Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions app/cli/cmd/attestation_init.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ package cmd
import (
"errors"
"fmt"
"slices"
"strings"

"github.com/chainloop-dev/chainloop/app/cli/cmd/output"
"github.com/chainloop-dev/chainloop/app/cli/pkg/action"
Expand All @@ -36,6 +38,7 @@ func newAttestationInitCmd() *cobra.Command {
projectVersionRelease bool
existingVersion bool
newWorkflowcontract string
collectors []string
)

cmd := &cobra.Command{
Expand Down Expand Up @@ -74,6 +77,12 @@ func newAttestationInitCmd() *cobra.Command {
return errors.New("project version is required when using --existing-version")
}

for _, c := range collectors {
Comment thread
jiparis marked this conversation as resolved.
if !slices.Contains(action.ValidCollectors, c) {
return fmt.Errorf("unknown collector %q, valid options: %s", c, strings.Join(action.ValidCollectors, ", "))
}
}

return nil
},
RunE: func(cmd *cobra.Command, _ []string) error {
Expand Down Expand Up @@ -105,6 +114,7 @@ func newAttestationInitCmd() *cobra.Command {
NewWorkflowContractRef: newWorkflowcontract,
ProjectVersionMarkAsReleased: projectVersionRelease,
RequireExistingVersion: existingVersion,
Collectors: collectors,
})

return err
Expand Down Expand Up @@ -164,6 +174,7 @@ func newAttestationInitCmd() *cobra.Command {
cmd.Flags().StringVar(&projectVersion, "version", "", "project version, i.e 0.1.0")
cmd.Flags().BoolVar(&projectVersionRelease, "release", false, "promote the provided version as a release")
cmd.Flags().BoolVar(&existingVersion, "existing-version", false, "return an error if the version doesn't exist in the project")
cmd.Flags().StringSliceVar(&collectors, "collectors", nil, "comma-separated list of additional collectors to enable (e.g. aiconfig)")
Comment thread
jiparis marked this conversation as resolved.

return cmd
}
5 changes: 3 additions & 2 deletions app/cli/documentation/cli-reference.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -246,7 +246,7 @@ Options
--annotation strings additional annotation in the format of key=value
--attestation-id string Unique identifier of the in-progress attestation
-h, --help help for add
--kind string kind of the material to be recorded: ["ARTIFACT" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CHAINLOOP_PR_INFO" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "GITLEAKS_JSON" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENVEX" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "TWISTCLI_SCAN_JSON" "ZAP_DAST_ZIP"]
--kind string kind of the material to be recorded: ["ARTIFACT" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CHAINLOOP_AI_AGENT_CONFIG" "CHAINLOOP_PR_INFO" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "GITLEAKS_JSON" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENVEX" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "TWISTCLI_SCAN_JSON" "ZAP_DAST_ZIP"]
--name string name of the material as shown in the contract
--no-strict-validation skip strict schema validation for SBOM_CYCLONEDX_JSON materials
--registry-password string registry password, ($CHAINLOOP_REGISTRY_PASSWORD)
Expand Down Expand Up @@ -321,6 +321,7 @@ chainloop attestation init [flags]
Options

```
--collectors strings comma-separated list of additional collectors to enable (e.g. aiconfig)
--contract string name of an existing contract or the path/URL to a contract file, to attach it to the auto-created workflow (it doesn't update an existing one)
--contract-revision int revision of the contract to retrieve, "latest" by default
--dry-run do not record attestation in the control plane, useful for development
Expand Down Expand Up @@ -2932,7 +2933,7 @@ Options
--annotation strings Key-value pairs of material annotations (key=value)
-h, --help help for eval
--input stringArray Key-value pairs of policy inputs (key=value)
--kind string Kind of the material: ["ARTIFACT" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CHAINLOOP_PR_INFO" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "GITLEAKS_JSON" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENVEX" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "TWISTCLI_SCAN_JSON" "ZAP_DAST_ZIP"]
--kind string Kind of the material: ["ARTIFACT" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CHAINLOOP_AI_AGENT_CONFIG" "CHAINLOOP_PR_INFO" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "GITLEAKS_JSON" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENVEX" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "TWISTCLI_SCAN_JSON" "ZAP_DAST_ZIP"]
--material string Path to material or attestation file
-p, --policy string Policy reference (./my-policy.yaml, https://my-domain.com/my-policy.yaml, chainloop://my-stored-policy) (default "policy.yaml")
```
Expand Down
23 changes: 19 additions & 4 deletions app/cli/pkg/action/attestation_init.go
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,11 @@ type AttestationInit struct {
connectionInsecure bool
}

const aiConfigCollectorName = "aiconfig"

// ValidCollectors is the list of known collector names accepted by --collectors.
var ValidCollectors = []string{aiConfigCollectorName}

// ErrAttestationAlreadyExist means that there is an attestation in progress
var ErrAttestationAlreadyExist = errors.New("attestation already initialized")

Expand Down Expand Up @@ -95,6 +100,8 @@ type AttestationInitRunOpts struct {
RequireExistingVersion bool
WorkflowName string
NewWorkflowContractRef string
// Collectors is a list of additional collector names to enable (e.g. "aiconfig")
Collectors []string
}

func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRunOpts) (string, error) {
Expand Down Expand Up @@ -300,11 +307,19 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
return "", err
}

// Auto-collect PR/MR metadata if in PR/MR context
if err := action.c.AutoCollectPRMetadata(ctx, attestationID, discoveredRunner, casBackend); err != nil {
action.Logger.Warn().Err(err).Msg("failed to auto-collect PR/MR metadata")
// Don't fail the init - this is best-effort
// Register and run auto-discovery collectors
// PR metadata is always collected; other collectors are opt-in via --collectors flag
collectors := []crafter.Collector{crafter.NewPRMetadataCollector(discoveredRunner)}
for _, name := range opts.Collectors {
switch name {
case aiConfigCollectorName:
collectors = append(collectors, crafter.NewAIAgentConfigCollector())
default:
action.Logger.Warn().Str("collector", name).Msg("unknown collector, skipping")
}
}
action.c.RegisterCollectors(collectors...)
action.c.RunCollectors(ctx, attestationID, casBackend)

// Evaluate attestation-level policies at init phase
attClient := pb.NewAttestationServiceClient(action.CPConnection)
Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

13 changes: 9 additions & 4 deletions app/controlplane/api/workflowcontract/v1/crafting_schema.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,8 @@ message CraftingSchema {
CHAINLOOP_PR_INFO = 26;
// Gitleaks json report https://github.com/gitleaks/gitleaks/blob/master/README.md#reporting
GITLEAKS_JSON = 27;
// AI agent configuration collected automatically during attestation
CHAINLOOP_AI_AGENT_CONFIG = 28;
Comment thread
jiparis marked this conversation as resolved.
}
}
}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
//
// Copyright 2024-2025 The Chainloop Authors.
// Copyright 2024-2026 The Chainloop Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -49,6 +49,7 @@ var CraftingMaterialInValidationOrder = []CraftingSchema_Material_MaterialType{
CraftingSchema_Material_ZAP_DAST_ZIP,
CraftingSchema_Material_SLSA_PROVENANCE,
CraftingSchema_Material_CHAINLOOP_RUNNER_CONTEXT,
CraftingSchema_Material_CHAINLOOP_AI_AGENT_CONFIG,

@cubic-dev-ai cubic-dev-ai Bot Mar 13, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Add tests for the new CHAINLOOP_AI_AGENT_CONFIG auto-detection path in both crafter and policy-eval flows.

(Based on your team's feedback about adding or updating tests for new paths.)

View Feedback

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At app/controlplane/api/workflowcontract/v1/crafting_schema_validations.go, line 52:

<comment>Add tests for the new `CHAINLOOP_AI_AGENT_CONFIG` auto-detection path in both crafter and policy-eval flows.

(Based on your team's feedback about adding or updating tests for new paths.) </comment>

<file context>
@@ -49,6 +49,7 @@ var CraftingMaterialInValidationOrder = []CraftingSchema_Material_MaterialType{
 	CraftingSchema_Material_ZAP_DAST_ZIP,
 	CraftingSchema_Material_SLSA_PROVENANCE,
 	CraftingSchema_Material_CHAINLOOP_RUNNER_CONTEXT,
+	CraftingSchema_Material_CHAINLOOP_AI_AGENT_CONFIG,
 	CraftingSchema_Material_ATTESTATION,
 	CraftingSchema_Material_CONTAINER_IMAGE,
</file context>
Fix with Cubic

CraftingSchema_Material_ATTESTATION,
CraftingSchema_Material_CONTAINER_IMAGE,
CraftingSchema_Material_ARTIFACT,
Expand Down
Loading
Loading