So far we have performed attestations, attached pieces of evidence, evaluated policies and stored the results in Chainloop.

In this section, we’ll show you how you can see the compliance posture of your whole project with the use of project versions and compliance frameworks.

As you may remember, during the attestation process you have been providing the --project flag with the value myproject, so let’s inspect that project in the project view.

The goal of this view is to show you a high-level, aggregated view of your project workflows, pieces of evidence, policy evaluations and compliance score. You can learn more about the project view in this guide.

Attach Compliance Frameworks

At the bottom of the page, you can see the list of compliance frameworks attached to the project. In our case there are none, so let’s attach the SLSA and chainloop-best-practices frameworks. To do so, click on “Assign Frameworks” and select the frameworks you want to attach.

Once done, you should be able to see the list of requirements automatically fulfilled by your workflows.

You can drill down to see the details of each requirement in the frameworks tab.

Manage Versions

As you can see at the top left, there is a version selector with the none value for now. Chainloop allows you to create versions of your project, so all the compliance data can be aggregated by version. To learn more about versions, check this guide.

Let’s perform the same attestation as before, but this time providing the --version flag with the value 1.0.0.

chainloop att init --workflow build-container-image --project myproject --version 1.0.0 --replace
# Provide materials
chainloop att add --name container --value ghcr.io/chainloop-dev/chainloop/control-plane
chainloop att add --name sbom --value https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/sbom.json
chainloop att add --name vulnerabilities-report --value https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/vulnerability-report.json

# Sign and push
chainloop att push

You now have version 1.0.0 in the selector at the top.

Aggregate data

As mentioned before, the goal of this view is to show you a high-level, aggregated view of your project workflows, pieces of evidence, policy evaluations and compliance score for each version.

So let’s perform another attestation, but this time from another workflow.

chainloop att init --workflow build-another-service --project myproject --version 1.0.0 --replace

# We can push already since it has an empty contract
chainloop att push

Now you should be able to see the new workflow in the project view, along with any policy and metadata evaluations aggregated by version.

That’s it

This has been a quick tour of some of Chainloop’s features. You can learn more about the platform in the documentation.

Welcome to Chainloop!