Chalk, the Open-Source Software Provenance Engine, Reaches General Availability
Chalk embeds provenance into software artifacts so teams can answer the questions that matter. Visit the Crash Override booth at KubeCon EU to see it live.
NEW YORK, NY, UNITED STATES, March 25, 2026 /EINPresswire.com/ -- Chalk, the open-source software provenance and attestation engine from Crash Override, today reached general availability. Chalk drops into existing CI/CD pipelines with five lines of YAML and embeds cryptographically signed context - commit hash, dependencies, build environment, scan results - directly into containers, binaries, JARs, and scripts at build time. Those artifacts then beacon back from production, giving teams continuous visibility into what’s deployed without adding another tool to maintain.
Already proven at scale in Fortune 50 environments, this GA release marks Chalk’s transition from battle-tested internal tooling to a production-ready release available to every engineering team. It requires no agents, no platform migration, and is fail-open by design. It will never break a build.
The GA release will be showcased at the Crash Override booth at KubeCon + CloudNativeCon Europe 2026 in Amsterdam on Tuesday, March 24 through Thursday, March 26.
The Problem Chalk Solves
Every engineering team runs into the same gap. A CVE drops on a Friday, a customer escalation comes in, or PagerDuty fires at 2am - and the first 40 minutes are spent correlating across disconnected tools just to figure out what’s actually running. Build systems, registries, deployment tools, and observability platforms all function independently, but none share context. What happens in the build system stays in the build system.
Chalk closes that gap by making the artifact carry its own provenance. Instead of reconstructing context after the fact from six different systems, Chalk embeds it at the source, at build time, so it’s there when you need it, wherever the artifact ends up.
How Chalk Works: Tag, Ship, Track
Tag. Add Chalk to a CI pipeline. At build time, Chalk performs deep inspection of every artifact layer and embeds a cryptographically signed beacon - commit hash, author, branch, dependencies, build environment, scan results - directly into the artifact itself.
Ship. Developers ship as usual. Provenance travels with the artifact through the registry, scanning, and deployment. SBOM generation and Sigstore-based signing happen automatically - no changes to build scripts or workflows.
Track. In production, chalked artifacts beacon back with runtime telemetry - heartbeats, process metadata, network connections. Query via APIs, trigger webhooks, or expose data through MCP for AI agents. The 40-minute diagnosis becomes seconds.
What’s in the GA Release
Deep Build Inspection. Chalk runs inside the build, inspecting every layer of every artifact - containers, binaries, dependencies, configurations.
Embedded Provenance. Chalk marks - tamperproof identifiers carrying full build context - are embedded directly into artifacts. The artifact carries its own provenance, permanently.
Automatic SBOM Generation and Signing. SBOMs are generated at build time. Sigstore-based signing is built in - run chalk setup and every subsequent operation signs and validates automatically.
Runtime Beaconing. Chalk’s exec mode wraps application entry points to collect runtime telemetry - heartbeats, process metadata, network connections - providing continuous visibility into what is actually deployed.
Flexible Data Routing. Send provenance data to local files, REST APIs, S3 buckets - wherever it fits your existing infrastructure.
MCP Server Integration. A new MCP server makes Chalk’s provenance data queryable through conversational AI interfaces, enabling teams to ask natural-language questions about their software portfolio.
Fail-Open by Design. Chalk will never break a build. If it encounters an issue, the pipeline continues. Minimal overhead, zero disruption.
“Chalk was designed around one principle: give engineers value, not work,” said John Viega, inventor of AES-GCM encryption and co-founder of Crash Override. “With this release, a team can go from zero to full build-to-runtime provenance in minutes - without stitching together half a dozen tools or changing a single line of their build process.”
Overhauled Documentation
The GA release is accompanied by a comprehensive documentation overhaul. The Chalk team has restructured the docs from the ground up with a streamlined quickstart guide that takes users from installation to their first chalk mark in minutes, rewritten guides for exec monitoring and heartbeat telemetry with practical examples, improved coverage of signing and attestation workflows, and a clearer information architecture overall. The goal is for someone to go from discovering Chalk to seeing real provenance data in under five minutes.
See Chalk at KubeCon EU 2026
The Crash Override team will be demonstrating Chalk at KubeCon + CloudNativeCon Europe 2026 in London on Tuesday, March 24. Stop by the booth to see Chalk mark containers and binaries live in a CI/CD pipeline, query provenance data across a real software portfolio, and go from zero to working provenance in minutes. The team will also be previewing Chalk’s MCP server integration and showing how Chalk fits into the broader Crash Override platform for organizations that need enterprise-grade policy, visibility, and compliance capabilities on top of the open-source engine.
Get Started
Chalk is free, open source (GPL-3.0), and ready to try today. Five lines of YAML. No agents. No platform migration.
GitHub: https://github.com/crashappsec/chalk
Documentation: https://chalkproject.io/docs
Quick Install: curl -fsSL https://chalkproject.io/install.sh | bash
Mike Flouton
Crash Override