# Set policy expectations

In the previous step, we created a contract that set the expectation that a container image, an SBOM and a vulnerability report are provided. Our Compliance team now wants to verify that those materials comply with the company's security and compliance criteria.

We introduce [Policies](/concepts/policies), which are rules evaluated against individual materials and/or the whole attestation document. Policies can be grouped into [Policy Groups](/concepts/policy-groups) so that a set of policies can be attached to a workflow contract at once.

## Attaching policies to the contract

<Tabs>
  <Tab title="Web UI">
    As we did before, let's ["Update our contract"](https://app.chainloop.dev/contracts/myproject-build-container-image/update), but this time the contract will contain policies and policy groups.

    <img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/get-started/img/adding-policies-1.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=a6ec7397b5bd8b560831b486034a489f" alt="info" width="961" height="715" data-path="get-started/img/adding-policies-1.png" />

    ```yaml theme={"dark"}
    apiVersion: chainloop.dev/v1
    kind: Contract
    metadata:
      name: myproject-build-container-image
    spec:
      materials:
        - name: container
          type: CONTAINER_IMAGE
        - name: sbom
          type: SBOM_CYCLONEDX_JSON
        - name: vulnerabilities-report
          type: SARIF
      # We can attach policies from the provided library of policies https://app.chainloop.dev/policies
      # or custom ones as explained here https://docs.chainloop.dev/concepts/policies
      policies:
        materials:
          # artifact-signed checks that all OCI artifacts such as Container Images and Charts are signed
          - ref: artifact-signed
          # Make sure we are not using latest in the container image
          - ref: artifact-tag-not-latest
      # alternatively to policies you can apply policy groups
      # https://docs.chainloop.dev/concepts/policy-groups#policy-groups
      policyGroups:
        - ref: slsa-checks
        - ref: vulnerability-management
        - ref: sbom-quality
          with:
            bannedComponents: log4j@2.14.1
            bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
    ```
  </Tab>

  <Tab title="CLI">
    ```bash theme={"dark"}
    chainloop wf contract update --contract https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/contract-with-policies.yaml
    ```
  </Tab>

  <Tab title="Chainloop OSS">
    Use this command to create a contract from a remote location:

    ```bash theme={"dark"}
    chainloop wf contract create --contract https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/contract-with-policies-oss.yaml
    ```
  </Tab>
</Tabs>

In this contract, we added two [policies](/concepts/policies) and three [policy groups](/concepts/policy-groups).

* `artifact-signed` checks that all OCI artifacts (container images and Helm charts) are properly signed with Cosign or Notary
* `artifact-tag-not-latest` checks that the container image is not using the `latest` tag
* `slsa-checks` is a policy group that verifies the attestation is compliant with the SLSA framework
* `vulnerability-management` is a policy group that verifies the attestation complies with the vulnerability management policy
* `sbom-quality` is a policy group that verifies the SBOM meets the SBOM quality policy; in this contract it is parameterized through `with` to reject the banned component `log4j@2.14.1` and any of the listed AGPL licenses

Chainloop comes with a set of built-in policies and policy groups; you can see them all in the ["Policies library"](https://app.chainloop.dev/policies).
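
As an added illustration (not Chainloop's own policy code, which runs inside the platform), the following shows the kind of check that the `artifact-tag-not-latest` policy and the `sbom-quality` group's `bannedComponents`/`bannedLicenses` parameters express, run over a constructed CycloneDX fragment rather than the quickstart's `sbom.json`:

```python
import json

# Parameters as given in the contract's `with:` block (comma-separated strings).
BANNED_COMPONENTS = "log4j@2.14.1"
BANNED_LICENSES = "AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later"

# Constructed CycloneDX 1.5 fragment for the demo; not the quickstart's sbom.json.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "log4j", "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "ghostscript", "version": "10.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"name": "zlib", "version": "1.3", "licenses": [{"license": {"id": "Zlib"}}]}
  ]
}""")

def parse_list(value: str) -> set[str]:
    """Split a comma-separated `with:` value into a set of trimmed entries."""
    return {item.strip() for item in value.split(",") if item.strip()}

def tag_is_latest(image_ref: str) -> bool:
    """Intent of artifact-tag-not-latest: an explicit `latest` tag, or no tag at all
    without a digest (which OCI tooling resolves to `latest`), is a violation."""
    has_digest = "@" in image_ref
    name = image_ref.split("@", 1)[0]
    last = name.rsplit("/", 1)[-1]  # only the last path segment carries a tag; hosts may have a port
    if ":" in last:
        return last.split(":", 1)[1] == "latest"
    return not has_digest

def sbom_violations(sbom: dict, banned_components: set[str], banned_licenses: set[str]) -> list[str]:
    """Intent of the sbom-quality parameters: banned name@version pairs and banned SPDX license ids."""
    violations = []
    for comp in sbom.get("components", []):
        name_version = f"{comp.get('name')}@{comp.get('version')}"
        if name_version in banned_components:
            violations.append(f"banned component {name_version}")
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {}).get("id") or entry.get("expression")
            if lic in banned_licenses:
                violations.append(f"component {comp.get('name')} uses banned license {lic}")
    return violations

def evaluate_sample() -> list[str]:
    """Run the SBOM checks with the contract's parameters over the constructed SBOM."""
    return sbom_violations(SAMPLE_SBOM, parse_list(BANNED_COMPONENTS), parse_list(BANNED_LICENSES))

if __name__ == "__main__":
    print("untagged image uses latest:", tag_is_latest("ghcr.io/chainloop-dev/chainloop/control-plane"))
    print("violations:", evaluate_sample())
```

The untagged `control-plane` reference used later in this guide is exactly why the `latest` policy fails in the walkthrough below.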

<img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/get-started/img/adding-policies-2.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=8b0a2c20509fedabe22c76f695a09e4d" alt="info" width="2960" height="1966" data-path="get-started/img/adding-policies-2.png" />

<Tip>
  You can also create custom policies tailored to your needs. For more information about authoring policies, see this [guide](/guides/custom-policies).
</Tip>

## Evaluating policies

Let's create an attestation and add our materials to see how policies are evaluated:

<Steps>
  <Step title="Initialize an attestation">
    ```bash theme={"dark"}
    chainloop att init --workflow build-container-image --project myproject --replace
    ```
  </Step>

  <Step title="Add the container image">
    ```bash theme={"dark"}
    chainloop att add --name container --value ghcr.io/chainloop-dev/chainloop/control-plane
    ```

    You'll notice that Chainloop evaluates the relevant policies automatically as soon as the container image material is added.
  </Step>

  <Step title="Add the SBOM">
    ```bash theme={"dark"}
    chainloop att add --name sbom --value https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/sbom.json
    ```
  </Step>

  <Step title="Add the vulnerability report">
    ```bash theme={"dark"}
    chainloop att add --name vulnerabilities-report --value https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/vulnerability-report.json
    ```
  </Step>

  <Step title="Push the attestation">
    ```bash theme={"dark"}
    chainloop att push
    ```

    <img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/get-started/img/adding-policies-push.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=6f0649e88305299e6511dbcfc32e9900" alt="info" width="1127" height="1003" data-path="get-started/img/adding-policies-push.png" />
  </Step>
</Steps>

We can see in the output that the policies have been evaluated and the only ones failing are:

* the ones related to the build-environment, since we are running the attestation process locally.
* the one that checks the container image is not using the `latest` tag.

You can give it a try and attach an old SBOM or a vulnerability report that contains vulnerabilities to see how the policies are evaluated and fail.

## Inspecting policy evaluations

Now, the Chainloop platform gives us more insights into the status of the attestation. If we go to the [workflow run](https://app.chainloop.dev/workflow-runs) view, besides the usual attestation and material information, we can now see the result of those policy evaluations.

<img src="https://mintcdn.com/chainloop/4m_Z_ZeRnSV7jb7V/get-started/img/adding-policies-3.png?fit=max&auto=format&n=4m_Z_ZeRnSV7jb7V&q=85&s=49e3c77d52a8945802a4a55f047f1873" alt="info" width="1805" height="1324" data-path="get-started/img/adding-policies-3.png" />
