Skip to main content

Material Types

Chainloop supports the following pieces of evidence types that can be attached during the attestation process.

NameIDDescription
Artifact Type ARTIFACT It represents a software artifact.
Attestation ATTESTATION Existing Chainloop attestations.
BlackDuck SCA BLACKDUCK_SCA_JSON
Container Image Reference CONTAINER_IMAGE A reference to a container image. It will get resolved and referenced by its sha
CSAF Informational Advisory CSAF_INFORMATIONAL_ADVISORY
CSAF Security Advisory CSAF_SECURITY_ADVISORY
CSAF Security Incident Report CSAF_SECURITY_INCIDENT_RESPONSE
CSAF VEX CSAF_VEX
Custom Evidence Type EVIDENCE Custom piece of evidence that doesn't fit in any other category, for instance, an approval report in json format, etc.
GitHub Advanced Security Code scans GHAS_CODE_SCAN
GitHub Advanced Security Dependency scans GHAS_DEPENDENCY_SCAN
GitHub Advanced Security Secret scans GHAS_SECRET_SCAN
Gitlab Security report GITLAB_SECURITY_REPORT Gitlab Security reports in JSON format
Helm Chart HELM_CHART A released Helm chart in tarball format
JaCoCo XML Report JACOCO_XML
JUnit JUNIT_XML
OpenVEX OPENVEX Open Vulnerability and Exposure eXchange (OpenVEX) format
SARIF SARIF
CycloneDX SBOM SBOM_CYCLONEDX_JSON A CycloneDX Software Bill of Materials (SBOM) in JSON format
SPDX SBOM SBOM_SPDX_JSON An SPDX Software Bill of Materials (SBOM) in JSON format
Key-Value metadata pairs STRING
PrismaCloud Twistcli Scan TWISTCLI_SCAN_JSON
ZAP DAST zip report ZAP_DAST_ZIP Zap DAST report in zip format that matches the format returned from Zap's GitHub Action

See below an example on how to use them in your contract or refer to this guide to learn more about how to use them.

skynet.contract.yaml
schemaVersion: v1
# Arbitrary set of annotations can be added to the contract and will be part of the attestation
annotations:
- name: version
value: oss # if the value is left empty, it will be required and resolved at attestation time

# https://docs.chainloop.dev/reference/operator/material-types
materials:
# CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest
- type: CONTAINER_IMAGE
name:
skynet-control-plane
# The output flag indicates that the material will be part of the attestation subject
output: true
# Arbitrary annotations can be added to the material
annotations:
- name: component
value: control-plane
# The value can be left empty so it can be provided at attestation time
- name: asset
# ARTIFACT kinds will first get uploaded to your artifact registry via the built-in Content Addressable Storage (CAS)
# Optional dockerfile
- type: ARTIFACT
name: dockerfile
optional: true
# SBOMs will be uploaded to the artifact registry and referenced in the attestation
# Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
- type: SBOM_CYCLONEDX_JSON
name: skynet-sbom
# CSAF_VEX and OPENVEX are supported
- type: OPENVEX
name: disclosure
# And static analysis reports in SARIF format
- type: SARIF
name: static-out
# or additional tools
- type: TWISTCLI_SCAN_JSON
name: scan-result

# https://docs.chainloop.dev/reference/policies
policies:
materials: # policies applied to materials
- ref: file://cyclonedx-licenses.yaml
attestation: # policies applied to the whole attestation
- ref: https://github.com/chainloop/chainloop-dev/blob/main/docs/examples/policies/chainloop-commit.yaml # (2)

# Env vars we want the system to resolve and inject during attestation initialization
# Additional ones can be inherited from the specified runner context below
envAllowList:
- CUSTOM_VAR

# Enforce in what runner context the attestation must happen
# If not specified, the attestation crafting process is allowed to run anywhere
runner:
type: "GITHUB_ACTION"