Skip to main content

Overview

Chainloop provides a set of built-in policies that enforce pull request quality standards in your CI/CD pipeline. These policies evaluate PR metadata automatically gathered by the Chainloop CLI and can act as control gates to block workflows when requirements aren’t met. When used as control gates, PR policies help ensure:
  • Code reviews are properly conducted
  • PRs have meaningful descriptions and linked issues
  • Security requirements like code owner approval are satisfied
  • Conversation resolution and stale review dismissal rules are followed

Available PR Policies

The following PR policies are available: All policies support both GitHub and GitLab.

How It Works

  1. Automatic PR Detection: The Chainloop CLI automatically detects when running in a pull request context and gathers PR metadata
  2. Material Collection: PR information is collected as a CHAINLOOP_PR_INFO material type
  3. Policy Evaluation: Attached PR policies evaluate the gathered metadata
  4. Control Gate: If a policy is configured as a gate and fails, the workflow is blocked (exit code != 0)

Quick Start

Prerequisites

  • Chainloop CLI configured in GitHub Actions or GitLab CI
  • A workflow contract configured in Chainloop with PR policies attached that runs in PR or MR events

Step 1: Create a Contract with PR Policies

Create a workflow contract that includes PR policies attached with the gate: true flag:
pr-quality-gate.contract.yaml

Step 2: Set Up GitHub Workflow

Configure your GitHub Actions workflow to use the Chainloop CLI with runner context gathering:
.github/workflows/pr-quality-gate.yml

Step 3: Configure Control Gate Enforcement

Enable control gate enforcement at the organization level or per-policy:

Policy Configuration Examples

Example 1: Branch-specific Review Requirements

Require different numbers of reviewers based on target branch:

Example 2: Enforce Conversation Resolution

Ensure all PR discussions are resolved before merge:

Example 3: Require Meaningful PR Descriptions

Enforce PR descriptions with specific sections:

Example 4: Ensure Stale Reviews Are Dismissed

Verify that old approvals are dismissed when new code is pushed:

Gating Bot-Authored PRs

In addition to enforcing quality on human PRs, you can use Chainloop to verify and gate bot-authored PRs from tools like Dependabot or Renovate. This ensures only approved bots can create PRs in your repository and provides an attestation trail for automated dependency updates.

How Bot Detection Works

GitHub bot accounts have a platform-reserved [bot] suffix (e.g., dependabot[bot], renovate[bot]) and a type: "Bot" field on the user object. The Chainloop CLI detects this automatically during attestation init when running in a pull request context.The approach uses two layers of defense:
  1. Workflow trigger: A GitHub Actions workflow triggers for any bot-authored PR using github.event.pull_request.user.type == 'Bot'
  2. Policy gate: The pr-bot-author-allowed policy restricts which specific bots are permitted. An unrecognized bot triggers the workflow but fails the policy gate.
If you use self-hosted Renovate on GitLab, choose one of these approaches so the pr-bot-author-allowed policy works correctly:
Provision the Renovate user as a GitLab service account (requires GitLab 16.1+, Premium or Ultimate). Service accounts have author.bot = true automatically, so the policy detects them as bots without additional configuration.
  1. Create a service account via the GitLab Groups API
  2. Generate a personal access token for the service account
  3. Configure Renovate to authenticate with that token
  4. No allowed_bots override is needed — the default policy configuration works

Contract

bot-pr-gate.contract.yaml

CI Configuration

.github/workflows/bot-pr-attestation.yml
The pr-bot-author-allowed policy supports both string-based author names (e.g., "dependabot[bot]") and structured author objects with explicit bot type detection, ensuring backwards compatibility with existing attestations.

GitHub vs GitLab: Bot Detection Differences

Handling Policy Failures

When a PR policy control gate fails:
  1. The workflow is blocked: chainloop attestation push returns a non-zero exit code
  2. The attestation is still recorded: Chainloop tracks the non-compliant activity for audit purposes
  3. Developers see clear error messages: Policy violations are displayed in the CLI output
Example failure output:

Bypassing Control Gates (Emergency Use)

In urgent situations (hotfixes, false positives), you can bypass control gates:
Important: The bypass is recorded and exposed to the compliance team for review.

Best Practices

  1. Start with non-blocking policies: Test policies without gate: true first to ensure they work as expected
  2. Use branch-specific requirements: Apply stricter rules to production branches (main, release/*) and lighter rules to development branches
  3. Combine multiple policies: Use multiple PR policies together for comprehensive quality checks
  4. Monitor policy violations: Review Chainloop’s UI regularly to identify patterns in policy failures
  5. Document bypass procedures: Establish clear guidelines for when and how to use --exception-bypass-policy-check
  6. Keep policies updated: Review and adjust policy parameters based on team feedback and compliance requirements

Troubleshooting

PR Info Not Being Gathered

Problem: The CHAINLOOP_PR_INFO material is not being collected automatically. Solutions:
  • Check that the workflow is triggered by a pull request event

Policy Always Passes Despite Invalid PR State

Problem: Policy evaluates successfully even when PR doesn’t meet requirements. Solutions:
  • Verify the policy’s branches parameter includes the target branch
  • Check that the PR metadata is being gathered correctly (inspect attestation in Chainloop UI)
  • Review policy parameters in the contract’s with section
  • Ensure the policy is compatible with your CI/CD platform (GitHub vs GitLab)

Control Gate Not Blocking Workflow

Problem: Workflow continues even when policy fails. Solutions:
  • Verify gate: true is set in the policy attachment
  • Check organization-wide enforcement settings (chainloop org describe)
  • Ensure you’re not using --exception-bypass-policy-check flag
  • Confirm the workflow doesn’t have error handling that catches the non-zero exit code

Additional Resources