Skip to main content
This feature is only available on Chainloop’s platform paid plans.
Repository Integration connects a Chainloop organization to a source-code provider so Chainloop can list your repositories, onboard projects and workflows from them, and act on their pull/merge requests. This page is the entry point; it links out to the detailed setup, permissions, and attestation guides.
Only GitHub and GitLab are supported. Other providers (e.g. Bitbucket) are not available.

What you get, tier by tier

The integration’s capabilities are layered — they are not all enabled the moment you connect. Connecting alone scans nothing.
TierActionWhat it enables
1. ConnectInstall the GitHub App (GitHub) or register a connection with an access token (GitLab), from Integrations (one-time, org-level)Chainloop can list your repositories, live from the provider. Nothing runs yet.
2. Managed deliveryLink a repository to a project and set its delivery mode to ManagedChainloop auto-creates and runs the scanning workflows (SAST, secret, vulnerability, IaC, GitHub-Actions, SCM-configuration-check), server-side, no CI changes.
3. PR/MR events(Automatic once connected)On each pull/merge request, Chainloop can post a summary comment and publish checks/statuses. See the table below for provider differences.
See Built-in & Managed Workflows for delivery modes, and Connect GitHub & GitLab for the hands-on connect flow.

GitHub vs. GitLab

The two providers are genuinely asymmetric. The essentials:
AspectGitHubGitLab
Auth modelGitHub App (installation tokens)Access token (personal, group, or service-account) with the api scope
Connect actionInstall the AppRegister a connection with a host + access token
Repository visibilityRepos selected at install time (installation-scoped)Projects the token can access at Developer level or above, shared org-wide to all Chainloop members
WebhooksAuto-provisioned by the AppChainloop registers a per-project hook on link, and removes it on disconnect
Webhook verificationX-Hub-Signature-256 (HMAC-SHA256)X-Gitlab-Token shared secret (auto-generated on install)
Managed workflowsGAGA
PR/MR summary commentPosted as a PR comment (when AI traces are present)Posted as an MR note; identical content
PR quality checks (pr-validation)Runs when a managed pr-validation workflow is enabledSame
Check surfaceRich Check Runs (Chainloop AI Policies, Chainloop PR Validation)Commit statuses (GitLab has no Check Runs) — pass/fail + link; full detail lives in the MR note
Multiple connectionsone github_app per instancemultiple token connections per org (different hosts, or distinct tokens for the same host)
Self-managed hostGHES via baseUrlself-managed via the connection’s host

Configuration

Configuration splits by audience, not by product edition:
On both Chainloop Cloud and self-hosted instances, an org admin connects the provider from Integrations, then links repositories to projects and picks a delivery mode. This is the same flow everywhere.See Connect GitHub & GitLab.

Must-knows

Connecting alone scans nothing. You must link a repository to a project and choose Managed delivery mode for any workflow to run.
  • PR feedback is gated. The AI-trace summary comment only appears when there are AI coding sessions/traces (or a pr-validation run). PR quality checks only run when a managed pr-validation workflow exists.
  • GitLab connections are org-wide and token-backed. Every Chainloop org member operates through the access token registered for the connection, so use a group or service-account token (not a personal one) to avoid tying access to an individual. Visible projects are those the token can reach at Developer level or above. You can register multiple connections per org.
  • On-prem has a GitHub operator prerequisite. Until an operator creates the GitHub App and sets its Helm values, the GitHub connect flow does not appear. GitLab has no such step.
  • Built-in templates are hidden in the on-prem UI. Self-hosted installs don’t surface Chainloop’s built-in workflow templates in the UI. You can manage custom, org-scoped templates via the CLI (chainloop apply -f), but only in Manual delivery mode.

Connect GitHub & GitLab

The hands-on connect flow.

Built-in & Managed Workflows

Delivery modes and what managed workflows do.

GitHub App (self-hosted)

Create the app and set Helm values.

GitLab integration (self-hosted)

Token-based connections; no operator setup.

GitHub permissions

Exact scopes the Chainloop GitHub App requests.

GitHub keyless attestation

Attest from GitHub Actions via OIDC.

GitLab keyless attestation

Attest from GitLab CI via OIDC.

Integrations catalog

All Chainloop integrations.