloop.dev/concepts/operator/material-types
materials:
  # CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest
  - type: CONTAINER_IMAGE
    name:
      skynet-control-plane
      # The output flag indicates that the material will be part of the attestation subject
    output: true
    # Arbitrary annotations can be added to the material
    annotations:
      - name: component
        value: control-plane
      # The value can be left empty so it can be provided at attestation time
      - name: asset
  # ARTIFACT kinds will first get uploaded to your artifact registry via the built-in Content Addressable Storage (CAS)
  # Optional dockerfile
  - type: ARTIFACT
    name: dockerfile
    optional: true
  # SBOMs will be uploaded to the artifact registry and referenced in the attestation
  # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
  - type: SBOM_CYCLONEDX_JSON
    name: skynet-sbom
  # CSAF_VEX and OPENVEX are supported
  - type: OPENVEX
    name: disclosure
  # And static analysis reports in SARIF format
  - type: SARIF
    name: static-out
  # or additional tools
  - type: TWISTCLI_SCAN_JSON
    name: scan-result

# https://docs.chainloop.dev/concepts/policies
policies:
  materials: # policies applied to materials
    - ref: file://cyclonedx-licenses.yaml 
  attestation: # policies applied to the whole attestation
    - ref: https://github.com/chainloop/chainloop-dev/blob/main/docs/examples/policies/chainloop-commit.yaml # (2)

# Env vars we want the system to resolve and inject during attestation initialization
# Additional ones can be inherited from the specified runner context below
envAllowList:
  - CUSTOM_VAR

# Enforce in what runner context the attestation must happen
# If not specified, the attestation crafting process is allowed to run anywhere
runner:
  type: "GITHUB_ACTION"

Getting Started

Concepts

Guides

References

Misc