> ## Documentation Index
> Fetch the complete documentation index at: https://docs.chainloop.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Quickstart

This quickstart will guide you through performing your first attestation.

An [attestation](/concepts/attestations) is a **signed and verifiable unit of data** sent to Chainloop. It can capture metadata about any artifact or process in your Software Delivery Lifecycle. From references to source code, a reference to an artifact, a Software Bill of Materials, a Vulnerability Scan results, environment details, and [more](/concepts/material-types).

## Install the Chainloop CLI

<Warning>
  This guide assumes that you have access to a [Chainloop Cloud](https://app.chainloop.dev/) account or to your own Chainloop instance of Chainloop. If you don't, please [contact us](https://app.chainloop.dev/request-access), and we'll get back to you shortly.
</Warning>

Typically attestations are created by CI/CD pipelines, but in our quickstart we'll do it locally using the Chainloop CLI.

```bash theme={"dark"}
curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s
```

<Tip>
  Refer to [these instructions](/get-started/setup#install-the-chainloop-command-line-interface-cli) for more installation methods.
</Tip>

Authenticate to the Control Plane:

```bash theme={"dark"}
chainloop auth login
```

## Perform an attestation

We are now ready to perform our first attestation. In a nutshell, an attestation process has three steps: initialization, adding evidence, and storage. See [lifecycle](/concepts/attestations#attestation-lifecycle) for more details.

#### Initialization

We'll start with the [initialization](/concepts/attestations#attestation-init) of an attestation. The command requires the name of a [workflow](/concepts/workflows), a [project](/concepts/projects-versions) and optionally a [contract](/concepts/contracts).
Copy the command that suits your environment:

<Tabs>
  <Tab title="Chainloop Platform">
    ```bash theme={"dark"}
    chainloop att init \
      --workflow mywf \
      --project myproject \
      --contract https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/quickstart-contract.yaml
    ```
  </Tab>

  <Tab title="Chainloop OSS">
    ```bash theme={"dark"}
    chainloop att init \
      --workflow mywf \
      --project myproject \
      --contract https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/quickstart-contract-oss.yaml
    ```
  </Tab>
</Tabs>

<img src="https://mintcdn.com/chainloop/xJ5hNAgMrS6U1u_m/img/quickstart-1.png?fit=max&auto=format&n=xJ5hNAgMrS6U1u_m&q=85&s=4cf911b7ba4e508387d151133ea182af" alt="attestation init" width="915" height="651" data-path="img/quickstart-1.png" />

We can see that the command output tell us that we should provide three materials, a container image, an SBOM, and a vulnerability report. These requirements are part of the [contract](/concepts/contracts) that we attached during the initialization.

#### Add Pieces of Evidence

Once attestation is initialized, we can start adding materials to it. In this case, we are attesting the latest version of the Chainloop's control-plane image as an example.

<Tip>
  For a complete list of supported material types, see the [material types](/concepts/material-types) reference.
</Tip>

```bash theme={"dark"}
chainloop att add --name container --value ghcr.io/chainloop-dev/chainloop/control-plane
```

Next we'll attest a Software Bill Of Materials (SBOM), note that we are pointing to a remote file location, a local filepath would work too.

```bash theme={"dark"}
chainloop att add --name sbom --value https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/sbom.json
```

As you can see in the output below, the CLI has automatically 1) validated the SBOM format, 2) uploaded the file to the [content addressable storage](/concepts/cas-backend) and 3) run a set of [policies](/concepts/policies).

<img src="https://mintcdn.com/chainloop/xJ5hNAgMrS6U1u_m/img/quickstart-2.png?fit=max&auto=format&n=xJ5hNAgMrS6U1u_m&q=85&s=25982cc4ebf2d7793808422d4e6066ac" alt="attestation add sbom" width="1074" height="510" data-path="img/quickstart-2.png" />

And finally, we'll add the vulnerability report:

```bash theme={"dark"}
chainloop att add --name vulnerabilities-report --value https://raw.githubusercontent.com/chainloop-dev/chainloop/refs/heads/main/docs/examples/quickstart/vulnerability-report.json
```

#### Sign and Store

Once we've gathered all the pieces of evidence, we can [push the attestation](concepts/attestations#attestation-push) for permanent storage.

```bash theme={"dark"}
chainloop att push
```

Transparently, Chainloop has [signed](/reference/signing) and stored the attestation.

You can now use either the CLI or the web UI to inspect the attestation, verify the signature, and learn more about the data.

<Tabs>
  <Tab title="Web UI">
    You can find your attestation in the [workflows](https://app.chainloop.dev/workflows) section.

    <img src="https://mintcdn.com/chainloop/xJ5hNAgMrS6U1u_m/img/quickstart-3.png?fit=max&auto=format&n=xJ5hNAgMrS6U1u_m&q=85&s=d37afa49028f200208c3c3e9e8b4e8a8" alt="" width="2332" height="1444" data-path="img/quickstart-3.png" />
  </Tab>

  <Tab title="CLI">
    ```bash theme={"dark"}
    # List workflow runs (attestations)
    chainloop workflow run ls
    # Get information about a specific run
    chainloop workflow run describe --id [runID]
    # Get the raw output of an attestation
    chainloop workflow run get --id [runID] --output attestation
    ```
  </Tab>
</Tabs>

Great! You've completed this guide. Now you are ready to dive deeper into our [Getting Started](/get-started) guide.

Good luck, and have fun with Chainloop! 🚀