v0.30.0

@github-actions github-actions released this 09 Nov 12:37
· 1603 commits to main since this release
617a903

This release sets the stage for exciting new features coming to Chainloop.

Jenkins Support

@buccarel has added support for Jenkins in this new release 🙌🏼 🚀

Referrer API

You can now query Chainloop for the relationships between pieces of evidence, artifacts, and their associated attestations via a discover API #415

Conceptually, this is similar to what the OCI referrer API does but across all cas-backends and Chainloop organizations. In any case, we plan on propagating this index to OCI natively.

For example, let's say that you know a container image hashicorp/vault-k8s@sha256:4500e988b7ce9f10d25930ac2ea7e29fda6a0fe239e22be653a3ea0549a84a55. You can inspect which attestations this container image appears in.

$ chainloop discover -d sha256:4500e988b7ce9f10d25930ac2ea7e29fda6a0fe239e22be653a3ea0549a84a55
{
   "digest": "sha256:4500e988b7ce9f10d25930ac2ea7e29fda6a0fe239e22be653a3ea0549a84a55",
   "kind": "CONTAINER_IMAGE",
   "downloadable": false,
   "createdAt": "2023-11-09T13:33:08.059074Z",
   "references": [
      {
         "digest": "sha256:157cb0891dd6fa4df340471ba1e834b114bf845328cb2f6bfb0aa9acc6ec6f88",
         "kind": "ATTESTATION",
         "downloadable": true,
         "createdAt": "2023-11-09T13:33:08.057887Z",
         "references": []
      }
   ]
}

As you can see, there is a reference to an attestation. Let's keep pulling the thread 🪄

$ chainloop discover -d sha256:157cb0891dd6fa4df340471ba1e834b114bf845328cb2f6bfb0aa9acc6ec6f88
{
   "digest": "sha256:157cb0891dd6fa4df340471ba1e834b114bf845328cb2f6bfb0aa9acc6ec6f88",
   "kind": "ATTESTATION",
   "downloadable": true,
   "createdAt": "2023-11-09T13:33:08.057887Z",
   "references": [
      {
         "digest": "sha1:b7d4b3a6fabdd2e6f19b834870bbc728d92f413f",
         "kind": "GIT_HEAD_COMMIT",
         "downloadable": false,
         "createdAt": "2023-11-09T13:32:18.923814Z",
         "references": []
      },
      {
         "digest": "sha256:08b98b03efba73e3d0affea9b0b321641ae7faaada72ab21fbbece5c4a9682fc",
         "kind": "ARTIFACT",
         "downloadable": true,
         "createdAt": "2023-11-09T13:33:08.052813Z",
         "references": []
      },
      {
         "digest": "sha256:285d7fb8aace379c460745a11baafdfa4f39a6234c69bcbf944caab5a442906e",
         "kind": "ARTIFACT",
         "downloadable": true,
         "createdAt": "2023-11-09T13:33:08.054857Z",
         "references": []
      },
      {
         "digest": "sha256:4500e988b7ce9f10d25930ac2ea7e29fda6a0fe239e22be653a3ea0549a84a55",
         "kind": "CONTAINER_IMAGE",
         "downloadable": false,
         "createdAt": "2023-11-09T13:33:08.059074Z",
         "references": []
      },
      {
         "digest": "sha256:cb98bdbb49e9e22d36b5baa17dde7a18956485771c8587fa59413f3d14210ed2",
         "kind": "SBOM_SPDX_JSON",
         "downloadable": true,
         "createdAt": "2023-11-09T13:33:08.056048Z",
         "references": []
      },
      {
         "digest": "sha256:d20d817bbfab6a2091e4bdd31f0466fb18af4a84be1bf43427c1c8ca8a65cd31",
         "kind": "SBOM_CYCLONEDX_JSON",
         "downloadable": true,
         "createdAt": "2023-11-09T13:33:08.060168Z",
         "references": []
      }
   ]
}

You can now see all the pieces of evidence associated with this attestation along with their content digest. These can be downloaded, too!

$ chainloop artifact download -d sha256:d20d817bbfab6a2091e4bdd31f0466fb18af4a84be1bf43427c1c8ca8a65cd31
INF downloading file name=cyclonedx.json to=/home/migmartri/work/chainloop/cloud/cyclonedx.json
100.00% [#################.] [202.64KB in 345.663ms; 586.23KB/s] ... 
 ... done! [202.64KB in 580ms; 349.17KB/s]
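
The walk above as a script, added here as an example (it is not part of the release notes or of Chainloop's code): `fetch` stands in for running `chainloop discover -d <digest>` and parsing its JSON, and `node`, `reachable` and `matches_digest` are hypothetical names. The image and the attestation reference each other, so the walk tracks visited digests, and `matches_digest` is the check to run on a downloaded file against the digest the index reported.

```python
import hashlib

IMAGE = "sha256:4500e988b7ce9f10d25930ac2ea7e29fda6a0fe239e22be653a3ea0549a84a55"
ATTESTATION = "sha256:157cb0891dd6fa4df340471ba1e834b114bf845328cb2f6bfb0aa9acc6ec6f88"
SBOM = "sha256:d20d817bbfab6a2091e4bdd31f0466fb18af4a84be1bf43427c1c8ca8a65cd31"
COMMIT = "sha1:b7d4b3a6fabdd2e6f19b834870bbc728d92f413f"

def node(digest, kind, downloadable, refs=()):
    return {"digest": digest, "kind": kind, "downloadable": downloadable,
            "references": list(refs)}

# Trimmed copies of the two discover responses shown above
# (createdAt and three of the attestation's references dropped).
RESPONSES = {
    IMAGE: node(IMAGE, "CONTAINER_IMAGE", False,
                [node(ATTESTATION, "ATTESTATION", True)]),
    ATTESTATION: node(ATTESTATION, "ATTESTATION", True, [
        node(COMMIT, "GIT_HEAD_COMMIT", False),
        node(IMAGE, "CONTAINER_IMAGE", False),
        node(SBOM, "SBOM_CYCLONEDX_JSON", True),
    ]),
}

def fetch(digest):
    """Stand-in for `chainloop discover -d <digest>`; None if nothing is recorded."""
    return RESPONSES.get(digest)

def reachable(start, fetch):
    """Follow references from `start`; returns {digest: (kind, downloadable)}."""
    seen, queue = {}, [start]
    while queue:
        item = fetch(queue.pop())
        if item is None:  # no response for this digest, nothing to expand
            continue
        for ref in item["references"]:
            if ref["digest"] != start and ref["digest"] not in seen:
                seen[ref["digest"]] = (ref["kind"], ref["downloadable"])
                queue.append(ref["digest"])
    return seen

def matches_digest(data, digest):
    """True if `data` hashes to `digest` ("sha256:<hex>"); other algorithms are refused."""
    algo, _, expected = digest.partition(":")
    if algo != "sha256":
        raise ValueError(f"unsupported digest algorithm: {algo!r}")
    return hashlib.sha256(data).hexdigest() == expected.lower()
```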

Get attestations via digest

Remember that attestation that was shown above in the discovery index? Now, you can quickly get it with the CLI by providing its digest!

$ chainloop workflow run describe --digest sha256:157cb0891dd6fa4df340471ba1e834b114bf845328cb2f6bfb0aa9acc6ec6f88 -o statement
{
   "type": "https://in-toto.io/Statement/v1",
   "subject": [
      {
         "name": "chainloop.workflow.process_vac_containers",
         "digest": {
            "sha256": "117151a471d07764193ead79f38a97cf74b3815cefc8955a2a3fcbb1a4afbe06"
         }
      },
      {
         "name": "git.head",
         "digest": {
            "sha1": "b7d4b3a6fabdd2e6f19b834870bbc728d92f413f"
         },
         "annotations": {
            "date": "2023-11-09T13:30:54Z",
            "message": "temporary fix for enriched cycclonedx\n\nSigned-off-by: Daniel Liszka \u003c[email protected]\u003e\n",
...

What's Changed

  • Bump Helm Chart Version => v0.25.0 by @github-actions in #407
  • Reduce the size by stripping debug symbols by @danlishka in #410
  • chore(ci): bump chainloop CLI to v0.25.0 by @migmartri in #409
  • fix(ci): detect generated API missing by @migmartri in #412
  • fix(controlplane): bubble up authorization permission by @migmartri in #408
  • feat(runner): Integrate runner for Jenkins jobs by @buccarel in #411
  • chore: clear some unintended trailing spaces by @buccarel in #413
  • chore: display jenkins job type in runner column by @buccarel in #421
  • fix(api): remove empty properties description by @javirln in #422
  • fix(DB): cleanup items on organization deletion by @migmartri in #423
  • feat(referrers): persistence layer by @migmartri in #416
  • feat(referrers): API endpoint by @migmartri in #424
  • feat(cli): retrieve workflowRun by attestation digest by @migmartri in #425

New Contributors

Full Changelog: v0.25.0...v0.30.0