The following functionality is considered experimental and subject to change.
When extended by the experimental platform plugin, Chainloop CLI can gather runner context: it automatically collects and analyzes your CI/CD environment configuration directly from your CI/CD pipelines. This gives visibility into your repository’s security posture by examining the branch protection rules, pull request requirements, and commit policies that govern your development workflow. By querying the CI/CD platform’s API, Chainloop captures real-time configuration data that reflects your current repository settings, without manual input or configuration, and stores it alongside the other materials included in the attestation.
When executed within a CI/CD environment, the context gathering feature automatically discovers and documents the branch protection settings applied to your repository. This includes details about required status checks, restrictions on who can push to protected branches, dismissal policies for stale reviews, and enforcement settings for administrators. The tool also captures pull request protection configurations such as required reviewers, review dismissal rules, and branch update requirements that must be satisfied before merging. Commit protection details are gathered as well, including signing requirements, status check policies, and any custom protection rules that have been configured.
This automated runner context collection serves multiple purposes within your software supply chain security strategy. The gathered information becomes part of your attestation data, providing auditable evidence of the security controls that were in place during your build and deployment processes. Security teams can use this data to verify compliance with organizational policies, while development teams gain visibility into the protection mechanisms safeguarding their code.
The context data integrates with Chainloop’s broader attestation framework, ensuring that your repository’s security configuration becomes a permanent, verifiable record alongside your build artifacts and deployment metadata.
The Chainloop platform plugin currently supports GitHub Actions.

Gathering Runner Context

Gathering the CI/CD runner context requires a few steps:

Installing Chainloop CLI with the Experimental Platform Plugin

The first step is to install Chainloop CLI with the experimental platform plugin. You can learn more about installing Chainloop CLI here or just run the following command:
curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --with-platform-plugin
The above command will install the latest version of Chainloop CLI with the latest version of the experimental platform plugin.

Create the Access Token

The second step is to create an access token for Chainloop. To gather the comprehensive runner context, the Chainloop platform plugin requires an access token with the appropriate access level.
For GitHub, create a fine-grained token with the Administration permission set to read.
Once generated, store the personal access token in your CI/CD secrets. We’ve used the ADMIN_PERSONAL_ACCESS_TOKEN secret name.

Request Runner Context During Build

The third step is to request the runner context during the build process. This can be done by adding the following command to your CI/CD pipeline:
chainloop gather-runner-context --runner-token ${{ secrets.ADMIN_PERSONAL_ACCESS_TOKEN }}
The above command will request the runner context data and store it in a file called runner-context.json.

Add the Runner Context to the Attestation

The fourth step is to add the runner context to the attestation. This can be done by adding the following command to your CI/CD pipeline:
chainloop att add --value ./runner-context.json --kind CHAINLOOP_RUNNER_CONTEXT 
And that’s it, you are ready.
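The four steps combined into one GitHub Actions workflow, as an added example that is not part of the original documentation. The workflow and job names, the CHAINLOOP_TOKEN secret, and the `att init` / `att push` steps with their placeholder workflow and project names are assumptions taken from a typical Chainloop attestation flow; the admin-read token is passed through an environment variable instead of being interpolated into the script text.

```yaml
name: build-with-runner-context        # constructed name
on:
  push:
    branches: [main]

permissions:
  contents: read    # keep GITHUB_TOKEN minimal; the admin-read PAT is a separate secret

jobs:
  attest:
    runs-on: ubuntu-latest
    env:
      # Assumption: Chainloop API token stored as a repository secret.
      CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      # Step 1: CLI plus the experimental platform plugin (command from this page).
      - name: Install Chainloop CLI
        run: curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --with-platform-plugin

      # Assumption: an attestation has to be open before materials are added.
      # my-workflow / my-project are placeholders, not values from this page.
      - name: Start attestation
        run: chainloop att init --workflow my-workflow --project my-project

      # Steps 2 and 3: the fine-grained token (Administration: read) is scoped to
      # this step only and reaches the shell as an environment variable.
      - name: Gather runner context
        env:
          RUNNER_TOKEN: ${{ secrets.ADMIN_PERSONAL_ACCESS_TOKEN }}
        run: chainloop gather-runner-context --runner-token "$RUNNER_TOKEN"

      # Step 4: attach runner-context.json to the attestation (command from this page).
      - name: Add runner context to the attestation
        run: chainloop att add --value ./runner-context.json --kind CHAINLOOP_RUNNER_CONTEXT

      # Assumption: the attestation is signed and pushed once all materials are added.
      - name: Push attestation
        run: chainloop att push
```

Scoping the token to the single step that needs it keeps it out of the environment of the install and push steps.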