Material Types
Chainloop supports the following pieces of evidence types that can be attached during the attestation process.
| Name | ID | Description |
|---|---|---|
| Artifact Type | ARTIFACT | It represents a software artifact. |
| Attestation | ATTESTATION | Existing Chainloop attestations. |
| BlackDuck SCA | BLACKDUCK_SCA_JSON | |
| Container Image Reference | CONTAINER_IMAGE | A reference to a container image. It will get resolved and referenced by its sha |
| CSAF Informational Advisory | CSAF_INFORMATIONAL_ADVISORY | |
| CSAF Security Advisory | CSAF_SECURITY_ADVISORY | |
| CSAF Security Incident Report | CSAF_SECURITY_INCIDENT_RESPONSE | |
| CSAF VEX | CSAF_VEX | |
| Custom Evidence Type | EVIDENCE | Custom piece of evidence that doesn't fit in any other category, for instance, an approval report in json format, etc. |
| Gitlab Security report | GITLAB_SECURITY_REPORT | Gitlab Security reports in JSON format |
| Helm Chart | HELM_CHART | A released Helm chart in tarball format |
| JUnit | JUNIT_XML | |
| OpenVEX | OPENVEX | Open Vulnerability and Exposure eXchange (OpenVEX) format |
| SARIF | SARIF | |
| CycloneDX SBOM | SBOM_CYCLONEDX_JSON | A CycloneDX Software Bill of Materials (SBOM) in JSON format |
| SPDX SBOM | SBOM_SPDX_JSON | An SPDX Software Bill of Materials (SBOM) in JSON format |
| Key-Value metadata pairs | STRING | |
| PrismaCloud Twistcli Scan | TWISTCLI_SCAN_JSON | |
| ZAP DAST zip report | ZAP_DAST_ZIP | Zap DAST report in zip format that matches the format returned from Zap's GitHub Action |
See below an example on how to use them in your contract or refer to this guide to learn more about how to use them.
skynet.contract.yaml
schemaVersion: v1
# Arbitrary set of annotations can be added to the contract and will be part of the attestation
annotations:
- name: version
value: oss # if the value is left empty, it will be required and resolved at attestation time
# https://docs.chainloop.dev/reference/operator/material-types
materials:
# CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest
- type: CONTAINER_IMAGE
name:
skynet-control-plane
# The output flag indicates that the material will be part of the attestation subject
output: true
# Arbitrary annotations can be added to the material
annotations:
- name: component
value: control-plane
# The value can be left empty so it can be provided at attestation time
- name: asset
# ARTIFACT kinds will first get uploaded to your artifact registry via the built-in Content Addressable Storage (CAS)
# Optional dockerfile
- type: ARTIFACT
name: dockerfile
optional: true
# SBOMs will be uploaded to the artifact registry and referenced in the attestation
# Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
- type: SBOM_CYCLONEDX_JSON
name: skynet-sbom
# CSAF_VEX and OPENVEX are supported
- type: OPENVEX
name: disclosure
# And static analysis reports in SARIF format
- type: SARIF
name: static-out
# or additional tools
- type: TWISTCLI_SCAN_JSON
name: scan-result
# https://docs.chainloop.dev/reference/policies
policies:
materials: # policies applied to materials
- ref: file://cyclonedx-licenses.yaml
attestation: # policies applied to the whole attestation
- ref: https://github.com/chainloop/chainloop-dev/blob/main/docs/examples/policies/chainloop-commit.yaml # (2)
# Env vars we want the system to resolve and inject during attestation initialization
# Additional ones can be inherited from the specified runner context below
envAllowList:
- CUSTOM_VAR
# Enforce in what runner context the attestation must happen
# If not specified, the attestation crafting process is allowed to run anywhere
runner:
type: "GITHUB_ACTION"