Skip to main content
This quickstart will guide you through performing your first attestation. An attestation is a signed and verifiable unit of data sent to Chainloop. It can capture metadata about any artifact or process in your Software Delivery Lifecycle. From references to source code, a reference to an artifact, a Software Bill of Materials, a Vulnerability Scan results, environment details, and more.

Install the Chainloop CLI

This guide assumes that you have access to a Chainloop Cloud account or to your own self-hosted Chainloop instance. If you don’t, please contact us, and we’ll get back to you shortly.
Typically attestations are created by CI/CD pipelines, but in our quickstart we’ll do it locally using the Chainloop CLI.
The install script comes pre-configured for Chainloop Cloud.
you can install a specific version with
and customize the install path (defaults to /usr/local/bin)
To install without sudo, provide a user-accessible path:
if cosign is present in your system, in addition to the checksum check, a signature verification will be performed. This behavior can be enforced via the —force-verification flag.
To install the open-source edition instead:
Authenticate to the Control Plane:

Perform an attestation

We are now ready to perform our first attestation. In a nutshell, an attestation process has three steps: initialization, adding evidence, and storage. See lifecycle for more details.

Initialization

We’ll start with the initialization of an attestation. The command requires the name of a workflow, a project and optionally a contract. Copy the command that suits your environment:
attestation init We can see that the command output tell us that we should provide three materials, a container image, an SBOM, and a vulnerability report. These requirements are part of the contract that we attached during the initialization.

Add Pieces of Evidence

Once attestation is initialized, we can start adding materials to it. In this case, we are attesting the latest version of the Chainloop’s control-plane image as an example.
For a complete list of supported material types, see the material types reference.
Next we’ll attest a Software Bill Of Materials (SBOM), note that we are pointing to a remote file location, a local filepath would work too.
As you can see in the output below, the CLI has automatically 1) validated the SBOM format, 2) uploaded the file to the content addressable storage and 3) run a set of policies. attestation add sbom And finally, we’ll add the vulnerability report:

Sign and Store

Once we’ve gathered all the pieces of evidence, we can push the attestation for permanent storage.
Transparently, Chainloop has signed and stored the attestation. You can now use either the CLI or the web UI to inspect the attestation, verify the signature, and learn more about the data.
You can find your attestation in the workflows section.
Great! You’ve completed this guide. Now you are ready to dive deeper into our Getting Started guide. Good luck, and have fun with Chainloop! 🚀