AI Contribution Policy

Chainloop is an open-source evidence store for Software Supply Chain attestations, SBOMs, VEX, SARIF, and other compliance artifacts. Correctness, security, and long-term maintainability are non-negotiable properties of the project.

This policy sets clear expectations for AI-assisted contributions. It is not an anti-AI stance — maintainers and contributors alike use AI tools in their daily workflows, and we encourage you to do the same. AI can accelerate learning, improve documentation, generate test scaffolding, and help explore design alternatives. We welcome contributors who use AI as a productivity amplifier, not as a substitute for understanding.

AI tools are welcome in the Chainloop contributor workflow. The human contributor is always accountable for every line submitted.

Contribution Guidelines

The following rules apply to all contributions, regardless of how they were produced:

  • Own your changes. You must be able to explain every change you submit. "The AI generated it" is never an acceptable answer during review.
  • Design before coding. For non-trivial changes, open a GitHub Issue with clear reasoning before a PR. PRs that ignore established patterns will be closed.
  • Quality over quantity. One well-understood, well-tested PR is worth more than many AI-assisted drive-by fixes. A flood of low-effort PRs exhausts maintainer attention and delays everyone in the queue.
  • Tests are required. Bug fixes need regression tests; new features need unit and integration tests. AI-generated tests that do not actually exercise the relevant behaviour will be rejected.
  • Legal compliance. Chainloop is Apache 2.0 licensed. Contributors must ensure:
    • No third-party copyrighted material has been reproduced without a compatible open source license and proper attribution.
    • When AI tools are used, their terms do not impose restrictions incompatible with Apache 2.0.

Disclosure

If AI assisted in producing any part of your contribution, disclose it in the PR description. Add an Assisted-by: trailer to each affected commit:

Assisted-by: GitHub Copilot
Assisted-by: Claude Code
Assisted-by: ChatGPT o3

Disclosure is not a penalty — it is trust infrastructure. It preserves transparency, helps reviewers calibrate their attention, and keeps provenance clear for the project's long-term health.

Engaging With Maintainers

  • Respond personally. Do not pipe review feedback back into an AI and apply the output blindly. Responses during review must reflect genuine understanding of the code and the project's design goals.
  • No AI ping-pong. If maintainers observe a pattern of AI-driven responses without real engagement, the PR will be closed without further explanation.
  • Maintainers reserve the right to close any low-effort AI contribution without a detailed technical critique.

Maintainer Use of AI

Maintainers also use AI tools: for reviewing changes, exploring implementation options, and improving documentation. The same disclosure and ownership expectations apply to maintainer-authored commits.

Acknowledgements

This policy is inspired by the go-git AI Policy, the Kubewarden AI Policy, the CloudNativePG AI Policy, and the Kyverno AI Usage Policy. It aligns with the Linux Foundation's Generative AI guidance and the CNCF community's evolving norms on sustainable AI-assisted open source development.