v0.19.1
Like Swiss clockwork, we are on time for another feature-packed Chainloop release, among the highlights we got...
SARIF, OpenVEX and CSAF VEX support
Chainloop now has first-class support for SARIF, OpenVEX and CSAF VEX files as pieces of evidence. This means that these files a) are validated when provided, b) are uploaded to the CAS and injected into the attestation, and c) can be consumed by third-party integrations :)
To require these pieces of evidence in your attestation, update your contract with something like:
```yaml
schemaVersion: v1
materials:
  # CSAF_VEX and OPENVEX are supported
  - type: OPENVEX
    name: disclosure
  # And static analysis reports in SARIF format
  - type: SARIF
    name: static-out
```
You can see a full contract example and learn more about these and other material types here
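To make the "validated, then content-addressed" flow concrete, here is an added example (written for this page, not Chainloop's own code) that recognises the three new material types from their distinguishing structural markers, rejects anything else, and returns the sha256 content address the raw bytes would be stored under in a CAS. The sample documents are constructed; the checks are the minimal markers from each format rather than full schema validation, and a CSAF advisory that is not the VEX profile is included to show it being rejected.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MaterialKind mirrors the material `type` values used in the contract above.
type MaterialKind string

const (
	KindOpenVEX MaterialKind = "OPENVEX"
	KindCSAFVEX MaterialKind = "CSAF_VEX"
	KindSARIF   MaterialKind = "SARIF"
)

// Material is the outcome of accepting a piece of evidence: the kind it was
// recognised as and the content address (sha256 of the raw bytes) it would
// be stored and referenced under in a CAS.
type Material struct {
	Kind   MaterialKind
	Digest string // "sha256:<hex>"
}

// Validate parses the document, checks the structural markers that identify
// it as OpenVEX, CSAF VEX or SARIF, and returns its content address. Anything
// malformed or unrecognised is rejected before it could reach storage.
func Validate(doc []byte) (Material, error) {
	var m map[string]any
	if err := json.Unmarshal(doc, &m); err != nil {
		return Material{}, fmt.Errorf("not valid JSON: %w", err)
	}
	kind, err := classify(m)
	if err != nil {
		return Material{}, err
	}
	sum := sha256.Sum256(doc) // hash the bytes as given, never a re-serialisation
	return Material{Kind: kind, Digest: "sha256:" + hex.EncodeToString(sum[:])}, nil
}

// classify applies one distinguishing check per format. These are minimal
// markers taken from each specification, not a full schema validation.
func classify(m map[string]any) (MaterialKind, error) {
	// OpenVEX is JSON-LD with an openvex.dev @context and a statements array.
	if ctx, ok := m["@context"].(string); ok && strings.Contains(ctx, "openvex.dev") {
		if _, ok := m["statements"].([]any); !ok {
			return "", errors.New("openvex: missing statements array")
		}
		return KindOpenVEX, nil
	}
	// SARIF documents carry version "2.1.0" and a runs array.
	if v, ok := m["version"].(string); ok && v == "2.1.0" {
		if _, ok := m["runs"].([]any); !ok {
			return "", errors.New("sarif: missing runs array")
		}
		return KindSARIF, nil
	}
	// CSAF is a family of profiles; only the VEX profile is accepted here.
	if d, ok := m["document"].(map[string]any); ok {
		if cat, _ := d["category"].(string); cat == "csaf_vex" {
			return KindCSAFVEX, nil
		}
		return "", fmt.Errorf("csaf: unsupported document category %v", d["category"])
	}
	return "", errors.New("unrecognised material: not OpenVEX, CSAF VEX or SARIF")
}

// Constructed sample documents (not real advisories or scanner output).
const (
	sampleOpenVEX = `{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://example.com/vex/constructed-1",
"author":"example-vendor","timestamp":"2023-10-01T00:00:00Z","version":1,
"statements":[{"vulnerability":{"name":"CVE-0000-0000"},"status":"not_affected","justification":"vulnerable_code_not_present"}]}`
	sampleCSAFVEX = `{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"constructed VEX"},"vulnerabilities":[]}`
	sampleSARIF   = `{"version":"2.1.0","$schema":"https://json.schemastore.org/sarif-2.1.0.json",
"runs":[{"tool":{"driver":{"name":"example-scanner"}},"results":[]}]}`
	// Valid CSAF, but the advisory profile rather than VEX: must not pass as CSAF_VEX.
	sampleCSAFAdvisory = `{"document":{"category":"csaf_security_advisory","csaf_version":"2.0","title":"constructed advisory"}}`
)

func main() {
	for name, doc := range map[string]string{
		"openvex": sampleOpenVEX, "csaf_vex": sampleCSAFVEX, "sarif": sampleSARIF, "csaf_advisory": sampleCSAFAdvisory,
	} {
		m, err := Validate([]byte(doc))
		if err != nil {
			fmt.Printf("%-14s rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-14s accepted as %s -> %s\n", name, m.Kind, m.Digest)
	}
}
```

The digest is taken over the bytes exactly as received, so the same file always maps to the same address regardless of which CAS backend holds it; normalising or re-encoding before hashing would break that property and let two different inputs collide on the same reference.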
Azure Blob Storage support as Content Addressable Storage (CAS) #357
In addition to OCI-based CAS backends, you can now also configure an Azure Blob Storage Account as the destination for all your SDLC pieces of evidence (SBOMs, artifacts, test results, VEX files) and attestations.
Below you can see a screenshot of how these artifacts look in Azure. The nice part is that Chainloop takes care of the nitty-gritty details specific to Azure (metadata, naming, tampering checks), so for you, as a user, nothing has changed: you reference the asset through its sha256 checksum as usual. Ahh, and this works across multiple backends :)
This new feature is now available in the Chainloop CLI
```
$ chainloop cas-backend ls
┌──────────────────────────────────────┬─────────────────────────────────────┬───────────┬─────────────────────────────────────┬───────────────┬─────────┐
│ ID                                   │ LOCATION                            │ PROVIDER  │ DESCRIPTION                         │ LIMITS        │ DEFAULT │
├──────────────────────────────────────┼─────────────────────────────────────┼───────────┼─────────────────────────────────────┼───────────────┼─────────┤
│ 2fc43734-a8e8-4d17-a790-3365e4da8af4 │ chainloop/chainloop                 │ AzureBlob │                                     │ MaxSize: 100M │ true    │
├──────────────────────────────────────┼─────────────────────────────────────┼───────────┼─────────────────────────────────────┼───────────────┼─────────┤
...
```
To learn more about how to set up your Azure Storage Account, please take a look at our docs.
What's Changed
- Bump Helm Chart Version => v0.18.0 by @github-actions in #345
- fix: least privilege support in automated workflows by @migmartri in #347
- [StepSecurity] Apply security best practices by @step-security-bot in #346
- feat: Split Sentry configuration for individual services by @cristiangauma in #355
- chore: upgrade golang to 1.21 by @jiparis in #349
- Create SECURITY.md by @migmartri in #348
- fix: add pinned dependencies by @migmartri in #354
- feat: CSAF VEX / OpenVEX material type support by @migmartri in #356
- chore: add OpenSSF scorecard by @migmartri in #358
- refactor(CAS proxy): multiple CAS backend providers support by @migmartri in #359
- feat: add SARIF format support by @migmartri in #362
- feat(cas): Azure Blob Storage support by @migmartri in #360
- Bump Helm Chart Version => v0.19.0 by @github-actions in #363
- fix(deployment): wrong labeling templating by @migmartri in #364
- fix(attestation): generic normalization function by @migmartri in #367
- fix: extend http download timeout by @migmartri in #369
New Contributors
- @cristiangauma made their first contribution in #355
- @jiparis made their first contribution in #349
Full Changelog: v0.18.0...v0.19.1