Overview

​

Data Gathering Primitives

​

Material

In Chainloop, a material is any piece of evidence (metadata) generated as part of the software development lifecycle (SDLC), or in more general terms, in any activity from the company compliance process. Examples of materials are:

• A container image built in a CI pipeline, referenced by its OCI URL (oci://my-registry/my-repo@mytag)
• A software bill of materials (SBOM)
• A test or code coverage report
• A vulnerability scan result
• An infrastructure scan, and more

Materials can be attached to an attestation during the attestation process.

Read the docs

​

Attestation

An attestation is a unit of data sent to Chainloop. Users and CI systems use the Chainloop CLI to “craft” attestations, add pieces of evidence (materials) to them, and “push” them to Chainloop service (the evidence store).

Attestations are performed with the Chainloop CLI and its lifecycle looks like this

# initialize the attestation. Downloading the contract
> chainloop att init --workflow workflow-name --project project-name

# add materials to the attestation
> chainloop att add --value ghcr.io/chainloop-dev/chainloop/control-plane:latest
> chainloop att add --value reports/cyclonedx.json --kind SBOM_CYCLONEDX_JSON

# generate, sign and push the attestation to chainloop
> chainloop att push

Read the docs

​

Workflow

A workflow represents a source of data to be sent to Chainloop. It usually corresponds to a CI pipeline, but it doesn’t necessarily need to match. For example, users might send data from other sources, like a custom integration from Jira. Workflows are just an umbrella term for all data ingestions from the same source.

Read the docs

​

Workflow Run

A workflow run represents an execution of a workflow. A successful workflow run will be associated with an attestation.

Read the docs

​

Contract

A contract is the interface between development pipelines and the Chainloop service. It defines the materials that are expected to be sent to Chainloop and some additional constraints, like the type of source (Github, Dagger …, etc.) and the policies that must be evaluated.

A contract can also be seen as the interface between the developers who must instrument their CI/CD pipelines and the other teams.

Read the docs

​

Compliance Primitives

​

Policy

Policies are rules evaluated against materials and/or the whole attestation document. They represent acceptance criteria for the system to ingest those materials. Even in failure cases (when there are policy violations), attestations are still sent to Chainloop but clearly marked as “not compliant.” This way, Chainloop keeps track of everything that is happening in the system, even if it’s not acceptable. Policies are written in Rego language.

Read the docs

​

Policy Groups

Policy groups are a way to group policies together. They are used to be able to attach a set of policies to a workflow contract.

Read the docs

​

Frameworks

Frameworks represent high-level regulatory standards or good practices. They are usually promoted by governments and required for companies to fulfill, such as SDDF, SOC2, CRA, etc.

Frameworks can also represent internal, custom checklists and normative for release management, security compliance, etc. In any case, Chainloop will help automate those by giving tools to manage and automate frameworks and requirements in terms of policies and data ingestions.

Read the docs

​

Requirements

Requirements are a high-level representation of Compliance criteria that the project must meet. They are not necessarily technical but written in high-level natural language by Compliance teams. It’s the responsibility of SecOps teams to map high-level requirements into low-level policies.

Requirements are grouped in a framework.

Read the docs

​

Exceptions

Sometimes, it’s acceptable for some organizations to release software without fulfilling all internal requirements. In these cases, Chainloop provides a way to register “exceptions” to those requirements, marking them as exempt and thus not counting against compliance criteria. Exceptions and their authors are recorded in the system for future auditing.

Read the docs

​

Organizational Primitives

​

Organization

Organizations represent the tenant entity in Chainloop. All users belong to one or more organizations and might have different role levels.

chainloop org --help

Organizations management

Usage:
  chainloop organization [command]

Aliases:
  organization, org

Available Commands:
  api-token   API token management
  create      Create an organization
  describe    Describe the current organization
  leave       leave an organization
  list        List the organizations this user has access to
  member      Organization members management
  set         Set the current organization to be used by this CLI
  update      Update an existing organization

​

Project and Versions

Projects and versions can be used to model software products. By associating workflows to projects, you can get an aggregated overview of the compliance status of the software product.

Read the docs