Quickstart
This quickstart will guide you through the process of installing the Chainloop CLI and performing your first attestation.
-
Install CLI by running:
curl -sfL https://docs.chainloop.dev/install.sh | bash -s
Refer to these instructions for more installation options.
-
Authenticate to the Control Plane:
chainloop auth login
Once logged in and will have access to any operation with the controlplane, like for example inspecting your organization
chainloop organization describe
-
Create API Token to perform the attestation process:
To perform an attestation process, you need to provide an API Token:
export CHAINLOOP_TOKEN=$(chainloop org api-token create --name test-api-token -o token)
Chainloop API Tokens are commonly used (and required) in CI/CD scenarios. Tokens have narrower permissions, ensuring that they can only perform the operations they are granted to. More information in API Tokens.
-
Perform an attestation process:
We are now ready to perform our first attestation, to learn more about its lifecyle refer to this section
We'll start with the initialization of an attestation. The attestation process requires the name of a workflow and a project to be associated with it.
Chainloop workflows represent any CI or process you might want to attest. Check this doc for a complete explanation of Workflows and Contracts. You might also want to check our contract reference.
chainloop att init --workflow mywf --project myproject
Once attestation is initiated, we can start adding materials to it. In this case we are adding an OCI container image. Many other material types are supported, check the updated the list
chainloop att add --value ghcr.io/chainloop-dev/chainloop/control-plane:latest
We just attested the latest version of the control-plane image as an example, remember that you can provide any material you want to attest by pointing to a local filepath too, like for example
chainloop att add --value my-sbom.json
infoThe piece of evidence kind were automatically detected, learn more about auto-discover here.
And finally we sign and push the attestation to Chainloop for permanent preservation.
chainloop att push
-
Operate on your data:
At this point, we've performed our first attestation, now we can just play with the Chainloop CLI to inspect the attestation, verify it and so on.
For example, to list the workflows you can run:
# List workflow runs, so then you can do `workflow run describe --name <workflow-name>` to get more details
chainloop workflow run lsfor a complete list of available options and operations refer to
chainloop --help
Great! You've successfully completed this guide. Now you are ready to dive deeper into our Getting Started guide
Good luck and have fun with Chainloop! 🚀