Important: A “project” is different from a “product”, and a “project version” is different from a “product version”. Project versions represent the version of the component, while product versions represent the version of the product.
Products and project versions can evolve independently.
The goal of this view is to show you a high-level, aggregated view of your project workflows, pieces of evidence, policy evaluations and compliance score.
You can change the project version by clicking on the version name and selecting the desired version from the dropdown menu.
The display shows the percentage of total framework requirements being met. In the center, a detailed breakdown of individual requirements is provided, categorized by status with the following color codes:
- Gray: No requirement evaluations are available for the current project version.
- Green: Requirements are evaluated and passing.
- Red: Requirements are evaluated but not passing.
- Yellow: Requirements are evaluated but not all policies are passing.
- Blue: Requirements are not passing, but a team member has created an exception.
Frameworks can be associated with a project at any time by attaching them to one of its products.
Evidence Tab
The Evidence tab in the project view provides a comprehensive view of all pieces of evidence associated with a specific project version. This centralized location allows you to inspect and filter all the materials that have been collected through attestations.
Filtering Evidence
The Evidence tab supports filtering by Material Type, making it easy to focus on specific types of evidence:
- Artifacts - Software artifacts, container images, Helm charts, and generic artifacts
- Provenance - Supply chain provenance and attestation data
- SBOMs - Software Bill of Materials in CycloneDX and SPDX formats
- VEX Documents - Vulnerability exploitability assessments in OpenVEX and CSAF VEX formats
- Vulnerability Reports - Vulnerability scan results in SARIF format
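The document formats named in this list each carry a self-identifying field, so evidence files can be sorted into these material types before they are attested. The following is an added example, not Chainloop's own code or detection logic; the file names, the sample documents, and the functions classify and filter_by_material_type are assumptions made for illustration, and only the three material types for which the list names a format are covered.

```python
import json

# Constructed samples, trimmed to the fields each format uses to identify itself.
SAMPLES = {
    "app.cdx.json": '{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}',
    "app.spdx.json": '{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "packages": []}',
    "app.openvex.json": '{"@context": "https://openvex.dev/ns/v0.2.0", "statements": []}',
    "app.csaf.json": '{"document": {"category": "csaf_vex", "csaf_version": "2.0"}}',
    "scan.sarif": '{"version": "2.1.0", "runs": []}',
    "notes.json": '{"hello": "world"}',
    "broken.json": '{"bomFormat": ',
}

def classify(raw):
    """Return (material type, format) using the names from the list above, or None."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return None  # truncated or non-JSON evidence is never guessed at
    if not isinstance(doc, dict):
        return None
    if doc.get("bomFormat") == "CycloneDX":
        return ("SBOMs", "CycloneDX")
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return ("SBOMs", "SPDX")
    if str(doc.get("@context", "")).startswith("https://openvex.dev/ns"):
        return ("VEX Documents", "OpenVEX")
    meta = doc.get("document")
    if isinstance(meta, dict) and meta.get("category") == "csaf_vex":
        return ("VEX Documents", "CSAF VEX")
    if isinstance(doc.get("runs"), list) and "version" in doc:
        return ("Vulnerability Reports", "SARIF")
    return None

def filter_by_material_type(samples, material_type):
    """Names of the samples whose detected material type matches the filter."""
    hits = []
    for name, raw in samples.items():
        result = classify(raw)
        if result and result[0] == material_type:
            hits.append(name)
    return sorted(hits)

if __name__ == "__main__":
    for wanted in ("SBOMs", "VEX Documents", "Vulnerability Reports"):
        print(wanted, "->", filter_by_material_type(SAMPLES, wanted))
```

Files that return None here (malformed JSON or an unrecognized schema) are worth reviewing by hand before they are submitted as evidence.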
How to create a new Project
There are several ways of creating new Projects:
- Automatically when you perform an attestation
- Through the UI in advance
To create a project, go to the projects list and click Create Project.

- Name: Unique name of the project in the organization. It normally matches a specific software product.
- Description: A description of what the project is about.
Project Versions
Attest to a specific version
During the attestation process, alongside providing the project, you can also provide a version.
For example, the following line will initialize an attestation associated with the project myproject and version v0.0.1
Command output
Promote a pre-release version
Note how the version in the previous output is v0.0.1 (prerelease). Think of prerelease as a work-in-progress version, not yet finished until an explicit release event is performed.
To release an existing pre-release version, you can either:
- Perform another attestation, this time providing the --release flag.
- Release it from the Web UI.
Command output
Automatically load the version
An alternative to providing the --version flag in each attestation is to use a .chainloop.yml file in your repo.
.chainloop.yml file automatically if it exists.