This quickstart will guide you through performing your first attestation.

An attestation is a signed and verifiable unit of data sent to Chainloop. It can capture metadata about any artifact or process in your Software Delivery Lifecycle: a reference to source code or to a built artifact, a Software Bill of Materials (SBOM), vulnerability scan results, environment details, and more.

Install the Chainloop CLI

This guide assumes that you have access to a Chainloop Cloud account or to your own Chainloop instance. If you don’t, please contact us, and we’ll get back to you shortly.

Typically attestations are created by CI/CD pipelines, but in our quickstart we’ll do it locally using the Chainloop CLI.

curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s

Refer to these instructions for more installation methods.

Authenticate to the Control Plane:

chainloop auth login

Perform an attestation

We are now ready to perform our first attestation. In a nutshell, an attestation process has three steps: initialization, adding evidence, and storage. See lifecycle for more details.

Initialization

We’ll start with the initialization of an attestation. The command requires a workflow name and a project name, and optionally a contract.

chainloop att init \
  --workflow mywf \
  --project myproject \
  --contract https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/quickstart-contract.yaml

The command output tells us that we should provide three materials: a container image, an SBOM, and a vulnerability report. These requirements come from the contract that we attached during initialization.

Add Pieces of Evidence

Once the attestation is initialized, we can start adding materials to it. As an example, we will attest the latest version of Chainloop’s control-plane container image.

For a complete list of supported material types, see the material types reference.

chainloop att add --name container --value ghcr.io/chainloop-dev/chainloop/control-plane

Next we’ll attest a Software Bill of Materials (SBOM). Note that we are pointing to a remote file location; a local file path would work too.

chainloop att add --name sbom --value https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/sbom.json

As the CLI output shows, the CLI has automatically 1) validated the SBOM format, 2) uploaded the file to the content-addressable storage and 3) run a set of policies.

And finally, we’ll add the vulnerability report:

chainloop att add --name vulnerabilities-report --value https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/vulnerability-report.json

Sign and Store

Once we’ve gathered all the pieces of evidence, we can push the attestation for permanent storage.

chainloop att push

Behind the scenes, Chainloop has signed and stored the attestation.
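The three steps above chained into one script, as an added example that is not part of the Chainloop docs: it runs the init, add and push lifecycle and, if any piece of evidence is rejected, discards the attestation instead of pushing it. It assumes the CLI is installed and you have run `chainloop auth login`; using `chainloop att reset` to discard an in-progress attestation is an assumption not covered by this page.

```shell
#!/bin/sh
# Added example (not from the Chainloop docs): the quickstart's init -> add -> push
# lifecycle as one CI-style script. Assumes the chainloop CLI is installed and
# `chainloop auth login` has been done.
set -eu

WORKFLOW="${WORKFLOW:-mywf}"
PROJECT="${PROJECT:-myproject}"
CONTRACT="${CONTRACT:-https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/quickstart-contract.yaml}"

# The three materials required by the quickstart contract, as name=value pairs.
MATERIALS="container=ghcr.io/chainloop-dev/chainloop/control-plane \
sbom=https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/sbom.json \
vulnerabilities-report=https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/vulnerability-report.json"

FAILED_STEP=""

# Runs the whole lifecycle. Returns 0 only if init, every add and the push
# succeeded; otherwise FAILED_STEP names the step that failed and nothing is
# pushed, so a partial or policy-violating attestation is never stored.
run_attestation() {
    FAILED_STEP=""
    chainloop att init --workflow "$WORKFLOW" --project "$PROJECT" --contract "$CONTRACT" \
        || { FAILED_STEP="init"; return 1; }
    for m in $MATERIALS; do
        name=${m%%=*}
        value=${m#*=}
        if ! chainloop att add --name "$name" --value "$value"; then
            # The CLI rejected the evidence (bad format, upload error or a
            # failing policy). Discard the in-progress attestation rather than
            # push it. Assumption: `chainloop att reset` discards it.
            FAILED_STEP="add:$name"
            chainloop att reset || true
            return 1
        fi
    done
    chainloop att push || { FAILED_STEP="push"; return 1; }
}

# Usage: sh attest.sh run
if [ "${1:-}" = "run" ]; then
    run_attestation
fi
```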

You can now use either the CLI or the web UI to inspect the attestation, verify the signature, and learn more about the data.

You can find your attestation in the workflows section.

Great! You’ve completed this guide. Now you are ready to dive deeper into our Getting Started guide.

Good luck, and have fun with Chainloop! 🚀