Releases: chainloop-dev/chainloop
v0.16.0
Highlights
CAS Artifact download endpoint
You can now download any attestation or artifact uploaded to the CAS by accessing the download endpoint and providing the sha256 of the asset.
Improved GKE support
@zaibon has done an incredible job improving the Helm Chart to run natively in GKE, which includes GCP secret manager, cloud-sql proxy and GCP ingress support!
Shoutout
Shoutout to our 2 new contributors @zaibon and @miguelaeh, thanks and welcome!
Changelog
- e04db41 feat(deployment): support downloading redirect (#310)
- f36a986 feat(controlplane): CAS download endpoint (#307)
- 5335cda feat(controlplane): upload attestation to CAS (#308)
- 126f47b fix(deployment): chart should work with old version of code (#306)
- 35ff398 feat(deployment): expose HTTP server for CAS (#305)
- 9853beb feat(cas): download endpoint (#294)
- a7bb2a5 feat(deployment): allow to configure annotations of controlplane service (#301)
- 5bde39e chore(chart): release chart with GCP secret manager fix (#299)
- 4cb7b0c fix(deployment): include cloud-sql auth proxy in migration job when needed (#300)
- 6118412 feat(slack): truncate message (#292)
- b6b2fe7 fix(deployment): properly expose service account key for secret manager (#296)
- f6ec84d feat: show annotations in notifications (#289)
- 2255ac9 chore: bump chainloop to v0.15.0 (#288)
- 1d6a571 chore(ci): update Chainloop contract (#283)
- 9ecf1aa chore: Bump Chart Version v0.15.0 (#286)
v0.15.0
Highlights
Azure DevOps Pipelines Support
Official support for Azure DevOps Pipelines has been added to Chainloop. Learn more about what this means here
Annotations and dynamic integration routing
You can now define custom annotations in your Contract that will be required at attestation time. These annotations can be attached either to the attestation globally or to materials individually. They end up encoded in the attestation and can also be used to dynamically configure integrations #252
Example of contract with annotations
{
  "schemaVersion": "v1",
  "annotations": [
    {
      "name": "branch",
      "value": "stable"
    }
  ],
  "materials": [
    {
      "type": "SBOM_CYCLONEDX_JSON",
      "name": "controlplane-sbom",
      "annotations": [
        {
          "name": "component",
          "value": "controlplane"
        }
      ]
    },
    {
      "type": "SBOM_CYCLONEDX_JSON",
      "name": "cas-sbom",
      "annotations": [
        {
          "name": "component",
          "value": "cas"
        }
      ]
    }
  ]
}
These annotations will then be added to the in-toto attestation, like this:
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "chainloop.dev/attestation/v0.2",
  ..
  ],
  "predicate": {
    "annotations": {
      "branch": "stable"
    },
    ...
    "materials": [
      {
        "annotations": {
          "chainloop.material.cas": true,
          "chainloop.material.name": "cas-sbom",
          "chainloop.material.type": "SBOM_CYCLONEDX_JSON",
          "component": "cas"
        },
        "digest": {
          "sha256": "ebe2e6ffab93f4b2e2743d3557bd094427ea059adc78cfe2cd330a72f61731e8"
        },
        "name": "sbom.cp.cyclonedx.json"
      },
      {
        "annotations": {
          "chainloop.material.cas": true,
          "chainloop.material.name": "controlplane-sbom",
          "chainloop.material.type": "SBOM_CYCLONEDX_JSON",
          "component": "controlplane"
        },
        "digest": {
          "sha256": "ebe2e6ffab93f4b2e2743d3557bd094427ea059adc78cfe2cd330a72f61731e8"
        },
        "name": "sbom.cp.cyclonedx.json"
      }
    ],
    "metadata": {
      ...
    }
  }
}
and then they can be used during Dependency-Track integration attachment to dynamically generate a project name
$ chainloop attached add --workflow ... --integration ... --opt projectName="{{.Material.Annotations.component}}-{{ .Attestation.Annotations.branch }}"
pushing both SBOMs to their respective projects
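How the projectName template above resolves against the attestation's annotations, as an added Go example that is not Chainloop's own code. It assumes the option is expanded with Go's text/template once per material; `projectNames`, `templateData` and the trimmed sample predicate are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// Constructed sample: the predicate from the release notes, trimmed to annotations.
const samplePredicate = `{
  "annotations": {"branch": "stable"},
  "materials": [
    {"annotations": {"chainloop.material.cas": true,
      "chainloop.material.name": "cas-sbom", "component": "cas"}},
    {"annotations": {"chainloop.material.cas": true,
      "chainloop.material.name": "controlplane-sbom", "component": "controlplane"}}
  ]
}`

type annotations map[string]any

type predicate struct {
	Annotations annotations `json:"annotations"`
	Materials   []struct {
		Annotations annotations `json:"annotations"`
	} `json:"materials"`
}

// templateData mirrors the two roots used in the --opt projectName template.
// The struct itself is hypothetical, not Chainloop's internal type.
type templateData struct {
	Material    struct{ Annotations annotations }
	Attestation struct{ Annotations annotations }
}

// projectNames renders tmplText once per material and returns the names in
// attestation order. A missing annotation is an error rather than "<no value>".
func projectNames(predicateJSON, tmplText string) ([]string, error) {
	var p predicate
	if err := json.Unmarshal([]byte(predicateJSON), &p); err != nil {
		return nil, fmt.Errorf("parsing predicate: %w", err)
	}
	t, err := template.New("projectName").Option("missingkey=error").Parse(tmplText)
	if err != nil {
		return nil, fmt.Errorf("parsing template: %w", err)
	}
	names := make([]string, 0, len(p.Materials))
	for i, m := range p.Materials {
		var d templateData
		d.Material.Annotations = m.Annotations
		d.Attestation.Annotations = p.Annotations
		var buf bytes.Buffer
		if err := t.Execute(&buf, d); err != nil {
			return nil, fmt.Errorf("material %d: %w", i, err)
		}
		names = append(names, buf.String())
	}
	return names, nil
}

func main() {
	names, err := projectNames(samplePredicate,
		"{{.Material.Annotations.component}}-{{ .Attestation.Annotations.branch }}")
	fmt.Println(names, err)
}
```

Annotation keys that contain dots, such as chainloop.material.name, cannot be reached with the dotted field syntax in text/template; they need the form {{index .Material.Annotations "chainloop.material.name"}}.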
Other changes
The attestation UX has been improved with a simpler materials table that now includes annotations, splits the digest from the material type and makes better use of the vertical space :)
┌───────────────────────────────────────────────────────┐
│ Workflow │
├────────────────┬──────────────────────────────────────┤
│ ID │ 3e4ef02c-0f33-4248-84be-8a55ea2e3cb0 │
│ Name │ only-sbom │
│ Team │ │
│ Project │ foo │
├────────────────┼──────────────────────────────────────┤
│ Workflow Run │ │
├────────────────┼──────────────────────────────────────┤
│ ID │ 37b75984-be1e-459f-a52e-3af120c35861 │
│ Initialized At │ 31 Jul 23 11:40 UTC │
│ Finished At │ 31 Jul 23 11:40 UTC │
│ State │ success │
│ Runner Link │ │
├────────────────┼──────────────────────────────────────┤
│ Statement │ │
├────────────────┼──────────────────────────────────────┤
│ Payload Type │ application/vnd.in-toto+json │
│ Verified │ false │
└────────────────┴──────────────────────────────────────┘
┌───────────────────────────────────────────────────────────────────────────────────────┐
│ Materials │
├─────────────┬─────────────────────────────────────────────────────────────────────────┤
│ Name │ cas-sbom │
│ Type │ SBOM_CYCLONEDX_JSON │
│ Value │ sbom.cp.cyclonedx.json │
│ Digest │ sha256:ebe2e6ffab93f4b2e2743d3557bd094427ea059adc78cfe2cd330a72f61731e8 │
│ Annotations │ ------ │
│ │ component: cas │
├─────────────┼─────────────────────────────────────────────────────────────────────────┤
│ Name │ controlplane-sbom │
│ Type │ SBOM_CYCLONEDX_JSON │
│ Value │ sbom.cp.cyclonedx.json │
│ Digest │ sha256:ebe2e6ffab93f4b2e2743d3557bd094427ea059adc78cfe2cd330a72f61731e8 │
│ Annotations │ ------ │
│ │ component: controlplane │
└─────────────┴─────────────────────────────────────────────────────────────────────────┘
Changelog
- b2a5117 feat(dependency-track): support global annotations in project name (#285)
- d625c2f feat: global annotations support (#284)
- 1f82638 feat(dependecy-track): interpolated project name (#282)
- c78fb7e feat: Azure Devops Pipeline support (#276)
- 0945ae9 feat(attestation): allow runtime annotations (#281)
- e1672fa fix(dispatcher): do not fail if credentials are missing (#277)
- 5c9e84f feat(attestation): update status output (#280)
- c5b6a1b feat: custom annotations (#278)
- 0264f95 feat: do not fail on cas backend (#275)
- ac35f0a chore: remove OCI repository references (#274)
- 798e18c fix(slack): add empty line before escape lines (#270)
- 7913d64 chore(ci): check generated controlplane migrations (#257)
- be30ebf feat(deployment): enable SSL during migration (#267)
v0.14.0
Highlights
Inline CAS Backend
We've revamped the CAS backend support by:
- Enabling a first-class CLI interaction #223
- Adding built-in, default, inline CAS support #201: This means that you can start using Chainloop right away without the need to set up an actual CAS backend (i.e. an OCI repository).
$ chainloop cas-backend ls
┌──────────────────────────────────────┬─────────────────────────────────────┬──────────┬─────────────────────────────────────┬───────────────┬─────────┐
│ ID │ LOCATION │ PROVIDER │ DESCRIPTION │ LIMITS │ DEFAULT │
├──────────────────────────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┼───────────────┼─────────┤
│ 50536265-ba6f-4be2-87ce-1d584836832f │ │ INLINE │ Embed artifacts content in the atte │ MaxSize: 500K │ false │
│ │ │ │ station (fallback) │ │ │
├──────────────────────────────────────┼─────────────────────────────────────┼──────────┼─────────────────────────────────────┼───────────────┼─────────┤
│ c9858de4-bd9d-4a07-97a6-b24e49b03037 │ europe-west1-docker.pkg.dev/axiomat │ OCI │ │ MaxSize: 100M │ true │
│ │ ic-grove-366622/chainloop-cas │ │ │ │ │
└──────────────────────────────────────┴─────────────────────────────────────┴──────────┴─────────────────────────────────────┴───────────────┴─────────┘
Improved workflow onboarding
We're aware that the user experience for new users could be much better. That's why, apart from removing the CAS requirements via the inline backend described above, we are also simplifying the way you get started with a new workflow.
Now, with a single workflow create command, you will not only get the workflow and a contract, but also a robot account ready to be imported into your CI/CD system, for example
$ chainloop wf create --name openai-devel --project chainloop
┌──────────────────────────────────────┬──────────────┬───────────┬─────────────────────┬────────┬─────────────────┐
│ ID │ NAME │ PROJECT │ CREATED AT │ RUNNER │ LAST RUN STATUS │
├──────────────────────────────────────┼──────────────┼───────────┼─────────────────────┼────────┼─────────────────┤
│ 5bdd8f55-4a90-4fcc-a1ce-2c04ba887170 │ openai-devel │ chainloop │ 20 Jul 23 15:08 UTC │ │ │
└──────────────────────────────────────┴──────────────┴───────────┴─────────────────────┴────────┴─────────────────┘
This is automatically generated Robot Account Token (ID: 5637a326-ddf8-4d21-a8cf-1daf5c7e1f0c). Save the following token since it will not printed again:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.REDACTED.J_U-GmKGXO2yO8npF5XdBFlLHA4BQ4tpcm5Azzf_Ho8
Improved notifications experience #250
Slack, Discord and email plugins now send more information, and it is better formatted
Other changes
- The Chainloop control-plane image now runs Dependency-Track and Email as actual plugins, which are packaged as separate binaries for your security.
Have fun! 🎉
Changelog
- 3112af6 chore(ci): disable upx (#260)
- a039a64 Bump Chart Version v0.14.0 (#258)
- 9054ebc feat(cli): robot account automatically created during the workflow creation (#253)
- 51a93d0 fix(ci): pin go version (#256)
- 764e50f feat: add summary table in plugins SDK (#250)
- 0e4ed8e chore(plugins): enable smtp and dependency-track (#251)
- fc76074 feat: default inline CAS backend fallback (#247)
- 7c5572f feat: inline CAS backend support in client (#246)
- b5f58e7 chore: refactor cas backend providers (#243)
- 2cba9e0 feat(controlplane): soft-delete CAS backends (#242)
- d6e7b66 chore(ci): compress binaries (#241)
- e1ea11b feat(controlplane): update cas-backends (#240)
- 63d89d5 feat(controlplane): add OCI cas-backend (#239)
- e2dce30 feat(api): list cas-backends (#238)
- 6b408bb feat(controlplane): make cas-backend used during attestation immutable (#237)
- f3dec39 chore(controlplane): s/oci_repository/cas_backend/g (#236)
- 669878e docs(deployment): make links absolute (#235)
- df77436 docs: fix deployment example (#234)
- 6f7e079 feat(deployment): Add support for GCP secret manager to Helm charts (#225)
- 1267bdf feat(deployment): enable plugins (#233)
- ed21026 feat(deployment): perform database migrations (#222)
v0.13.0
Another great release, this one tuning the plumbing and foundations for new features to come!
Highlights
Plugins framework
We added support for fanOut integrations to become actual plugins. Read more here #207
Versioned migrations
We put in place versioned database migrations so we can have more control over DB schema changes. This is especially important for the upcoming changes related to CAS backends #223
Slack plugin
Send attestation information to Slack via webhooks.
$ chainloop integration available describe --id slack-webhook
┌───────────────┬─────────┬──────────────────────┬────────────────────────────┐
│ ID │ VERSION │ MATERIAL REQUIREMENT │ DESCRIPTION │
├───────────────┼─────────┼──────────────────────┼────────────────────────────┤
│ slack-webhook │ 1.0 │ │ Send attestations to Slack │
└───────────────┴─────────┴──────────────────────┴────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ Registration inputs │
├─────────┬──────────────┬──────────┬──────────────────────────┤
│ FIELD │ TYPE │ REQUIRED │ DESCRIPTION │
├─────────┼──────────────┼──────────┼──────────────────────────┤
│ webhook │ string (uri) │ yes │ URL of the slack webhook │
└─────────┴──────────────┴──────────┴──────────────────────────┘

Changelog
- 17c0867 fix(release): do not fail if we can not attest a material (#231)
- 3b5def0 feat(plugins SDK): implement go-plugin framework (#207)
- 53efa31 fix(cas): return 404 error if artifact does not exist (#227)
- 2e47bd8 feat: support SPDX 2.x (#218)
- bfd154b enhancement(controlplane): versioned migrations support (#220)
- 95f814f feat: Added Slack plugin (#217)
- 9f16aff feat(guac): add video to guide (#215)
- 6148918 chore(ci): Chainloop CLI to v0.12.0 (#214)
- d4b6736 Bump Chart Version v0.12.0 (#213)
v0.12.0
It's that time of the week when a new Chainloop release drops with some exciting features!
Highlights
guacsec/guac integration
We've added a preliminary version of the integration with Guac. This integration allows Chainloop users to automatically send attestation (DSSE envelopes / in-toto statements) and CycloneDX/SPDX Software Bill Of Materials (SBOMs) to a cloud storage bucket staging area. From there, GUAC can be configured to continuously monitor and inject that data.
Please refer to this Readme file for more information on how to use it. You can also find the list of available integrations here
FanOut dispatcher improvements
Our original integrations dispatcher had a somewhat naive operation mode #205. It invoked the integration code on each material separately. This prevented developers from implementing plugins that act on the aggregate.
Our new approach aggregates all the relevant pieces of evidence and sends them once. Then the developer can decide whether to act on the aggregate or not.
This new mode enables a myriad of possibilities. From backing up attestation and associated materials all in a transaction to notifying with multiple attachments. The sky is the limit 🚀
Changelog
- 771418e feat(integration): guacsec/guac integration (#211)
- 860e31e feat(integrations): new dispatcher mode (#206)
- 83762fe fix(docs): links in integrations table (#202)
- 1a618da docs(integrations): fix typos (#200)
- bdd1534 chore(docs): update integrations links and code blocks (#199)
- 98e3c5c docs: add list and how to use (#198)
- a52622b docs(integrations): list and initial user guide (#197)
- d9e11f4 docs(extensions): make links absolute (#196)
- 38f42c8 refactor(plugins): s/extension/plugin (#194)
- 6cc5906 feat: extensions readme generator (#191)
- 292d157 docs(extensions): improve some wording (#192)
- 2ca6151 docs(extensions): readme overview (#190)
- bd1c0eb Bump Chart Version v0.11.1 (#188)
- 8d0ea71 fix(ci): package chart only on changes main branch (#186)
v0.11.1
Highlights
Plugin Framework
This release includes a tech preview of our new Plugin Framework for fanout integrations (#38).
- End-User Documentation
- Plugin Framework Documentation
- How to create a new plugin?
- Chainloop Plugins on Github
New integrations
We updated our Dependency Track addon and added new integrations for Discord, OCI Registry, and SMTP.
Discord
By connecting Chainloop with Discord, teams can receive real-time notifications and updates on new attestations sent to Chainloop. This integration promotes collaboration, allowing development and SecOps teams to stay connected. Please refer to our README for more information.
Join our Discord Community Server and check our #activity channel to see this plugin in action.
OCI Registry
With Chainloop's new OCI Registry integration, you can store your attestations securely and reliably in multiple OCI registries. For compliance reasons, you may want to route attestations from different workflows to separate OCI registries. Please refer to our README for more information.
SMTP
Chainloop's SMTP plugin enables easy integration with email services, ensuring attestation notifications are sent to the relevant stakeholders. Please refer to our README for more information.
Attestations
Attestations are now stored in the database by default (#180).
Changelog
- 6beb879 fix(integration): do not fail if can't delete associate credentials (#187)
- 3e52722 fix: nil pointer guard when no attestation is present (#185)
- 22ed5a5 Bump Chart Version v0.11.0 (#181)
- b1767e6 feat(controlplane): store attestation in DB (#180)
- 59caa39 feat(extensions): add Discord extension and additional metadata (#177)
- b2309f2 feat(extensions): show required materials (#173)
- 15d7af7 feat(extensions sdk): add statement and predicate context (#175)
- 1ebea6d docs: Added the troubleshooting section and how to address the docker.sock issue on osx (#171)
- 6d5405e feat(extensions): OCI extension for attestation upload (#169)
- 0311143 feat(cli): reorganize attached integrations (#166)
- 5f69f4f feat(extensions): validate schema options (#167)
- 159b9bf feat(extensions): add description to fanout integration (#164)
- 587170a chore: update template descriptions (#163)
- 7809bc6 feat(extensions): detect duplicated extentions (#165)
- 9305355 feat(cli): Validate and show options during registration/attachment (#161)
- 700eb42 feat: Added SMTP extension (#159)
- 2ae0e82 feat(cli): list/describe available integrations (#154)
- 08adb57 fix: Choose the random port for HTTP Metrics in the development mode to fix the already-in-use port issues on OSX, refs #160
- 2654568 chore(cli): new registered namespace for integrations (#153)
- db5caf0 fix(extensions): documentation for template (#152)
- 5b87b5d chore(controlplane): rename display-name (#151)
- 873d84d chore(api): rename integration.Kind with integration.ExtensionID (#150)
- 918a90b feat(cli): generic integration register and attachment endpoints (#148)
- e20b883 feat(controlplane): list available extensions in the server (#149)
- 400fd77 feat(extension sdk): jsonSchema based input definition (#147)
- cc14230 feat(integrations): add registration display name (#146)
- 8625aea fix(dispatcher): only download materials that are in the CAS (#145)
- e25e6eb doc(integrations): create template (#144)
- 7afd4bd refactor(integrations sdk): UX improvements (#143)
- 682eb17 feat(third-party-integrations): generic dispatcher (#142)
- 3c8422f refactor(integrations): dynamic integrations loader (#141)
- be91c73 Bump Chart Version v0.10.0 (#140)
- 3e7c9d0 feat(third-party integrations): registration and attachment (#114)
v0.10.0
Highlights
This release includes
Shout-outs
Congratulations @gr0 for your first contribution! 🎉
Changelog
- 8c37df3 chore: upgrade secret-manager and grpc (#137)
- 1b2410f chore(deps): bump github.com/sigstore/rekor from 1.1.0 to 1.2.0 (#131)
- 795b91d chore(deps): upgrade kratos (#132)
- a0d3ad5 feat: Add support for JUnit XML material type (#135)
- d20db08 refactor(config): extract secret manager configuration (#133)
- 4f95fab chore(deps): bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#112)
- 707a62c chore: remove prefix from CAS (#130)
- 27077d1 feat: Add support for GCP Secret Manager (#124)
- 5b448c5 chore(pb): re-generate bindings using newer version of protoc-gen-go (#129)
- 8e9ccca chore: Update instructions with the new install.sh Github url (#128)
- a812ba2 chore(ci): check go mod tidiness (#126)
- fa993b9 chore(ci): enable cosign verification during chainloop installation (#119)
- 9087ea9 Bump Chart Version v0.9.1 (#118)
v0.9.1
v0.9.0
Highlights
This release includes
- A new version of the Chainloop attestation predicate (v0.2). It replaces the previous way of declaring materials in favor of in-toto v0.1 resource descriptors. See #60 for more information
- You can now customize your CLI to point by default to the Chainloop instance you might have deployed on your Kubernetes cluster
Shout-outs
Congratulations @danlishka for your first contribution! 🎉
Changelog
- ed28f86 feat(attestation): enable predicate chainloop.dev/attestation/v0.2 with in-toto ResourceDescriptors (#107)
- e4b5356 feat(cli): allow setting default values for Control Plane and CAS (#109)
- 90c6765 feat(attestation): in-toto 1.0 resource descriptor support (#103)
- 477087c chore: show validation error (#106)
- 4893e30 chore: upgrade cosign/dsse libraries (#102)
- 990496d fix: stabilize materials output (#100)
- ad2e64f docs(deployment): gke monitoring (#95)
- b817df8 chore(deployment): add default annotations to Helm Chart (#94)
- 5d35432 docs(deployment): how to guides (#92)
- 54aaa51 docs: update deployment image (#87)
- 053637d chore(controlplane): remove authURL deprecated code (#86)
- 573d221 chore(ci): bump chainloop attestation CLI (#85)
- 85a082c feat(chart): infer redirect schema (#84)
- d953e4a Bump Chart Version v0.8.99 (#83)
v0.8.99
Changelog
- 312b34a fix(ci): bump-chart-version call (#82)
- 88b42a5 feat: improve upstream URL support (#81)
- a3b09aa fix(deployment): hmac secret fix (#80)
- 83559e3 fix(deployment): wrong configuration keys (#79)
- c9c9a38 docs: add deployment instructions (#78)
- 9c4fc24 fix: spurious compute requests (#77)
- 0044608 chore: fix helm chart versioning (#76)
- 04a84ff feat(deployment): enable k8s QoS guaranteed (#75)
- 2756d00 feat(ci): package and push Helm Chart (#73)
- cf5b93f chore(deployment): Vendor Subcharts (#74)
- e20258f fix: close connection (#71)
- 342dd83 Bump Chart Version v0.8.98 (#72)