Skip to main content
In addition to the Rego builtin functions, Chainloop’s Rego engine has been enhanced with additional functions that can be used to interact with Chainloop APIs and features. All API calls to Chainloop services will use the same authentication context configured in the CLI (by using chainloop auth login or CHAINLOOP_TOKEN). This is the list of APIs supported currently:

chainloop.discover

Calls Chainloop’s Discover API. It’s the same as chainloop discover --digest sha256:foobar Usage: chainloop.discover(digest, kind) Arguments:
  • digest (string): artifact digest in the form of sha256:foobar
  • kind (string, optional): optional filter by kind to disambiguate
Returns: same payload as chainloop discover CLI call. A JSON with the artifact metadata and the list of referenced artifacts. Example: 
  {
   "digest": "sha256:79261a7ebb2955f1c54c092bee6ee0e16ad6d096ed51f599412a50b356b247c9",
   "kind": "CONTAINER_IMAGE",
   "downloadable": false,
   "public": true,
   "createdAt": "2025-11-19T10:37:45.937172Z",
   "references": [
      {
         "digest": "sha256:5319f1abba10ae602a92c0e4b5bfd6e59e6dcadaae68c57f0b55cc7ff96d7e57",
         "kind": "ATTESTATION",
         // ... other metadata
      },
      {
         "digest": "sha256:d0d10a109a55c16118c622daefd276a5641be81bb024e1f30eedbef3eb9b9c49",
         "kind": "ATTESTATION",
         // ... other metadata
      },
      {
         "digest": "sha256:ad71aa55f6016aa83a1418bdb1337a889f1df47173ec640813911f0cbb00d3b1",
         "kind": "ATTESTATION",
         // ... other metadata
      }
   ]
}

chainloop.evidence

Lists evidence stored in the platform by querying the Evidence service (see API Reference - EvidenceService/List). Use this to retrieve evidence metadata across projects and workflows for compliance validation.
This feature is only available on Chainloop’s platform paid plans.
Usage: chainloop.evidence(filters) Arguments:
  • filters (object): filter object with optional fields:
    • project_name (string, optional): name of the project to filter by
    • project_version_name (string, optional): name of the project version to filter by
    • kind (array of strings, optional): array of material types to filter by (e.g., ["SBOM_CYCLONEDX_JSON", "HELM_CHART"])
    • workflow_names (array of strings, optional): array of workflow names to filter by
    • search (string, optional): search term to filter evidence by name or subject name
    • latest (boolean, optional): if true, only the latest evidence for each kind and name is returned
    • hide_attestation (boolean, optional): if true, excludes attestation evidence from the results
    • product_id (string, optional): ID of the product to filter evidence by
    • product_version_id (string, optional): ID of the product version to filter evidence by
    • limit (number, optional): maximum number of results to return per page
Returns: object with evidence data. Example: 
{
  "results": [
    {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "name": "my-helm-chart",
      "digest": "sha256:abc123...",
      "kind": "HELM_CHART",
      "subject_name": "myapp",
      "subject_version": "1.0.0",
      "annotations": {
        "key": "value"
      },
      "organization_id": "660e8400-e29b-41d4-a716-446655440000",
      "organization_name": "My Org",
      "workflow_id": "770e8400-e29b-41d4-a716-446655440000",
      "workflow_name": "build-pipeline",
      "workflow_run_id": "880e8400-e29b-41d4-a716-446655440000",
      "project_id": "990e8400-e29b-41d4-a716-446655440000",
      "project_name": "my-project",
      "project_version_id": "aa0e8400-e29b-41d4-a716-446655440000"
    }
  ]
Example usage: 
violations contains msg if {
  ev := chainloop.evidence({
    "project_name": input.args.project_name,
    "kind": ["HELM_CHART"],
  })

  count(evidences.results) == 0
  msg := sprintf("No HELM_CHART found for project '%s'", [input.args.project_name])
}

chainloop.project_compliance

Retrieves project-level compliance data (see API Reference - ComplianceService/Get project-level compliance evaluation) for all requirements. Use this to check compliance status for a project version.
This feature is only available on Chainloop’s platform paid plans.
Usage: chainloop.project_compliance(filters) Arguments:
  • filters (object): filter object with:
    • project_version_id (string, required): UUID of the project version to check compliance for
    • framework_ids (optional): array of framework IDs. If not provided, returns requirements from all frameworks associated with the project version
    • limit (number, optional): maximum number of results to return per page
Returns: object with compliance evaluation data. Example: 
{
  "evaluations": [
    {
      "requirement_id": "bb0e8400-e29b-41d4-a716-446655440000",
      "requirement_version_id": "cc0e8400-e29b-41d4-a716-446655440000",
      "requirement_revision": 1,
      "name": "sbom-required",
      "display_name": "SBOM Required",
      "description": "All builds must generate an SBOM",
      "project_version_id": "dd0e8400-e29b-41d4-a716-446655440000",
      "framework_id": "ee0e8400-e29b-41d4-a716-446655440000",
      "status": "fail",
      "created_at": "2025-12-10T10:00:00Z"
    }
  ]
}
Example usage: 
violations contains msg if {
  ev := chainloop.project_compliance({
    "project_version_id": input.args.project_version_id,
  })

  some eval in ev.evaluations
  eval.status == "fail"
  msg := sprintf("Requirement '%s' is failing in project", [eval.name])
}