Chainloop supports the following pieces of evidence types that can be attached during the attestation process.
Name | ID | Description |
ARTIFACT | It represents a software artifact. | |
ATTESTATION | Existing Chainloop attestations. | |
BLACKDUCK_SCA_JSON |
| |
CONTAINER_IMAGE | A reference to a container image. It will get resolved and referenced by its sha | |
CSAF_INFORMATIONAL_ADVISORY |
| |
CSAF_SECURITY_ADVISORY |
| |
CSAF_SECURITY_INCIDENT_RESPONSE |
| |
CSAF_VEX |
| |
EVIDENCE | Custom piece of evidence that doesn't fit in any other category, for instance, an approval report in json format, etc. | |
GHAS_CODE_SCAN |
| |
GHAS_DEPENDENCY_SCAN |
| |
GHAS_SECRET_SCAN |
| |
GITLAB_SECURITY_REPORT | Gitlab Security reports in JSON format | |
HELM_CHART | A released Helm chart in tarball format | |
JACOCO_XML |
| |
JUNIT_XML |
| |
OPENVEX | Open Vulnerability and Exposure eXchange (OpenVEX) format | |
SARIF |
| |
SBOM_CYCLONEDX_JSON | A CycloneDX Software Bill of Materials (SBOM) in JSON format | |
SBOM_SPDX_JSON | An SPDX Software Bill of Materials (SBOM) in JSON format | |
STRING |
| |
TWISTCLI_SCAN_JSON |
| |
ZAP_DAST_ZIP | Zap DAST report in zip format that matches the format returned from Zap's GitHub Action |
See below an example on how to use them in your contract or refer to this guide to learn more about how to use them.
skynet.contract.yaml
schemaVersion: v1
# Arbitrary set of annotations can be added to the contract and will be part of the attestation
annotations:
- name: version
value: oss # if the value is left empty, it will be required and resolved at attestation time
# https://docs.chainloop.dev/reference/operator/material-types
materials:
# CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest
- type: CONTAINER_IMAGE
name:
skynet-control-plane
# The output flag indicates that the material will be part of the attestation subject
output: true
# Arbitrary annotations can be added to the material
annotations:
- name: component
value: control-plane
# The value can be left empty so it can be provided at attestation time
- name: asset
# ARTIFACT kinds will first get uploaded to your artifact registry via the built-in Content Addressable Storage (CAS)
# Optional dockerfile
- type: ARTIFACT
name: dockerfile
optional: true
# SBOMs will be uploaded to the artifact registry and referenced in the attestation
# Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
- type: SBOM_CYCLONEDX_JSON
name: skynet-sbom
# CSAF_VEX and OPENVEX are supported
- type: OPENVEX
name: disclosure
# And static analysis reports in SARIF format
- type: SARIF
name: static-out
# or additional tools
- type: TWISTCLI_SCAN_JSON
name: scan-result
# https://docs.chainloop.dev/reference/policies
policies:
materials: # policies applied to materials
- ref: file://cyclonedx-licenses.yaml
attestation: # policies applied to the whole attestation
- ref: https://github.com/chainloop/chainloop-dev/blob/main/docs/examples/policies/chainloop-commit.yaml # (2)
# Env vars we want the system to resolve and inject during attestation initialization
# Additional ones can be inherited from the specified runner context below
envAllowList:
- CUSTOM_VAR
# Enforce in what runner context the attestation must happen
# If not specified, the attestation crafting process is allowed to run anywhere
runner:
type: "GITHUB_ACTION"