Show HN: Chainloop, A Software Supply Chain Attestation solution devs won't hate (github.com)
45 points by migmartri 1189 days ago
Hi, my name is Miguel and I am very happy to share what's been months worth of work :)

The project has rough edges for sure, but any early feedback, comments or concerns are appreciated!

=== The Problem ===

You work on the Security and Operations (SecOps) team in charge of your organization's Software Supply Chain Security. You feel pretty good about the state of things already: your developer teams are signing their commits and deliverables, scanning for vulnerabilities… Life is good!

Then you realize that you are not compliant with the latest security requirements. You get referred to slsa.dev and are told that you need to be at least level 3, whatever that means!

Aha! I “just” need to implement an attestation and artifact layer in our Software Supply Chain, which you complete after a couple of months of work.

Now to the easy part (or so you think): making the developer teams adopt it.

You quickly realize that standardizing best practices and security requirements is very hard. Development and SecOps team dynamics are clashy and poorly defined due to a mismatch in priorities. Also, from the developer's point of view, it's very time-consuming and frustrating to pollute your CI/CD systems with convoluted, error-prone and complex processes to comply with the SecOps team.

So there has to be a better way that satisfies both sides...

=== The Solution ===

Enter Chainloop. You can think of it as an API for your organization's Software Supply Chain that both parties can use to interact effectively to meet their mismatched priorities.

SecOps teams regain security compliance, visibility, standardization and control by having a mechanism to define and propagate attestation requirements. Developers, on the other hand, get jargon-free tooling that can be used to meet compliance with minimum friction and effort.

=== Give it a try ===

Eager for feedback from the community so please reach out. Happy to chat!

Thanks!

PS: You can see an attestation end-to-end demo here https://www.youtube.com/watch?v=Q_0dlBqKtIU&t=384s

2 comments

supply chain will have to be some kind of federated and distributed mechanism

there is absolutely no way a single startup can hope to be the single source of truth, that is a recipe for disaster just like we are now seeing with hub.docker.com

That's happening already: https://www.sigstore.dev/

Anyone who talks about supply chain and doesn't mention/integrate with sigstore hasn't done their homework, IMO.

hi, Chainloop developer here.

I completely agree with your comment. We might be doing a poor job at explaining what Chainloop is compared to Sigstore.

Chainloop is built on top of Sigstore's (among others) great OSS building blocks. We use cosign, in-toto and DSSE for generation and OCI for storing the attestations. It's true that today the signing is done using an asymmetric cosign key at the moment the attestation is crafted, but we have plans to implement keyless/identity signing and verification using Sigstore's Fulcio + Rekor.
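The reply above names the pieces of the signing path (an in-toto statement, a DSSE envelope, a long-lived asymmetric key). The Go program below is an added illustration of how those pieces fit together, written for this page; it is not Chainloop's or Sigstore's code, and the keyless Fulcio + Rekor mode mentioned in the reply is not shown. It uses only the standard library. The image name, digest, predicate type and predicate fields are constructed, illustrative values, and deriving the DSSE `keyid` as the sha256 of the DER-encoded public key is a convention assumed by this example, not something the DSSE spec requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type (
	// Statement is a minimal in-toto Statement (v1 layout): subjects plus a predicate.
	Statement struct {
		Type          string            `json:"_type"`
		Subject       []Subject         `json:"subject"`
		PredicateType string            `json:"predicateType"`
		Predicate     map[string]string `json:"predicate"`
	}
	Subject struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	}
	// Envelope is a DSSE envelope; each signature covers the PAE of payloadType and payload.
	Envelope struct {
		PayloadType string      `json:"payloadType"`
		Payload     string      `json:"payload"`
		Signatures  []Signature `json:"signatures"`
	}
	Signature struct {
		KeyID string `json:"keyid"`
		Sig   string `json:"sig"`
	}
)
const payloadType = "application/vnd.in-toto+json"

// pae builds the DSSE Pre-Authentication Encoding "DSSEv1 LEN(type) type LEN(body) body";
// signing it instead of the raw body binds the payload type to the signature.
func pae(ptype string, body []byte) []byte {
	return append([]byte(fmt.Sprintf("DSSEv1 %d %s %d ", len(ptype), ptype, len(body))), body...)
}

// keyID is the hex sha256 of the key's SubjectPublicKeyInfo (DER) encoding (example convention).
func keyID(pub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// SignStatement serialises st and signs its PAE with a long-lived ECDSA P-256 key.
func SignStatement(priv *ecdsa.PrivateKey, st Statement) (Envelope, error) {
	body, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	digest := sha256.Sum256(pae(payloadType, body))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID(&priv.PublicKey), Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// VerifyEnvelope recomputes the PAE from the envelope's own payloadType and payload and
// accepts it only if pub signed exactly that; the JSON body is parsed only after that succeeds.
func VerifyEnvelope(pub *ecdsa.PublicKey, env Envelope) (Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return Statement{}, err
	}
	digest := sha256.Sum256(pae(env.PayloadType, body))
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if s.KeyID != keyID(pub) || err != nil || !ecdsa.VerifyASN1(pub, digest[:], raw) {
			continue
		}
		var st Statement
		err = json.Unmarshal(body, &st)
		return st, err
	}
	return Statement{}, fmt.Errorf("no valid signature for key %s", keyID(pub))
}

// SampleStatement is a constructed attestation for a hypothetical image (illustrative values only).
func SampleStatement() Statement {
	return Statement{
		Type:          "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: "ghcr.io/example/app", Digest: map[string]string{"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}},
		PredicateType: "https://example.com/attestation/demo/v1",
		Predicate:     map[string]string{"builder": "ci-runner-42", "pipeline": "release.yml"},
	}
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	env, _ := SignStatement(priv, SampleStatement())
	_, err := VerifyEnvelope(&priv.PublicKey, env)
	fmt.Println("envelope verifies:", err == nil)
}
```

The point worth noticing is that the verifier never trusts the envelope's fields on their own: it rebuilds the PAE from the received `payloadType` and `payload`, so editing either one (a tampered statement, or the same bytes relabelled under another content type) changes the signed message and the signature no longer verifies. Parsing the JSON only after a signature checks out keeps untrusted input away from the decoder. With a long-lived key the weak spot moves to key custody and rotation, which is what the identity-based Fulcio + Rekor flow mentioned above is meant to address.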

Great stuff! Would love to know your take on Sigsum (sigsum.org) and also on how it compares to Sigstore ( https://git.sigsum.org/sigsum/tree/archive/2022-03-15-notes-... ).

I found that reading and the project itself fascinating but not sure about how solid the project/analysis is.

Thanks!

I am afraid I don't have a formed opinion on the sigsum project yet.

Thanks for the pointer though; it indeed looks interesting, and it might come in handy once we start the effort of adding a transparency log (i.e. Rekor) to Chainloop.

Chainloop is not designed nor implemented with that centralization concept in mind.

It is meant to run as any other OSS infrastructure piece in your Software Supply Chain. The source of truth that we describe is about providing organizations with a single mechanism to define, ingest and route metadata and artifacts to their final destination (e.g. Artifactory, an OCI registry, ...).

How do you plan to weed out the current players in the market?

One step at a time. First, let's make something people love :)