Compliance Frameworks and Requirements
Written by Miguel Martinez
Updated over 3 weeks ago

Compliance, Risk Management, and Release Management teams need a seamless way to communicate SDLC security and compliance requirements to development teams. This is critical in organizations with hundreds or thousands of different products.

Chainloop provides a convenient way to model Projects (software products) and Versions. Then, Compliance teams apply Requirements to these projects.

Requirements can be written in a high-level language, such as “container images must be signed,” “an AGPL license is forbidden,” “the software must be free from high-severity vulnerabilities,” or “code repositories must be configured with least-privilege access controls.”

Those requirements are grouped into Frameworks, which are attached to the Projects. Frameworks and requirements can come from internal compliance regulations but can also be mapped from well-known external standards and good practices. Some examples are the NIST SSDF and the European CRA. Frameworks and requirements can be:

  • Built-in: Chainloop provides a good set of pre-built frameworks and requirements that can be applied directly to projects or used as the basis for building custom ones. Built-in requirements can be used in custom frameworks or copied into custom requirements.

  • Custom: Organizations can manage their own private org-level frameworks and requirements.

Attach Frameworks to Projects

You can attach any existing compliance framework to any of your projects by editing them from the project view.

Once attached, a set of requirements and an overall compliance score will be shown for each of the attached frameworks.

Comply With Requirements

To comply with the pending requirements, you attach policies to your contracts and, when attaching each policy, list the requirements it covers in the form [framework-name]/[requirement-name].

In the example below, we are attaching three policies and making them part of two requirements.

Once you save the contract and evaluate the policies, the result will be associated with the referenced requirement.
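As an added illustration (not taken from the original article), the contract below attaches three policies and maps them to two requirements: two policies back the same requirement, the third backs another. The `schemaVersion`, `materials` types and the `policies` layout follow Chainloop's contract format; the `requirements` key name, the policy file names and the framework/requirement names are assumptions chosen for this example.

```yaml
schemaVersion: v1
materials:
  - name: image
    type: CONTAINER_IMAGE
  - name: sbom
    type: SBOM_CYCLONEDX_JSON
policies:
  materials:
    # Policy 1: container image must carry a signature.
    # "nist-ssdf/artifacts-signed" is an assumed framework/requirement name.
    - ref: file://image-signed.yaml
      requirements:
        - nist-ssdf/artifacts-signed
    # Policy 2: SBOM must not list AGPL-licensed components.
    # "internal-licensing/no-agpl" is an assumed framework/requirement name.
    - ref: file://no-agpl-license.yaml
      requirements:
        - internal-licensing/no-agpl
  attestation:
    # Policy 3: the attestation itself must be signed; it counts toward the
    # same requirement as policy 1, so one requirement is backed by two policies.
    - ref: file://attestation-signed.yaml
      requirements:
        - nist-ssdf/artifacts-signed
```

When the contract is saved and its policies evaluated, each policy result is associated with the requirement(s) it lists, and the framework's compliance score reflects them.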

Record Requirement Exceptions

When you attach a compliance framework to a project, a set of expected requirements will be tracked over time, building up your compliance and security posture.


In some scenarios, not all requirements can be met before performing a release, so in that case, an "exception" can be added to a specific requirement.


The exception will now be considered when calculating the compliance and security posture and recorded in the audit log.

