This quickstart will guide you through performing your first attestation.
An attestation is a signed and verifiable unit of data sent to Chainloop. It can capture metadata about any artifact or process in your Software Delivery Lifecycle: references to source code, a reference to a built artifact, a Software Bill of Materials, vulnerability scan results, environment details, and more.
Install the Chainloop CLI
This guide assumes that you have access to a Chainloop Cloud account or to your own Chainloop instance. If you don’t, please contact us, and we’ll get back to you shortly.
Typically attestations are created by CI/CD pipelines, but in our quickstart we’ll do it locally using the Chainloop CLI.
Refer to these instructions for more installation methods.
Authenticate to the Control Plane:
Perform an attestation
We are now ready to perform our first attestation. In a nutshell, an attestation process has three steps: initialization, adding evidence, and storage. See lifecycle for more details.
Initialization
We’ll start with the initialization of an attestation. The command requires the name of a workflow, a project and optionally a contract.
The command output tells us that we should provide three materials: a container image, an SBOM, and a vulnerability report. These requirements come from the contract that we attached during initialization.
Add Pieces of Evidence
Once the attestation is initialized, we can start adding materials to it. In this case, we are attesting the latest version of Chainloop’s control-plane image as an example.
For a complete list of supported material types, see the material types reference.
Next we’ll attest a Software Bill of Materials (SBOM). Note that we are pointing to a remote file location; a local file path would work too.
As you can see in the output below, the CLI has automatically 1) validated the SBOM format, 2) uploaded the file to the content addressable storage and 3) run a set of policies.
And finally, we’ll add the vulnerability report:
Sign and Store
Once we’ve gathered all the pieces of evidence, we can push the attestation for permanent storage.
Behind the scenes, Chainloop has signed the attestation and stored it.
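The three steps above (initialization, adding evidence, sign and push) are what a CI job ends up scripting. The script below is an added example and not Chainloop’s own code; the `chainloop attestation init|add|push|reset` subcommands and their `--workflow`, `--project`, `--contract`, `--kind`, `--value` and `--trigger` flags are used as documented for the Chainloop CLI, but check `chainloop attestation --help` for your version. The workflow, project and contract names, the image reference, the file paths, the material kind identifiers and the `CHAINLOOP_TOKEN` variable are assumptions for illustration. When the CLI is not installed, the script prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# attest.sh: the init / add evidence / push procedure from this guide, wrapped
# for a CI job. Added example, not Chainloop's own code.
set -eu

# Placeholder names; the image, contract path and file names are assumptions.
CL_WORKFLOW="${CL_WORKFLOW:-build-and-test}"
CL_PROJECT="${CL_PROJECT:-core}"
CL_CONTRACT="${CL_CONTRACT:-contracts/quickstart.yaml}"
CL_IMAGE="${CL_IMAGE:-ghcr.io/chainloop-dev/chainloop/control-plane:latest}"
CL_SBOM="${CL_SBOM:-sbom.cdx.json}"
CL_VULN_REPORT="${CL_VULN_REPORT:-vulns.sarif}"

# Dry-run automatically when the CLI is not on PATH, so the script can be read
# and exercised anywhere; set DRY_RUN=1 to force it.
if ! command -v chainloop >/dev/null 2>&1; then DRY_RUN=1; fi
DRY_RUN="${DRY_RUN:-0}"

# run: execute a chainloop subcommand, or print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'DRY-RUN: chainloop %s\n' "$*"
  else
    chainloop "$@"
  fi
}

# require_auth: a CI job authenticates with an API token in CHAINLOOP_TOKEN
# (assumed variable name) instead of the interactive `chainloop auth login`.
require_auth() {
  if [ "$DRY_RUN" = 1 ]; then return 0; fi
  [ -n "${CHAINLOOP_TOKEN:-}" ] || { echo "CHAINLOOP_TOKEN is not set" >&2; return 1; }
}

# attest_init: step 1, start an attestation bound to a workflow, project and contract.
attest_init() {
  run attestation init --workflow "$CL_WORKFLOW" --project "$CL_PROJECT" --contract "$CL_CONTRACT"
}

# attest_add: step 2, add one piece of evidence. The CLI can auto-detect the
# material type, but pinning --kind fails fast when a build emits the wrong format.
attest_add() {
  kind="$1"
  value="$2"
  run attestation add --kind "$kind" --value "$value"
}

# attest_push: step 3, sign the attestation and store it.
attest_push() {
  run attestation push
}

# attest_reset: abandon the in-progress attestation when a later step fails, so
# the control plane records a failed run instead of a dangling initialized one.
attest_reset() {
  run attestation reset --trigger failure
}

# main: run the three steps; any failure after init resets the attestation.
# Material kind identifiers are assumptions; check the material types reference.
main() {
  require_auth
  attest_init
  if ! { attest_add CONTAINER_IMAGE "$CL_IMAGE" \
      && attest_add SBOM_CYCLONEDX_JSON "$CL_SBOM" \
      && attest_add SARIF "$CL_VULN_REPORT" \
      && attest_push; }; then
    attest_reset
    return 1
  fi
}

main
```

Running `CHAINLOOP_TOKEN=... sh attest.sh` on a machine with the CLI installed performs the real three steps; anywhere else it prints the exact commands it would run, which is a convenient way to review a pipeline change before merging it.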
You can now use either the CLI or the web UI to inspect the attestation, verify the signature, and learn more about the data.
You can find your attestation in the workflows section.
Great! You’ve completed this guide. Now you are ready to dive deeper into our Getting Started guide.
Good luck, and have fun with Chainloop! 🚀