Built-in material types

Chainloop supports the following pieces of evidence types that can be attached during the attestation process.
NameIDDescription
Artifact TypeARTIFACTIt represents a software artifact.
AttestationATTESTATIONExisting Chainloop attestations.
BlackDuck SCABLACKDUCK_SCA_JSON
Container Image ReferenceCONTAINER_IMAGEA reference to a container image. It will get resolved and referenced by its sha
CSAF Informational AdvisoryCSAF_INFORMATIONAL_ADVISORY
CSAF Security AdvisoryCSAF_SECURITY_ADVISORY
CSAF Security Incident ReportCSAF_SECURITY_INCIDENT_RESPONSE
CSAF VEXCSAF_VEX
Custom Evidence TypeEVIDENCECustom piece of evidence that doesn’t fit in any other category, for instance, an approval report in json format, etc.
GitHub Advanced Security Code scansGHAS_CODE_SCAN
GitHub Advanced Security Dependency scansGHAS_DEPENDENCY_SCAN
GitHub Advanced Security Secret scansGHAS_SECRET_SCAN
GitLab Security reportGITLAB_SECURITY_REPORTGitLab Security reports in JSON format
Helm ChartHELM_CHARTA released Helm chart in tarball format
JaCoCo XML ReportJACOCO_XML
JUnitJUNIT_XML
OpenVEXOPENVEXOpen Vulnerability and Exposure eXchange (OpenVEX) format
SARIFSARIF
CycloneDX SBOMSBOM_CYCLONEDX_JSONA CycloneDX Software Bill of Materials (SBOM) in JSON format
SPDX SBOMSBOM_SPDX_JSONAn SPDX Software Bill of Materials (SBOM) in JSON format
Key-Value metadata pairsSTRING
PrismaCloud Twistcli ScanTWISTCLI_SCAN_JSON
ZAP DAST zip reportZAP_DAST_ZIPZap DAST report in zip format that matches the format returned from Zap’s GitHub Action
SLSA provenance attestationSLSA_PROVENANCESLSA provenance file generated by GitHub or upstream slsa-generator
Chainloop Runner ContextCHAINLOOP_RUNNER_CONTEXTRepresents the runner context in which the attestation is crafted in a JSON format
See below an example on how to use them in your contract or refer to this guide to learn more about how to use them.
skynet.contract.yaml
schemaVersion: v1
# Arbitrary set of annotations can be added to the contract and will be part of the attestation
annotations:
  - name: version
    value: oss # if the value is left empty, it will be required and resolved at attestation time

# https://docs.chainloop.dev/concepts/operator/material-types
materials:
  # CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest
  - type: CONTAINER_IMAGE
    name:
      skynet-control-plane
      # The output flag indicates that the material will be part of the attestation subject
    output: true
    # Arbitrary annotations can be added to the material
    annotations:
      - name: component
        value: control-plane
      # The value can be left empty so it can be provided at attestation time
      - name: asset
  # ARTIFACT kinds will first get uploaded to your artifact registry via the built-in Content Addressable Storage (CAS)
  # Optional dockerfile
  - type: ARTIFACT
    name: dockerfile
    optional: true
  # SBOMs will be uploaded to the artifact registry and referenced in the attestation
  # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
  - type: SBOM_CYCLONEDX_JSON
    name: skynet-sbom
  # CSAF_VEX and OPENVEX are supported
  - type: OPENVEX
    name: disclosure
  # And static analysis reports in SARIF format
  - type: SARIF
    name: static-out
  # or additional tools
  - type: TWISTCLI_SCAN_JSON
    name: scan-result

# https://docs.chainloop.dev/concepts/policies
policies:
  materials: # policies applied to materials
    - ref: file://cyclonedx-licenses.yaml 
  attestation: # policies applied to the whole attestation
    - ref: https://github.com/chainloop/chainloop-dev/blob/main/docs/examples/policies/chainloop-commit.yaml # (2)

# Env vars we want the system to resolve and inject during attestation initialization
# Additional ones can be inherited from the specified runner context below
envAllowList:
  - CUSTOM_VAR

# Enforce in what runner context the attestation must happen
# If not specified, the attestation crafting process is allowed to run anywhere
runner:
  type: "GITHUB_ACTION"

Custom Material Types (Piece of Evidence)

In some cases, you might want to have your custom piece of evidence so you can attest them (as general purpose EVIDENCE material type) and run policies on them. Learn more about the recommended format in this guide.