In addition to the Rego builtin functions, Chainloop’s Rego engine has been enhanced with additional functions that can be used to interact with Chainloop APIs and features. All API calls to Chainloop services will use the same authentication context configured in the CLI (by using chainloop auth login or CHAINLOOP_TOKEN). This is the list of APIs supported currently:

chainloop.discover

Calls Chainloop’s Discover API. It’s the same as chainloop discover --digest sha256:foobar
Usage: chainloop.discover(digest, kind)
Arguments:
  • digest (string): artifact digest in the form of sha256:foobar
  • kind (string, optional): optional filter by kind to disambiguate
Returns: same payload as chainloop discover CLI call. A JSON with the artifact metadata and the list of referenced artifacts. Example:
{
   "digest": "sha256:79261a7ebb2955f1c54c092bee6ee0e16ad6d096ed51f599412a50b356b247c9",
   "kind": "CONTAINER_IMAGE",
   "downloadable": false,
   "public": true,
   "createdAt": "2025-11-19T10:37:45.937172Z",
   "references": [
      {
         "digest": "sha256:5319f1abba10ae602a92c0e4b5bfd6e59e6dcadaae68c57f0b55cc7ff96d7e57",
         "kind": "ATTESTATION",
         // ... other metadata
      },
      {
         "digest": "sha256:d0d10a109a55c16118c622daefd276a5641be81bb024e1f30eedbef3eb9b9c49",
         "kind": "ATTESTATION",
         // ... other metadata
      },
      {
         "digest": "sha256:ad71aa55f6016aa83a1418bdb1337a889f1df47173ec640813911f0cbb00d3b1",
         "kind": "ATTESTATION",
         // ... other metadata
      }
   ]
}
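An added usage example for chainloop.discover (not from Chainloop's documentation): a policy that reports a violation when a container image has no attestation among its references. The package name is hypothetical, input.args.digest is assumed to be supplied as a policy argument, and a failed lookup is assumed to leave the rule undefined, as OPA does by default for built-in errors.

```rego
package example.image_attested # hypothetical package name

import rego.v1

# Assumption: the image digest is passed in as a policy argument.
digest := input.args.digest

# The kind filter disambiguates a digest that is known under more than one kind.
# Assumption: if the lookup fails, this rule is undefined rather than halting evaluation.
artifact := chainloop.discover(digest, "CONTAINER_IMAGE")

# Digests of every ATTESTATION entry in the discover payload's references list.
attestation_digests contains ref.digest if {
  some ref in artifact.references
  ref.kind == "ATTESTATION"
}

# A missing argument is reported instead of silently skipping every check.
violations contains msg if {
  not input.args.digest
  msg := "Policy argument 'digest' is required"
}

# Fail closed: an unknown digest must not pass just because nothing could be checked.
violations contains msg if {
  not artifact
  msg := sprintf("Artifact '%s' was not found by chainloop.discover", [digest])
}

violations contains msg if {
  artifact.kind == "CONTAINER_IMAGE"
  count(attestation_digests) == 0
  msg := sprintf("Container image '%s' has no attestation among its references", [digest])
}
```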

chainloop.evidence

Lists evidence stored in the platform by querying the Evidence service (see API Reference - EvidenceService/List). Use this to retrieve evidence metadata across projects and workflows for compliance validation.
This feature is only available on Chainloop’s platform paid plans.
Usage: chainloop.evidence(filters)
Arguments:
  • filters (object): filter object with optional fields:
    • project_name (string, optional): name of the project to filter by
    • project_version_name (string, optional): name of the project version to filter by
    • kind (array of strings, optional): array of material types to filter by (e.g., ["SBOM_CYCLONEDX_JSON", "HELM_CHART"])
    • workflow_name (array of strings, optional): array of workflow names to filter by
    • search (string, optional): search term to filter evidence by name or subject name
    • latest (boolean, optional): if true, only the latest evidence for each kind and name is returned
    • hide_attestation (boolean, optional): if true, excludes attestation evidence from the results
    • product_id (string, optional): ID of the product to filter evidence by
    • product_version_id (string, optional): ID of the product version to filter evidence by
    • limit (number, optional): maximum number of results to return per page
Returns: object with evidence data. Example:
{
  "results": [
    {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "name": "my-helm-chart",
      "digest": "sha256:abc123...",
      "kind": "HELM_CHART",
      "subject_name": "myapp",
      "subject_version": "1.0.0",
      "annotations": {
        "key": "value"
      },
      "organization_id": "660e8400-e29b-41d4-a716-446655440000",
      "organization_name": "My Org",
      "workflow_id": "770e8400-e29b-41d4-a716-446655440000",
      "workflow_name": "build-pipeline",
      "workflow_run_id": "880e8400-e29b-41d4-a716-446655440000",
      "project_id": "990e8400-e29b-41d4-a716-446655440000",
      "project_name": "my-project",
      "project_version_id": "aa0e8400-e29b-41d4-a716-446655440000"
    }
  ]
}
Example usage:
violations contains msg if {
  ev := chainloop.evidence({
    "project_name": input.args.project_name,
    "kind": ["HELM_CHART"],
  })

  count(ev.results) == 0
  msg := sprintf("No HELM_CHART found for project '%s'", [input.args.project_name])
}

chainloop.project_compliance

Retrieves project-level compliance data (see API Reference - ComplianceService/Get project-level compliance evaluation) for all requirements. Use this to check compliance status for a project version.
This feature is only available on Chainloop’s platform paid plans.
Usage: chainloop.project_compliance(filters)
Arguments:
  • filters (object): filter object with:
    • project_version_id (string, required): UUID of the project version to check compliance for
    • framework_ids (optional): array of framework IDs. If not provided, returns requirements from all frameworks associated with the project version
    • limit (number, optional): maximum number of results to return per page
Returns: object with compliance evaluation data. Example:
{
  "evaluations": [
    {
      "requirement_id": "bb0e8400-e29b-41d4-a716-446655440000",
      "requirement_version_id": "cc0e8400-e29b-41d4-a716-446655440000",
      "requirement_revision": 1,
      "name": "sbom-required",
      "display_name": "SBOM Required",
      "description": "All builds must generate an SBOM",
      "project_version_id": "dd0e8400-e29b-41d4-a716-446655440000",
      "framework_id": "ee0e8400-e29b-41d4-a716-446655440000",
      "status": "fail",
      "created_at": "2025-12-10T10:00:00Z"
    }
  ]
}
Example usage:
violations contains msg if {
  ev := chainloop.project_compliance({
    "project_version_id": input.args.project_version_id,
  })

  some eval in ev.evaluations
  eval.status == "fail"
  msg := sprintf("Requirement '%s' is failing in project", [eval.name])
}

chainloop.evidence_prompt

Evaluates evidence using AI-powered analysis. The function sends evidence content along with a prompt to an AI agent for evaluation, enabling automated compliance checks such as license analysis, vulnerability assessment, or custom validation logic.
This feature is only available on Chainloop’s platform paid plans.
Usage: chainloop.evidence_prompt(evidence, prompt)
Arguments:
  • evidence (string): CAS digest (sha256:...) or raw evidence content to evaluate
  • prompt (string): the prompt to be passed on to the AI agent for evaluation
Returns: response object with the AI evaluation result. Example:
{
  "skipped": false,
  "violations": [
    "License 'AGPL-3.0' found in component 'libfoo' is not approved"
  ]
}
When the AI analysis is skipped (e.g., if the feature is not enabled), skipped will be true and violations will be empty.
Example usage:
# Call the evidence_prompt built-in function
prompt_result := chainloop.evidence_prompt(material.hash, "Analyze this SBOM for non-OSS licenses")

# Return violations from AI analysis
violations contains violation if {
  not prompt_result.skipped
  some violation in prompt_result.violations
}

chainloop.download_artifact

Downloads an artifact using the Chainloop CAS service. This lets you inject artifact content into the policy evaluation context. Note that binary content will be encoded as base64.
This feature is only available on Chainloop’s platform paid plans.
Usage: chainloop.download_artifact(digest)
Arguments:
  • digest (string): CAS digest (sha256:...) of the artifact to download
Returns: raw artifact content.
Example usage:
sbom_content := chainloop.download_artifact(input.args.digest)
parsed := json.unmarshal(sbom_content)

# Return violations from SBOM content
violations contains msg if {
    parsed.bomFormat != "CycloneDX"
    msg := "Only CycloneDX format is supported"
}