This feature is only available on Chainloop’s platform paid plans.
Only GitHub and GitLab are supported. Other providers (e.g. Bitbucket) are not available.
What you get, tier by tier
The integration’s capabilities are layered — they are not all enabled the moment you connect. Connecting alone scans nothing.| Tier | Action | What it enables |
|---|---|---|
| 1. Connect | Install the GitHub App (GitHub) or register a connection with an access token (GitLab), from Integrations (one-time, org-level) | Chainloop can list your repositories, live from the provider. Nothing runs yet. |
| 2. Managed delivery | Link a repository to a project and set its delivery mode to Managed | Chainloop auto-creates and runs the scanning workflows (SAST, secret, vulnerability, IaC, GitHub-Actions, SCM-configuration-check), server-side, no CI changes. |
| 3. PR/MR events | (Automatic once connected) | On each pull/merge request, Chainloop can post a summary comment and publish checks/statuses. See the table below for provider differences. |
GitHub vs. GitLab
The two providers are genuinely asymmetric. The essentials:| Aspect | GitHub | GitLab |
|---|---|---|
| Auth model | GitHub App (installation tokens) | Access token (personal, group, or service-account) with the api scope |
| Connect action | Install the App | Register a connection with a host + access token |
| Repository visibility | Repos selected at install time (installation-scoped) | Projects the token can access at Developer level or above, shared org-wide to all Chainloop members |
| Webhooks | Auto-provisioned by the App | Chainloop registers a per-project hook on link, and removes it on disconnect |
| Webhook verification | X-Hub-Signature-256 (HMAC-SHA256) | X-Gitlab-Token shared secret (auto-generated on install) |
| Managed workflows | GA | GA |
| PR/MR summary comment | Posted as a PR comment (when AI traces are present) | Posted as an MR note; identical content |
PR quality checks (pr-validation) | Runs when a managed pr-validation workflow is enabled | Same |
| Check surface | Rich Check Runs (Chainloop AI Policies, Chainloop PR Validation) | Commit statuses (GitLab has no Check Runs) — pass/fail + link; full detail lives in the MR note |
| Multiple connections | one github_app per instance | multiple token connections per org (different hosts, or distinct tokens for the same host) |
| Self-managed host | GHES via baseUrl | self-managed via the connection’s host |
Configuration
Configuration splits by audience, not by product edition:- Everyone (connect a repository)
- On-prem operators (GitHub prerequisite)
On both Chainloop Cloud and self-hosted instances, an org admin connects the provider from Integrations, then links repositories to projects and picks a delivery mode. This is the same flow everywhere.See Connect GitHub & GitLab.
Must-knows
Connecting alone scans nothing. You must link a repository to a project and choose Managed delivery mode for any workflow to run.
- PR feedback is gated. The AI-trace summary comment only appears when there are AI coding sessions/traces (or a
pr-validationrun). PR quality checks only run when a managedpr-validationworkflow exists. - GitLab connections are org-wide and token-backed. Every Chainloop org member operates through the access token registered for the connection, so use a group or service-account token (not a personal one) to avoid tying access to an individual. Visible projects are those the token can reach at Developer level or above. You can register multiple connections per org.
- On-prem has a GitHub operator prerequisite. Until an operator creates the GitHub App and sets its Helm values, the GitHub connect flow does not appear. GitLab has no such step.
- Built-in templates are hidden in the on-prem UI. Self-hosted installs don’t surface Chainloop’s built-in workflow templates in the UI. You can manage custom, org-scoped templates via the CLI (
chainloop apply -f), but only in Manual delivery mode.
Related guides
Connect GitHub & GitLab
The hands-on connect flow.
Built-in & Managed Workflows
Delivery modes and what managed workflows do.
GitHub App (self-hosted)
Create the app and set Helm values.
GitLab integration (self-hosted)
Token-based connections; no operator setup.
GitHub permissions
Exact scopes the Chainloop GitHub App requests.
GitHub keyless attestation
Attest from GitHub Actions via OIDC.
GitLab keyless attestation
Attest from GitLab CI via OIDC.
Integrations catalog
All Chainloop integrations.
