How Does it Work?
In practice, that means a solution that provides:
Compliant Single Source of Truth
With Chainloop, your Software Supply Chain crafts and stores attestation metadata and artifacts through a single integration point, regardless of your CI/CD provider.
Chainloop also makes sure that artifacts and attestations are crafted following best practices and meet the requirements declared in their associated Workflow Contract.
One key aspect is that in Chainloop, CI/CD integrations are declared via Workflow Contracts.
A Workflow Contract gives operators full control over what data (build info, materials) must be received as part of the attestation and the environment in which these workflows must run. This provides an easy and maintainable way of propagating and enforcing requirements downstream across your organization.
You can think of it as an API for your organization's Software Supply Chain that both parties, development and SecOps teams, can use to interact effectively.
Third-Party Integration fan-out
Operators can set up third-party integrations, such as Dependency-Track for SBOM analysis or an OCI registry for storing the received artifacts and attestation metadata.
Ops can mix and match integrations without requiring developers to make any changes on their side!
The control plane provides org-wide workflow, attestation and artifact visibility, including error rates and operational anomalies.
Chainloop clearly defines the responsibilities, experience and functional scope of the two main personas: Security/Operations (SecOps) and Development/Application teams.
SecOps are in charge of defining the Workflow Contracts and setting up third-party integrations, and have access to the control plane where all the Software Supply Chain Security bells and whistles are exposed.
Development teams, on the other hand, just need to integrate Chainloop's jargon-free crafting tool and follow the steps via a familiar DevExp to make sure they comply with the Workflow Contract defined by the SecOps team. No need to learn in-toto, signing, SLSA, OCI APIs, nada :)
See an example of how to integrate Chainloop with an existing GitHub Action in the following video. The source code shown can be found here.
Let's walk through an overview of what an integration looks like:
In short, integrating a new pipeline into Chainloop consists of:
- The Operator registers a contract for that pipeline in the control plane.
- The developers that own the pipeline use Chainloop's CLI to craft an attestation that complies with the contract.
Operator - Setup
Developer - Attestation Crafting
- Set up the provided service account in their CI.
- Start the crafting process by authenticating with the service account and retrieving the contract.
- Add the materials required by the contract, i.e. artifact, OCI image ref, SBOM. If needed, the artifact is uploaded to your artifact storage (OCI registry) and referenced by its content digest.
- Generate and push a signed in-toto statement once all the required materials have been added.
Operator - Inspect data
- Verify attestation/artifact metadata. They also have access to operational metrics.
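To make the contract, crafting and inspection steps above concrete, here is an added, self-contained example (not Chainloop's own code or contract schema) that models the same flow: an operator-declared contract listing required material types and an environment allow-list, a crafter that rejects undeclared or malformed materials and references artifact bodies only by their sha256 digest, an in-toto Statement wrapped in a DSSE envelope signed over the pre-authentication encoding, and a verify step for the operator side. The contract field names, the predicate type URL, the sample binary/SBOM/image ref, the CI environment and the key are all constructed for the example; HMAC stands in for the asymmetric signature a real tool would produce with a cosign or KMS key.

```python
"""Illustrative contract-driven attestation crafting. Added example, not
Chainloop's code: contract layout, predicate type and sample inputs are assumed."""
import base64
import hashlib
import hmac
import json

# Constructed contract (illustrative schema): what the pipeline must attest to.
CONTRACT = {
    "schemaVersion": "v1",
    "materials": [
        {"name": "binary", "type": "ARTIFACT", "optional": False},
        {"name": "sbom", "type": "SBOM_CYCLONEDX_JSON", "optional": False},
        {"name": "image", "type": "CONTAINER_IMAGE", "optional": True},
    ],
    # Only these CI variables are captured; secrets never enter the statement.
    "envAllowList": ["GITHUB_SHA", "GITHUB_REF"],
}

# Constructed sample inputs standing in for real CI outputs.
BINARY = b"\x7fELF\x02\x01\x01" + b"\x00" * 32
SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}).encode()
IMAGE_REF = "ghcr.io/example/app@sha256:" + "a" * 64
CI_ENV = {"GITHUB_SHA": "0123abcd", "GITHUB_REF": "refs/heads/main",
          "AWS_SECRET_ACCESS_KEY": "do-not-leak"}
SIGNING_KEY = b"example-only-key"  # HMAC key; a real tool signs with an asymmetric key


class ContractViolation(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Crafter:
    """Mirrors init -> add -> push: collects materials and checks them against the contract."""

    def __init__(self, contract, env):
        self.spec = {m["name"]: m for m in contract["materials"]}
        self.materials = {}
        self.env = {k: env[k] for k in contract.get("envAllowList", []) if k in env}

    def add(self, name, value):
        if name not in self.spec:
            raise ContractViolation(f"material {name!r} not declared in contract")
        mtype = self.spec[name]["type"]
        if mtype == "ARTIFACT":
            # The body is uploaded elsewhere; the statement carries only its digest.
            entry = {"type": mtype, "digest": "sha256:" + sha256_hex(value)}
        elif mtype == "SBOM_CYCLONEDX_JSON":
            if json.loads(value).get("bomFormat") != "CycloneDX":
                raise ContractViolation("sbom is not a CycloneDX document")
            entry = {"type": mtype, "digest": "sha256:" + sha256_hex(value)}
        elif mtype == "CONTAINER_IMAGE":
            if "@sha256:" not in value:
                raise ContractViolation("image ref must be pinned by digest, not tag")
            entry = {"type": mtype, "ref": value}
        else:
            raise ContractViolation(f"unsupported material type {mtype}")
        self.materials[name] = entry

    def statement(self):
        missing = [n for n, m in self.spec.items() if not m["optional"] and n not in self.materials]
        if missing:
            raise ContractViolation(f"missing required materials: {missing}")
        subject = [{"name": n, "digest": {"sha256": m["digest"].split(":", 1)[1]}}
                   for n, m in self.materials.items() if "digest" in m]
        return {
            "_type": "https://in-toto.io/Statement/v1",
            "subject": subject,
            "predicateType": "https://example.com/attestation/v1",  # assumed URL
            "predicate": {"materials": self.materials, "env": self.env},
        }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are actually signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def push(crafter, key):
    payload = json.dumps(crafter.statement(), sort_keys=True, separators=(",", ":")).encode()
    ptype = "application/vnd.in-toto+json"
    sig = hmac.new(key, pae(ptype, payload), hashlib.sha256).digest()
    return {"payloadType": ptype, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "ci-key", "sig": base64.b64encode(sig).decode()}]}


def verify(envelope, key):
    """Operator side: recompute the signature over the PAE before trusting the payload."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for s in envelope["signatures"]:
        if hmac.compare_digest(base64.b64decode(s["sig"]), expected):
            return json.loads(payload)
    raise ValueError("no valid signature on envelope")


def run_example():
    c = Crafter(CONTRACT, CI_ENV)
    c.add("binary", BINARY)
    c.add("sbom", SBOM)
    c.add("image", IMAGE_REF)
    return verify(push(c, SIGNING_KEY), SIGNING_KEY)


def missing_material_error():
    c = Crafter(CONTRACT, CI_ENV)
    c.add("binary", BINARY)
    try:
        push(c, SIGNING_KEY)
    except ContractViolation as e:
        return str(e)
    return None


def tampered_envelope_rejected():
    c = Crafter(CONTRACT, CI_ENV)
    c.add("binary", BINARY)
    c.add("sbom", SBOM)
    env = push(c, SIGNING_KEY)
    tampered = json.loads(base64.b64decode(env["payload"]))
    tampered["predicate"]["materials"]["binary"]["digest"] = "sha256:" + "f" * 64
    env["payload"] = base64.b64encode(json.dumps(tampered).encode()).decode()
    try:
        verify(env, SIGNING_KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
    print(missing_material_error())
    print("tampered rejected:", tampered_envelope_rejected())
```

Two details carry the security weight here: the allow-list means the secret in `CI_ENV` never reaches the statement, and signing over the DSSE PAE (type length plus payload length) rather than the raw JSON prevents a payload of one type being replayed as another.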
At this point, the SecOps team controls the attestation and artifact expectations (via Workflow Contracts), which can be updated at any time with new requirements.
They have also gained visibility, and all the metadata and artifacts meet the latest standards and best practices, while developers have been shielded from most of the complexity of this process.