This feature is only available on Chainloop’s platform paid plans.
Important: A “project” is different from a “product”, and a “project version” is different from a “product version”. Project versions represent the version of the component, while product versions represent the version of the product. Products and project versions can evolve independently.
Products can be seen as a collection of projects (components) to enable product management capabilities and become an entry point to manage compliance, alerting, and user access configuration at scale. Products can be organized within Business Units, which are top-level organizational entities that help structure your organization by grouping related products together. This includes, but is not limited to, being able to:
  • Organize products within Business Units for better organizational structure and management
  • Attach frameworks at the product level, including applicability configuration, and get aggregated compliance reports.
  • Manage user access (RBAC) at the product level that can be used for product management functions, as well as giving users access to the underlying projects today.
  • (not yet available) Offer product release management capabilities that include the ability to track versions of a product that are linked to the versions of the underlying projects.

Creating a product

Products can be created only through the Chainloop UI.
  1. Navigate to the Products section in the left sidebar.
  2. Click on the Create Product button.
  3. Fill in the product details:
    • Name: The name of the product.
    • Description: A brief description of the product.
    • Business Unit (optional): Select a business unit to associate this product with for organizational purposes.
  4. Click on Create to finalize the product creation.
You can assign products to Business Units to organize them by department, division, or any other organizational structure that makes sense for your company.

Creating a product version

Product versions help you manage different releases or frozen states of your product. While creating a new version, you can select the projects and the versions it should contain, as well as enable the applicability configuration.

Configuring compliance applicability

The Compliance Applicability matrix allows you to define compliance applicability at the product level and tweak it down to the project level. This sounds complicated, but long story short, it allows compliance and product managers to mark frameworks as a whole or specific requirements as non-applicable (optionally providing a reasoning) for specific underlying projects, reducing the configuration burden.

Let’s see an example. Below, you can see a compliance applicability configuration for the compliance framework “Chainloop best practices.” On the left side, you can see the applicability for the whole product version (Chainloop Platform v1.235) and whether the underlying projects inherit or “override” the applicability.

At the product level, we are disabling the “helm-chart-signed” requirement, indicating the rationale. Further down, in the CLI, we indicate that the container-signed requirement does not apply to this project either.

Adding users and groups to a product

You can manage user access by clicking the “Manage members and groups” option within the product.
Users and groups can be added to the product with specific roles, such as Product Admin or Product Viewer.
  • Product Admins have full access to manage the product, including attaching compliance frameworks and managing user access.
  • Product Viewers have read-only access to the product and its associated projects, unless they have a specific project role that grants them additional permissions.

Editing products

Select “Edit Product” in the product menu to edit the product properties, including attaching additional compliance frameworks.

Release a version

At any time you can release a version of your product by clicking on the “Release” button in the product version menu. This will pin the underlying projects to the current version, in practice creating a snapshot of the product compliance posture.

Compliance Overview

The Compliance Overview tab in the product view provides a comprehensive view of all compliance frameworks and requirements associated with your product version. This centralized dashboard allows you to monitor compliance status across all underlying projects and drill down into specific requirements.

Key Features

  • Framework-level visibility - View all compliance frameworks attached to the product with overall status
  • Requirement drill-down - Expand requirements to see detailed information and rationale
  • Project breakdown - See which underlying projects are passing or failing each requirement through the “Project Breakdown” expandable section
  • Filtering capabilities - Filter by Framework, Status (All/Passing/Failing), and Check Type (Any/Automated/Manual)
  • Status indicators:
    • Green checkmark: Requirement is passing across all applicable projects
    • Yellow warning: Requirement has mixed results (some projects passing, some failing)
    • Gray: No evaluation data available
  • Evaluation timestamps - See when each requirement was last evaluated
This view enables product managers and compliance teams to understand the overall compliance posture of a product and quickly identify which projects need attention for specific requirements.
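The following is an added example, not Chainloop code or its data model: a small Python model of the inherit/override applicability described under “Configuring compliance applicability”, combined with the status indicators listed above. The requirement “sbom-present”, the project names, the rationale text, and the handling of unevaluated and all-failing projects are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Applicability:
    applicable: bool
    rationale: str = ""  # optional, as on the page

# Constructed sample data. "helm-chart-signed" and "container-signed" come
# from the page; "sbom-present", the project names and the rationale text
# are hypothetical.
PRODUCT_LEVEL = {
    "helm-chart-signed": Applicability(False, "constructed: product ships no Helm chart"),
}
PROJECT_OVERRIDES = {
    "cli": {"container-signed": Applicability(False)},  # constructed: no rationale recorded
}

def resolve(requirement, project):
    """A project-level override wins; otherwise inherit the product-level setting."""
    override = PROJECT_OVERRIDES.get(project, {}).get(requirement)
    if override is not None:
        return override
    return PRODUCT_LEVEL.get(requirement, Applicability(True))

def rollup(requirement, results):
    """results maps project -> True (pass), False (fail) or None (never evaluated)."""
    applicable = [p for p in results if resolve(requirement, p).applicable]
    if not applicable:
        return "not-applicable"
    evaluated = [results[p] for p in applicable if results[p] is not None]
    if not evaluated:
        return "no-data"  # gray
    if all(evaluated):
        return "passing"  # green (assumption: unevaluated projects are ignored)
    # yellow when results are mixed; "failing" mirrors the Status filter value
    return "mixed" if any(evaluated) else "failing"

def exemptions_without_rationale():
    """Audit helper: (scope, requirement) pairs marked non-applicable with no reason."""
    found = [("product", r) for r, a in PRODUCT_LEVEL.items()
             if not a.applicable and not a.rationale]
    for project, overrides in PROJECT_OVERRIDES.items():
        found += [(project, r) for r, a in overrides.items()
                  if not a.applicable and not a.rationale]
    return found
```

In this model a failing result in a project marked non-applicable does not affect the product-level status, which is why exemptions recorded without a rationale are worth reviewing.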

Evidence Tab

The Evidence tab in the product view provides a comprehensive view of all pieces of evidence associated with a specific product version and its underlying projects. This centralized location allows you to inspect and filter all the materials that have been collected through attestations across all projects within the product.

Filtering Evidence

The Evidence tab supports filtering by Material Type, making it easy to focus on specific types of evidence:
  • Artifacts - Software artifacts, container images, Helm charts, and generic artifacts
  • Provenance - Supply chain provenance and attestation data
  • SBOMs - Software Bill of Materials in CycloneDX and SPDX formats
  • VEX Documents - Vulnerability exploitability assessments in OpenVEX and CSAF VEX formats
  • Vulnerability Reports - Vulnerability scan results in SARIF format
This view helps security and compliance teams quickly access and review all evidence for a product version, supporting audit and compliance workflows at the product level.