README
¶
GUAC integration
Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.
This integration allows Chainloop users to automatically send attestation (DSSE envelopes / in-toto statements) and CycloneDX/SPDX Software Bill Of Materials (SBOMs) to a cloud storage bucket staging area. From there, GUAC can be configured to continuously monitor and inject that data. Compatible with Guac v0.1.0 beta or newer.
How to use it
Currently, this integration only supports Google Cloud Storage (GCS) as a storage provider with more to come in the future. If you are interested in a specific provider, please let us know
Chainloop setup
Using Google Cloud Platform
Prerequisites
- A Google Cloud Platform (GCP) account
- A GCP project with a GCS bucket
- A GCP service account with write access to the bucket. See Creating and managing service accounts for more information.
- Once create, download the service account JSON credentials file
Registration
To get started, you need to register the plugin in your Chainloop organization.
$ chainloop integration registered add guac --opt bucket=[my-bucket-name] --opt credentials=[credentials-content] --opt provider=gcs
# Example
$ chainloop integration registered add guac --opt bucket=test-guac --opt credentials="$(cat ./service-account-devel.json)" --opt provider=gcs
Attachment
Then, in order to use the integration, you need to attach it to a workflow by providing the IDs of the workflow and integration you just registered.
$ chainloop integration attached add --workflow $WID --integration $ID
That's all on the Chainloop side. Now all new attestation and SBOM metadata files will get uploaded to Google Cloud Storage.
GUAC setup
Refer to https://github.com/guacsec/guac documentation to learn how to setup GUAC to import from a GCS-based collector.
Registration Input Schema
| Field | Type | Required | Description |
|---|---|---|---|
| bucket | string | yes | Bucket name where to store the artifacts |
| credentials | string | yes | Credentials to access the bucket |
| provider | string | no | Blob storage provider: default gcs |
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://github.com/chainloop-dev/chainloop/app/controlplane/plugins/core/guac/v1/registration-request",
"properties": {
"provider": {
"type": "string",
"enum": [
"gcs"
],
"minLength": 1,
"description": "Blob storage provider: default gcs"
},
"bucket": {
"type": "string",
"minLength": 1,
"description": "Bucket name where to store the artifacts"
},
"credentials": {
"type": "string",
"minLength": 2,
"description": "Credentials to access the bucket"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"bucket",
"credentials"
]
}
Documentation
¶
Index ¶
- func New(l log.Logger) (sdk.FanOut, error)
- type Integration
- func (i *Integration) Attach(_ context.Context, _ *sdk.AttachmentRequest) (*sdk.AttachmentResponse, error)
- func (i *Integration) Execute(ctx context.Context, req *sdk.ExecutionRequest) error
- func (i *Integration) Register(ctx context.Context, req *sdk.RegistrationRequest) (*sdk.RegistrationResponse, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Integration ¶
type Integration struct {
*sdk.FanOutIntegration
}
Integration implements of a FanOut integration See https://github.com/chainloop-dev/chainloop/blob/main/app/controlplane/plugins/README.md for more information
func (*Integration) Attach ¶
func (i *Integration) Attach(_ context.Context, _ *sdk.AttachmentRequest) (*sdk.AttachmentResponse, error)
Attachment is executed when to attach a registered instance of this integration to a specific workflow
Source Files