Changelog: Connect Your Repo, Secure on Day One
Daniel Liszka
AI is writing more code, in more repositories, than any security team can keep up with by hand. The most useful thing we can do is make getting started take zero work. That is what this release is about. You connect a GitHub repo, and Chainloop goes to work on its own. It scans the code, builds an SBOM, checks your CI for misconfigurations, looks for secrets, and starts reporting compliance. Nothing to set up first. We are also running the parts you used to run yourself: your trusted storage and your AI. Connect your repo, and you are covered.
Connect a Repo, Start Scanning
Connect a GitHub repository and Chainloop runs the security checks for you: vulnerability scanning, SBOM generation, CI misconfiguration checks, and secret scanning. All automatic, nothing to instrument.
Already have scanners you trust? Bring them. Upload results from JFrog Xray, Black Duck, GitHub, Trivy, and others, and we normalize them into one place. The point was never the scan. It is what happens next: we correlate the findings, help you prioritize by real risk, and open a remediation PR. Scan with us or scan with your own stack; the governance layer is the same.
For a security team, this is the difference between covering one repository and covering all of them. You do not wire anything up. You connect, and the coverage is there.
It is a preview today. It starts with GitHub, and GitLab and more are coming.
Managed Storage, Managed AI
We want connecting a repo to be the only thing you do. So we are taking the rest off your plate, and where you need the control back, you can take it back.
Managed trusted storage. Chainloop now provisions and runs your evidence storage for you. A dedicated, isolated backend per organization, backed by AWS, with a monthly quota so usage stays predictable. No bucket, no credentials, nothing to set up before your evidence has a home. When residency and key control matter, higher tiers let you bring your own storage instead. See managed CAS.
Managed AI. You no longer need to bring your own model key to use our AI features. We run a managed AI gateway, and every call through it is tagged for governance, so you can see exactly what the AI did. Want to keep AI inside your boundary? Bring your own key, a custom Anthropic endpoint, or your own model on enterprise tiers. Your call.
Compliance from day one. Onboarding a repo creates a product, attaches default security frameworks, and starts collecting evidence in one step. You get a compliance picture from the first scan, not after a setup pass.
And if you want all of it inside your own walls, Chainloop runs on-prem.
Findings That Reach You
A finding is only worth something if it reaches the person who can fix it. So findings now flow into the tools your team already uses. The Linear integration shows each assessment’s linked ticket and its state inline, so you can track remediation without leaving Chainloop, and email goes out the moment a finding is created or a revision is proposed. New CLI commands let you list, inspect, and act on findings and assessments straight from your scripts and pipelines. And a new funnel view breaks findings down by severity and by resolution status, so you can see what to take next at a glance.
The Home Page Shows Your Posture
Sign in and the home page opens on the state of your supply chain. Ready-made Ask Chainloop prompts, grouped by security, compliance, and governance, answer the questions you would have asked yourself. New organizations get a guided flow to connect that first repo.
Full changelog at docs.chainloop.dev/changelog.
Let’s Talk
We will be in Riga for the EBRD 2026 Annual Meeting, where I am speaking at FinTech Connect on the question I keep hearing from banks: your engineers are shipping 3 to 5x more code with AI, so do you actually know what is going into production, who built it, and whether it is safe to trust? That question is most of the reason this release exists.
After that we will be in Vienna for OWASP Global AppSec EU 2026, and we are hosting our own event around it. If you are at either, come find us.
Next, we want connecting a repo to be the only setup step there is.
- Request a demo: chainloop.dev/book-a-demo
- Documentation: docs.chainloop.dev
- Open source: github.com/chainloop-dev/chainloop