Skip to main content

How Does it Work?

Chainloop is an Open Source SLSA level 3 provenance-compliant control plane and single source of truth for artifacts and attestation plus a dead-simple, contract-based attestation crafting process.

In practice, that means a solution that provides

Compliant Single Source of Truth

With Chainloop, your Software Supply Chain can craft and store attestation metadata and artifacts via a single integration point regardless of your CI/CD provider choice.

The result is having a SLSA level 3 compliant single Source of truth for artifacts and attestation built on OSS standards such as Sigstore, in-toto, SLSA and OCI.

Chainloop also makes sure the crafting of artifacts and attestation follows best practices and meets the requirements declared in their associated Workflow Contract.

Contract-based attestation

One key aspect is that in Chainloop, CI/CD integrations are declared via Workflow Contracts.

A Workflow Contract gives operators full control over what kind of data (build info, materials) must be received as part of the attestation and the environment where these workflows must be executed at. This enables an easy, and maintainable, way of propagating and enforcing requirements downstream to your organization.

You can think of it as an API for your organization's Software Supply Chain that both parties, development and SecOps teams can use to interact effectively.

Third-Party Integration fan-out

Operators can set up third-party integrations such as Dependency-Track for SBOM analysis or an OCI registry for storage of the received artifacts and attestation metadata.

Ops can mix and match with different integrations while not requiring developers to make any changes on their side!


The control plane provides org-wide workflow, attestation, and artifacts visibility, including error rates, and operational anomalies.

Role-tailored experience

Chainloop makes sure to clearly define the responsibilities, experience and functional scope of the two main personas, Security/Operation (SecOps) and Development/Application teams.

SecOps are the ones in charge of defining the Workflow Contracts, setting up third-party integrations, or having access to the control plane where all the Software Supply Chain Security bells and whistles are exposed.

Development teams on the other hand, just need to integrate Chainloop's jargon-free crafting tool and follow the steps via a familiar DevExp to make sure they comply with the Workflow Contract defined by the SecOps team. No need to learn in-toto, signing, SLSA, OCI APIs, nada :)

Integration Overview

See an example on how to integrate Chainloop with an existing GitHub action in the following video. The source code shown can be found here.

Let's walk through an overview of what an integration looks like:

In short, the integration process of a new pipeline in Chainloop consists of

  • The Operator registers a contract for that pipeline in the control plane.
  • The developers that own the pipeline use Chainloop's CLI to craft an attestation to comply with the contract.

Operator - Setup

  1. An operator creates a Workflow, a Contract (schema), and a service account

Developer - Attestation Crafting

  1. Set up the provided service account in their CI

  2. Start the crafting process by authenticating with the service account and retrieving the contract.

  3. Add the materials required by the contract, i.e artifact, OCI image ref, SBOM. If needed, the artifact will be uploaded to your artifacft storage (OCI registry) and referenced by its content digest

  4. Generate and push a signed in-toto statement once all the required materials have been added.

Operator - Inspect data

  1. Verify Attestation/Artifact metadata. They also have access to operational metrics

  2. Download Artifacts.

  3. Subscribe to exported Metrics

At this point, the SecOps team has control of the attestation and artifacts expectations (via Workflow contracts), which can be updated at any time with new requirements.

They also gained visibility, and have all the metadata and artifacts meeting the latest standards and best practices, while developers have been shielded from most of the complexity related to this process.

Stay tuned!

If you find this content interesting, please consider subscribing to our mailing list to stay up to date