Quickstart
This quickstart will guide you through the process of installing the Chainloop CLI and performing your first attestation.
By default, the Chainloop CLI comes pre-configured to talk to Chainloop's platform instance, which is currently on early access. To get an account, please request access here, and we'll get back to you shortly.
Alternatively, you can run your instance of Chainloop through our labs docker-compose setup or in Kubernetes following this guide.
-
Install CLI by running:
curl -sfL https://docs.chainloop.dev/install.sh | bash -s
Refer to these instructions for more installation options.
-
Authenticate to the Control Plane:
chainloop auth login
Once logged in, your next step would be to create a Chainloop organization. Think of organizations as workspaces or namespaces. To create an organization with a random suffix, run:
chainloop organization create --name quickstart-$((RANDOM % 90000 + 10000))
# INF Organization "quickstart-10122" created! -
Create API Token to perform the attestation process:
To perform an attestation process, you need to provide an API Token:
export CHAINLOOP_TOKEN=$(chainloop org api-token create --name test-api-token -o token)
Chainloop API Tokens are commonly used (and required) in CI/CD scenarios. Tokens have narrower permissions, ensuring that they can only perform the operations they are granted to. More information in API Tokens.
-
Perform an attestation process:
We are now ready to perform our first attestation, to learn more about its lifecyle refer to this section
We'll start with the initialization of an attestation. The attestation process requires the name of a workflow and a project to be associated with it.
Chainloop workflows represent any CI or process you might want to attest. Check this doc for a complete explanation of Workflows and Contracts. You might also want to check our contract reference.
We can check what kind materials the contract expects by checking the output of
attestation init
command:chainloop att init --workflow mywf --project myproject --contract https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/quickstart-contract.yaml
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────────────┬──────────────────────────────────────────────────────────────────────────────────┐
│ Initialized At │ 27 Feb 25 13:26 UTC │
├───────────────────────────┼─────── ───────────────────────────────────────────────────────────────────────────┤
│ Attestation ID │ 64ae145e-5424-4f67-8dee-ae42dccfb6e4 │
│ Organization │ quickstart-10122 │
│ Name │ mywf │
│ Project │ myproject │
│ Version │ v0.175.0 (prerelease) │
│ Contract │ quickstart-contract (revision 1) │
│ Policy violation strategy │ ADVISORY │
│ Policies │ ------ │
│ │ containers-with-sbom: skipped - there are no container images in the attestation │
│ │ sbom-present: missing SBOM material │
└───────────────────────────┴──────────────────────────────────────────────────────────────────────────────────┘
┌───────────────────────────────────┐
│ Materials │
├──────────┬────────────────────────┤
│ Name │ container │