Skip to main content

Overview

Operators can extend Chainloop functionality by setting up third-party integrations that operate on your attestation metadata and workflow events. Integrations can range from sending a Slack message, uploading the attestation to a storage backend or sending a Software Bill Of Materials (SBOMs) to a third-party service for analysis, for example. Integrations Integrations are organized into two categories: Fan-Out and Notification:

Integration Types Comparison

Fan-OutNotification
PurposeDistribute attestations to external systemsSend notifications about product updates and system alerts
ConfigurationRegister per organization, then attach to workflowsRegister per organization, then configured in different scopes
Use Cases• Send attestations to external storage
• Integrate with compliance tools
• Distribute artifacts to registries		• System status notifications
• Storage backends failures & recoveries
• Administrative notifications
ExamplesDependency Track, Webhooks, GUAC, Storage backendsEmail Notification, Microsoft Teams Webhook
Below you can find the list of currently available integrations. If you can’t find the integration you are looking for, feel free to reach out or contribute your own!

Available integrations

Fan-Out Integrations

Fan-Out integrations distribute attestations, SBOMs, and artifacts to external systems.
NameDescriptionSupported Metadata
dependency-trackSend CycloneDX SBOMs to your Dependency-Track instanceSBOM
discord-webhookSend attestations to DiscordAttestation
guacExport Attestation and SBOMs metadata to a blob storage backend so guacsec/guac can consume itSBOM
slack-webhookSend attestations to SlackAttestation
smtpSend emails with information about a received attestationAttestation
webhookSend attestations and SBOMs to a generic POST webhook URLAttestation, SBOM

Notification Integrations

This feature is only available on Chainloop’s platform paid plans.
Notification integrations send alerts about workflow events and system status. Check the Notifications documentation for more details.

Setting up integrations

Both Fan-Out and Notification integrations follow the same registration process. The key difference is how they are used after registration:
  • Fan-Out integrations are attached to individual workflows
  • Notification integrations are configured at different scopes for alerting purposes (Organization-level, Product-level)

Step 1: Check available integrations

First, make sure that the integration you are looking for is available in your Chainloop instance:
  • Web UI
  • CLI
Go to the Integrations page and check if the integration you are looking for is available.Integrations

Step 2: Register the integration

Registration is when a specific instance of the integration is configured in a Chainloop organization. A registered instance is then available to be attached to workflows (for Fan-Out) or configured globally (for Notifications). Each registration shows its configuration status in the UI. In our case, as an example, we want to register an instance of the webhook integration.
  • Web UI
  • CLI
To do so, click on the integration. You’ll see two sections: Registration inputs, and Attachment inputs.IntegrationsRegistration inputs are a one-time set of fields required to register the integration in your organization. In this case, the URL of the webhook. However, Attachment inputs are properties set at the workflow level, which can vary from one workflow to another within the same organization.Click “Add Registration” to set the URL valueIntegrationsIntegrationsAfter clicking “Register” you’ll see your integration in the “Registrations” tab:Integrations

Step 3: Attaching Fan-Out integrations to workflows

For Notification integrations: Check the Notifications documentation for reference.
Once the integration is registered, the next step depends on the integration type: Attach the integration to specific workflows. In practice this means that attestations and material information generated in those workflows will be sent to the registered integration.
  • Web UI
  • CLI
In the workflow view, click on the integrations tab:IntegrationsWhen clicking “Attach” you’ll be presented with the list of available integrations for your organization (which were prepared in the previous step).When an integration is selected, you’ll see the list of attachment properties that can be set at the workflow level. In this case, the two Attachment Input properties we saw in the previous section. This particular integration can receive full attestation documents, SBOMs, or both.Integrations
⌘I