This feature is only available on Chainloop’s platform paid plans.
The Secure Software Development Framework (SSDF) v1.1, published by NIST, offers a structured approach to embedding secure-by-design principles throughout the software development life cycle (SDLC) and emphasizes the organizational policies, roles, and processes needed to make these practices effective. Its ultimate goal is to reduce software vulnerabilities and limit the impact of potential exploitation. Originally released as voluntary guidance in 2020, SSDF has since become a foundational part of U.S. federal software security requirements, with growing emphasis on measurable compliance.
Chainloop’s current implementation offers an overall SSDF self-assessment checklist, extended with more granular manual evidence and automated policies specifically for the Respond to Vulnerabilities (RV) activities (details in our reference guide).
You should consider SSDF compliance tracking in projects that:
While these actions could happen in the same workflow, they usually don’t:
A typical Chainloop project managing build, test, release, and post-release workflows with SSDF compliance tracking will resemble the following:
You can enable SSDF compliance tracking on existing projects and workflows as long as they meet these requirements. Throughout this guide the project is named production-project and the two workflows are named release-workflow and vuln-scan-workflow.
When a project is set up and workflows are in place, only three steps are needed to track compliance with SSDF:
Next, we’ll go over SSDF compliance tracking setup in two different cases:
This framework is available in-preview mode. Learn how to enable in-preview compliance frameworks in your organization.
For existing projects, simply follow the framework attachment instructions selecting SSDF from the frameworks list.
If you are starting from scratch, create a new project with the name production-project and add the SSDF framework during the project creation.
If you’re reusing existing workflows and those workflows already have contracts (other than the default one), update those contracts to include sbom-quality for the release-workflow and vulnerability-management for the vuln-scan-workflow.
Go to your contracts list, identify the contract and edit it. For reference, see the release-contract and vuln-scan-contract examples.
If you are starting fresh or using the default (empty) contract, you will need to create new contracts:
Create two new contracts, release-contract and vuln-scan-contract, following the managing contracts instructions and including the following yaml content:
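As an added illustration of the two contracts described above (not the page’s own YAML, which is not reproduced here), the following shows one contract per workflow. The schema layout, the material names and types, and the policyGroups reference syntax are assumptions about the Chainloop contract format; only the group names sbom-quality and vulnerability-management come from this page.

```yaml
# release-contract (added example, assumed contract schema)
schemaVersion: v1
materials:
  # Material names and types below are assumptions for illustration
  - type: CONTAINER_IMAGE
    name: image
    output: true
  - type: SBOM_CYCLONEDX_JSON
    name: sbom
policyGroups:
  # sbom-quality is the group this page attaches to the release workflow;
  # the chainloop:// reference form is an assumption
  - ref: chainloop://sbom-quality
---
# vuln-scan-contract (added example, assumed contract schema)
schemaVersion: v1
materials:
  # A scanner report for the vulnerability-management group to evaluate (assumed type)
  - type: SARIF
    name: vuln-report
policyGroups:
  # vulnerability-management is the group this page attaches to the vuln-scan workflow
  - ref: chainloop://vulnerability-management
```

Each document above is saved as its own contract file; which materials a group actually evaluates is defined by that group, so check the policy group documentation before relying on these material types.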
If you’re using existing workflows that were attached to the default contract, update them to use the new contracts:
Follow the associating workflows to contracts documentation and assign the release-workflow to the release-contract and the vuln-scan-workflow to the vuln-scan-contract.
If you are not reusing any existing workflows, create new ones:
One with the release-workflow name, associated with the production-project and the release-contract that you created in the previous step.
One with the vuln-scan-workflow name, associated with the production-project and the vuln-scan-contract that you created in the previous step.
This step is only necessary if you don’t already have your CI pipeline configured to send attestations.
Assuming you have the Chainloop CLI installed (see installation docs if not), run:
Once you’ve completed the steps above, your project should now be configured according to the structure shown in the diagram at the beginning of this guide and your SSDF compliance status will appear in the Project Overview for each version.
The compliance status is updated whenever:
Click “See details” to view all SSDF requirements, associated policies, and manual evidence.
As you complete the manual evidence and submit valid attestations through your CI workflows, compliance indicators will turn green.