
# Set Metadata expectations

In the previous step, we performed an attestation process that contained two pieces of evidence, but **none of those were required**. Now, our Security and Compliance team wants to make those pieces of evidence mandatory. This is achieved through the definition of [contracts](/concepts/contracts).

<img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/get-started/img/adding-contract-1.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=c9161652bc759a7b7eb6ce054a96af2b" alt="info" width="807" height="522" data-path="get-started/img/adding-contract-1.png" />

A contract is the interface between development pipelines and the requirements defined by the Security and Compliance teams in the Chainloop Service. It defines the pieces of evidence that are expected to be received as part of the attestation process, as well as additional constraints, such as the type of source (GitHub, Dagger, etc.) and the policies that must be evaluated.

<Tip>
  See our [Contracts](/concepts/contracts) reference for more information.
</Tip>

## Update the contract

Each workflow has an empty contract attached by default. Let's update it to require a container image, an SBOM and a vulnerability report.

<Tabs>
  <Tab title="Web UI">
    Click on ["Update Contract"](https://app.chainloop.dev/contracts/myproject-build-container-image/update), and change the contract schema to the following:

    <img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/get-started/img/adding-contract-3.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=6ec92ebc7d4e6896a3c30adb3708328e" alt="info" width="923" height="677" data-path="get-started/img/adding-contract-3.png" />

    ```yaml theme={"dark"}
    apiVersion: chainloop.dev/v1
    kind: Contract
    metadata:
      name: myproject-build-container-image
    spec:
      materials:
        - name: container
          type: CONTAINER_IMAGE
        - name: sbom
          type: SBOM_CYCLONEDX_JSON
        - name: vulnerabilities-report
          type: SARIF
    ```
  </Tab>

  <Tab title="CLI">
    ```bash theme={"dark"}
    chainloop wf contract update --contract https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/contract-only-materials.yaml
    ```
  </Tab>
</Tabs>

## Initialize an Attestation process

Let's perform another attestation, but note how the requirements have changed this time.

```bash theme={"dark"}
chainloop att init --workflow build-container-image --project myproject --replace
```

```bash theme={"dark"}
┌───────────────────────────┬──────────────────────────────────────────────┐
│ Initialized At            │ 13 May 25 09:52 UTC                          │
├───────────────────────────┼──────────────────────────────────────────────┤
│ Attestation ID            │ ce0a4e64-cdde-477a-8141-70cd3c198cf4         │
│ Organization              │ gs-demo                                      │
│ Name                      │ build-container-image                        │
│ Project                   │ myproject                                    │
│ Version                   │ none                                         │
│ Contract                  │ myproject-build-container-image (revision 2) │
│ Timestamp Authority       │ http://timestamp.digicert.com                │
│ Policy violation strategy │ ADVISORY                                     │
└───────────────────────────┴──────────────────────────────────────────────┘
┌───────────────────────────────────┐
│ Materials                         │
├──────────┬────────────────────────┤
│ Name     │ container              │
│ Type     │ CONTAINER_IMAGE        │
│ Set      │ No                     │
│ Required │ Yes                    │
├──────────┼────────────────────────┤
│ Name     │ sbom                   │
│ Type     │ SBOM_CYCLONEDX_JSON    │
│ Set      │ No                     │
│ Required │ Yes                    │
├──────────┼────────────────────────┤
│ Name     │ vulnerabilities-report │
│ Type     │ SARIF                  │
│ Set      │ No                     │
│ Required │ Yes                    │
└──────────┴────────────────────────┘
```

<Tip>
  Alternatively, you can create the contract on the fly during the attestation process. To do so, pass a reference to a remote or local YAML file containing the contract definition:

  ```bash theme={"dark"}
  chainloop att init --workflow build-container-image --project myproject --replace --contract https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/contract-only-materials.yaml
  ```
</Tip>

## Adding materials and pushing the attestation

Note that the `attestation init` command output this time includes a section indicating that a `CONTAINER_IMAGE` is required, alongside `SBOM_CYCLONEDX_JSON` and `SARIF`.

What would happen if we try to push without adding any material?

```bash theme={"dark"}
chainloop att push
ERR some materials have not been crafted yet: container, sbom, vulnerabilities-report
```
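To make the contract semantics from the "Update the contract" section and the failed push above concrete, here is an added Go example (not Chainloop's own code) that models the three-material contract from this page and enforces it the way the CLI does: `att add --name` only accepts names the contract defines and runs a minimal format check for the material type, and a push is refused with the same `some materials have not been crafted yet` message while required materials are missing. The `Optional` field mirrors the contract schema's optional flag (every material on this page is required), the `SampleSBOM` and `SampleSARIF` documents are constructed inline, and the format checks are deliberately shallow assumptions, not the validators Chainloop itself applies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Material types used by the contract on this page.
const (
	TypeContainerImage = "CONTAINER_IMAGE"
	TypeSBOMCycloneDX  = "SBOM_CYCLONEDX_JSON"
	TypeSARIF          = "SARIF"
)

// ContractMaterial mirrors one entry of spec.materials in the contract.
type ContractMaterial struct {
	Name     string
	Type     string
	Optional bool // contract schema's optional flag; false for every material on this page
}

// Contract is the subset of the contract schema this example needs.
type Contract struct {
	Name      string
	Materials []ContractMaterial
}

// Crafted is a material that has been added to the attestation with `att add`.
type Crafted struct {
	Name    string
	Type    string
	Content []byte // evidence bytes, or the image reference for CONTAINER_IMAGE
}

// QuickstartContract returns the contract defined in the "Update the contract" step.
func QuickstartContract() Contract {
	return Contract{Name: "myproject-build-container-image", Materials: []ContractMaterial{
		{Name: "container", Type: TypeContainerImage},
		{Name: "sbom", Type: TypeSBOMCycloneDX},
		{Name: "vulnerabilities-report", Type: TypeSARIF},
	}}
}

// Constructed sample evidence (not the files referenced on this page).
var (
	SampleSBOM  = []byte(`{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}`)
	SampleSARIF = []byte(`{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"grype"}}}]}`)
)

// ValidateContent performs a shallow format check for the material type (an assumption of this example).
func ValidateContent(m Crafted) error {
	switch m.Type {
	case TypeContainerImage:
		ref := strings.TrimSpace(string(m.Content))
		if ref == "" || strings.ContainsAny(ref, " \t") {
			return fmt.Errorf("%s: invalid image reference", m.Name)
		}
	case TypeSBOMCycloneDX:
		var doc struct {
			BomFormat string `json:"bomFormat"`
		}
		if err := json.Unmarshal(m.Content, &doc); err != nil || doc.BomFormat != "CycloneDX" {
			return fmt.Errorf("%s: not a CycloneDX JSON document", m.Name)
		}
	case TypeSARIF:
		var doc struct {
			Version string            `json:"version"`
			Runs    []json.RawMessage `json:"runs"`
		}
		if err := json.Unmarshal(m.Content, &doc); err != nil || doc.Version == "" || doc.Runs == nil {
			return fmt.Errorf("%s: not a SARIF document", m.Name)
		}
	default:
		return fmt.Errorf("%s: unsupported material type %q", m.Name, m.Type)
	}
	return nil
}

// AddMaterial behaves like `att add --name`: the name must exist in the contract and the
// content must pass the type check before it is recorded as crafted.
func AddMaterial(c Contract, crafted map[string]Crafted, name string, content []byte) error {
	for _, m := range c.Materials {
		if m.Name != name {
			continue
		}
		cm := Crafted{Name: name, Type: m.Type, Content: content}
		if err := ValidateContent(cm); err != nil {
			return err
		}
		crafted[name] = cm
		return nil
	}
	return fmt.Errorf("material %q is not defined in contract %s", name, c.Name)
}

// MissingRequired lists required materials not yet crafted, in contract order.
func MissingRequired(c Contract, crafted map[string]Crafted) []string {
	var missing []string
	for _, m := range c.Materials {
		if _, ok := crafted[m.Name]; !ok && !m.Optional {
			missing = append(missing, m.Name)
		}
	}
	return missing
}

// PushError is the pre-push gate: nil when the contract is satisfied, otherwise the CLI-style error.
func PushError(c Contract, crafted map[string]Crafted) error {
	if missing := MissingRequired(c, crafted); len(missing) > 0 {
		return fmt.Errorf("some materials have not been crafted yet: %s", strings.Join(missing, ", "))
	}
	return nil
}

func main() {
	c := QuickstartContract()
	crafted := map[string]Crafted{}
	fmt.Println("push before adding anything:", PushError(c, crafted))
	_ = AddMaterial(c, crafted, "container", []byte("ghcr.io/chainloop-dev/chainloop/control-plane"))
	_ = AddMaterial(c, crafted, "sbom", SampleSBOM)
	_ = AddMaterial(c, crafted, "vulnerabilities-report", SampleSARIF)
	fmt.Println("push after adding all three:", PushError(c, crafted))
}
```

Running it reproduces the sequence on this page: the first push fails naming all three materials, a SARIF document offered under `--name sbom` is rejected by the type check, and once the three contract names are crafted the push gate returns nil.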

We can see that Chainloop expects us, according to the contract, to provide the three materials it names: the container image reference, its SBOM and the vulnerability report. Let's add them:

```bash theme={"dark"}
chainloop att add --name container --value ghcr.io/chainloop-dev/chainloop/control-plane
```

<Accordion title="Command Output">
  ```bash theme={"dark"}
  INF material added to attestation
  ┌──────────┬─────────────────────────────────────────────────────────────────────────┐
  │ Name     │ container                                                               │
  ├──────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Type     │ CONTAINER_IMAGE                                                         │
  ├──────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Required │ Yes                                                                     │
  ├──────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Value    │ ghcr.io/chainloop-dev/chainloop/control-plane:latest                    │
  ├──────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Digest   │ sha256:1872ea6f4758de022e127de8b8062db2937195e2ebb30fef6af2271b156f5cd7 │
  └──────────┴─────────────────────────────────────────────────────────────────────────┘
  ```
</Accordion>

<Note>
  Note that we have specified `--name container`, since that's the material name that the contract expects. You can learn more about the adding materials process in the [Adding Materials](/concepts/attestations#attestation-add) section.
</Note>

Now the Software Bill of Materials:

```bash theme={"dark"}
chainloop att add --name sbom --value https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/sbom.json
```

<Accordion title="Command Output">
  ```bash theme={"dark"}
  ┌──────────┬─────────────────────────────────────────────────────────────────────────┐
  │ Name     │ sbom                                                                    │
  ├──────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Type     │ SBOM_CYCLONEDX_JSON                                                     │
  ├──────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Required │ No                                                                      │
  ├──────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Value    │ sbom.json                                                               │
  ├──────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Digest   │ sha256:f2888d10bcd93dc58431049a13acac1bc402231fb066e9e58fd986d91dec05f1 │
  └──────────┴─────────────────────────────────────────────────────────────────────────┘
  ```
</Accordion>

And finally, a vulnerability report created by grype in SARIF format:

```bash theme={"dark"}
chainloop att add --name vulnerabilities-report --value https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/vulnerability-report.json
```

<Accordion title="Command Output">
  ```bash theme={"dark"}
  ┌─────────────┬─────────────────────────────────────────────────────────────────────────┐
  │ Name        │ vulnerabilities-report                                                  │
  ├─────────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Type        │ SARIF                                                                   │
  ├─────────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Required    │ Yes                                                                     │
  ├─────────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Value       │ vulnerability-report.json                                               │
  ├─────────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Digest      │ sha256:ae9eda73fb0637921f052d65b719772a580eb8fd68c1bd6130ccdb67200e6c7a │
  ├─────────────┼─────────────────────────────────────────────────────────────────────────┤
  │ Annotations │ ------                                                                  │
  ├─────────────┼─────────────────────────────────────────────────────────────────────────┤
  │             │ chainloop.material.tool.name: grype                                     │
  ├─────────────┼─────────────────────────────────────────────────────────────────────────┤
  │             │ chainloop.material.tool.version: 0.87.0                                 │
  └─────────────┴─────────────────────────────────────────────────────────────────────────┘
  ```
</Accordion>

And now we can push the attestation:

```bash theme={"dark"}
chainloop att push
```

<Tabs>
  <Tab title="Web UI">
    As before, we can see the details of our attestation in [Chainloop Platform](https://app.chainloop.dev/workflow-runs):

    <img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/get-started/img/adding-contract-2.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=d6abd5c80596e140dbb43565d87e15f0" alt="info" width="1068" height="815" data-path="get-started/img/adding-contract-2.png" />
  </Tab>

  <Tab title="CLI">
    ```bash theme={"dark"}
    chainloop workflow run describe --id [my-wf-run-id]
    ```
  </Tab>
</Tabs>

We have successfully created an attestation that matches the contract's expectations.

## Next steps

In the next step, we'll learn how to run additional policies on the provided metadata.
