Chalk runs in your build pipeline to inject a tiny piece of metadata called a ‘chalk mark’ into every software artifact you create or use. Think source code, containers and binaries. Chalk then collects detailed information called a ‘chalk report’ each time a build or a new artifact is created, and associates that information with the chalk mark so you know what has happened, what has changed and where the changes have taken place.

Chalk Marks and Reports

The metadata written into a single artifact is called the chalk mark. Chalk marks are JSON objects. Chalk can also generate chalk reports, separate from the artifact that can contain raw data collected. These reports, also JSON, can be generated at the time of chalking, but they can also be generated at any point after a chalk mark is added, such as on extraction or execution operations.

Insertions and Build Wrapping

Chalk insertion operates in two modes, stand-alone insertion, when the chalk mark is added after the artifact has been built, and build wrapping, where chalk wraps the command that builds the artifact, adding a chalk mark into the artifact at build time.

You can currently insert chalk marks into ELF executables, container images, JAR, WAR and EAR files, ZIP files, byte-compiled Python and MacOS executables.


Chalk can report the presence of chalk marks and perform full extraction of the chalk marks themselves, so you choose what to see and where to send the data. You can extract a chalk mark from a single binary or from a container.

Executing Processes

Chalk supports a ‘chalk exec’ operation where it will run your process, as well as report on that process and the host environment. Using this, you can orchestrate additional analysis and collection tools, and report on the runtime environment.


Chalk ships with a large set of metadata that you can organize using templates.

Chalk metadata falls into four categories:

  • Chalk-time artifact metadata, which is data specific to a software artifact, collected when inserting chalk marks.
  • Chalk-time host metadata, which is data about the environment in which chalk ran in when inserting chalk marks.
  • Run-time artifact metadata, which is data about software artifacts that can be collected on any invocation of chalk.
  • Run-time host metadata, which is data about the host, captured on any invocation of chalk.

You can also easily create your own custom keys.

Learn More

You can find more information including the full technical documentation on our docs site.

Chalk vs. Platform


Chalk Open source

Platform (Early access)

Open Source

Free forever

Free while in Early Access

Works with any CI/CD and build system

Commercially Supported

Integrates with GitHub

Integrates with GitLab

Integrates with AWS

Web portal

Team workspaces

Single Sign On / SAML

Join our early access program now. Available to qualified companies.