chainloop
Chainloop is an open source project that allows you to collect, attest, and distribute pieces of evidence from your Software Supply Chain.
Installation
dagger install github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4dbEntrypoint
Return Type
Chainloop !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| enterprise | Boolean | - | Use the enterprise CLI image (ghcr.io/chainloop-dev/platform/cli) |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
func (m *MyModule) Example() *dagger.Chainloop {
return dag.
Chainloop()
}@function
def example() -> dagger.Chainloop:
return (
dag.chainloop()
)@func()
example(): Chainloop {
return dag
.chainloop()
}Types
Chainloop 🔗
init() 🔗
Initialize a new attestation
Return Type
Attestation !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| token | Secret ! | - | Chainloop API token |
| contractRevision | String | - | Workflow Contract revision, default is the latest |
| repository | Directory | - | Path to the source repository to be attested |
| workflowName | String ! | - | Workflow name to be used for the attestation |
| projectName | String ! | - | Project name to be used for the attestation |
| contractName | String | - | name of an existing contract to attach it to the auto-created workflow |
| projectVersion | String | - | Version of the project to be used for the attestation |
| release | Boolean | - | mark the version as release |
| markLatest | Enum | "ON_CREATE" | Control whether this project version is promoted to “latest”. ON_CREATE (default): new versions become latest, existing ones are untouched. TRUE: force-promote a pre-release version. FALSE: skip promotion entirely. |
| githubEventFile | File | - | Github event file for PR detection (when running in Github Actions) |
| githubRepository | String | - | Github repository name (owner/repo) |
| githubRunId | String | - | Github run ID for the workflow run |
| githubEventName | String | - | Github event name (e.g., “pull_request”, “pull_request_target”) |
| githubHeadRef | String | - | Github source branch name |
| githubBaseRef | String | - | Github target branch name |
| githubToken | Secret | - | Github token for API access and commit verification (when running in Github Actions) |
| gitlabCi | String | - | Gitlab CI indicator (should be “true” when running in Gitlab CI) |
| gitlabServerUrl | String | - | Gitlab server URL (e.g., “https://gitlab.com”) |
| gitlabProjectPath | String | - | Gitlab project path (e.g., “group/project”) |
| gitlabJobUrl | String | - | Gitlab job URL |
| gitlabPipelineSource | String | - | Gitlab pipeline source (should be “merge_request_event” for MRs) |
| gitlabMriid | String | - | Gitlab merge request internal ID |
| gitlabMrtitle | String | - | Gitlab merge request title |
| gitlabMrdescription | String | - | Gitlab merge request description |
| gitlabMrsourceBranch | String | - | Gitlab source branch name |
| gitlabMrtargetBranch | String | - | Gitlab target branch name |
| gitlabMrprojectUrl | String | - | Gitlab project URL |
| gitlabUserLogin | String | - | Gitlab user login |
| gitlabJobToken | Secret | - | Gitlab job token for API access and commit verification (when running in Gitlab CI) |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
init --token env:MYSECRET --workflow-name string --project-name stringfunc (m *MyModule) Example(token *dagger.Secret, workflowName string, projectName string) *dagger.ChainloopAttestation {
return dag.
Chainloop().
Init(token, workflowName, projectName)
}@function
def example(token: dagger.Secret, workflow_name: str, project_name: str) -> dagger.ChainloopAttestation:
return (
dag.chainloop()
.init(token, workflow_name, project_name)
)@func()
example(token: Secret, workflowName: string, projectName: string): ChainloopAttestation {
return dag
.chainloop()
.init(token, workflowName, projectName)
}resume() 🔗
Resume an attestation from its identifier
Return Type
Attestation !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| attestationId | String ! | - | The attestation ID |
| token | Secret ! | - | Chainloop API token |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRETfunc (m *MyModule) Example(attestationId string, token *dagger.Secret) *dagger.ChainloopAttestation {
return dag.
Chainloop().
Resume(attestationId, token)
}@function
def example(attestation_id: str, token: dagger.Secret) -> dagger.ChainloopAttestation:
return (
dag.chainloop()
.resume(attestation_id, token)
)@func()
example(attestationId: string, token: Secret): ChainloopAttestation {
return dag
.chainloop()
.resume(attestationId, token)
}withInstance() 🔗
Configure the Chainloop instance to use
Return Type
Chainloop !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| controlplaneApi | String ! | - | Example: “api.controlplane.company.com:443” |
| casApi | String ! | - | Example: “api.cas.company.com:443” |
| casCa | File | - | Path to custom CA certificate for the CAS API |
| controlplaneCa | File | - | Path to custom CA certificate for the Control Plane API |
| platformApi | String ! | - | Example: “api.app.chainloop.dev:443” |
| platformCa | File | - | Path to custom CA certificate for the Platform API |
| insecure | Boolean | - | Whether to skip TLS verification |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
with-instance --controlplane-api string --cas-api string --platform-api stringfunc (m *MyModule) Example(controlplaneApi string, casApi string, platformApi string) *dagger.Chainloop {
return dag.
Chainloop().
WithInstance(controlplaneApi, casApi, platformApi)
}@function
def example(controlplane_api: str, cas_api: str, platform_api: str) -> dagger.Chainloop:
return (
dag.chainloop()
.with_instance(controlplane_api, cas_api, platform_api)
)@func()
example(controlplaneApi: string, casApi: string, platformApi: string): Chainloop {
return dag
.chainloop()
.withInstance(controlplaneApi, casApi, platformApi)
}workflowCreate() 🔗
Create a new workflow
Return Type
String !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| token | Secret ! | - | Chainloop API token |
| name | String ! | - | Workflow name |
| project | String ! | - | Workflow project |
| team | String | - | No description provided |
| description | String | - | No description provided |
| contractName | String | - | name of an existing contract |
| public | Boolean | - | Set workflow as public so other organizations can see it |
| skipIfExists | Boolean | - | If the workflow already exists, skip the creation and return success |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
workflow-create --token env:MYSECRET --name string --project stringfunc (m *MyModule) Example(ctx context.Context, token *dagger.Secret, name string, project string) string {
return dag.
Chainloop().
WorkflowCreate(ctx, token, name, project)
}@function
async def example(token: dagger.Secret, name: str, project: str) -> str:
return await (
dag.chainloop()
.workflow_create(token, name, project)
)@func()
async example(token: Secret, name: string, project: string): Promise<string> {
return dag
.chainloop()
.workflowCreate(token, name, project)
}Attestation 🔗
A Chainloop attestation https://docs.chainloop.dev/concepts/attestations
attestationId() 🔗
Return Type
String !Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
attestation-idfunc (m *MyModule) Example(ctx context.Context, attestationId string, token *dagger.Secret) string {
return dag.
Chainloop().
Resume(attestationId, token).
AttestationId(ctx)
}@function
async def example(attestation_id: str, token: dagger.Secret) -> str:
return await (
dag.chainloop()
.resume(attestation_id, token)
.attestation_id()
)@func()
async example(attestationId: string, token: Secret): Promise<string> {
return dag
.chainloop()
.resume(attestationId, token)
.attestationId()
}orgName() 🔗
Return Type
String !Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
org-namefunc (m *MyModule) Example(ctx context.Context, attestationId string, token *dagger.Secret) string {
return dag.
Chainloop().
Resume(attestationId, token).
OrgName(ctx)
}@function
async def example(attestation_id: str, token: dagger.Secret) -> str:
return await (
dag.chainloop()
.resume(attestation_id, token)
.org_name()
)@func()
async example(attestationId: string, token: Secret): Promise<string> {
return dag
.chainloop()
.resume(attestationId, token)
.orgName()
}client() 🔗
Return Type
Chainloop !Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
clientfunc (m *MyModule) Example(attestationId string, token *dagger.Secret) *dagger.Chainloop {
return dag.
Chainloop().
Resume(attestationId, token).
Client()
}@function
def example(attestation_id: str, token: dagger.Secret) -> dagger.Chainloop:
return (
dag.chainloop()
.resume(attestation_id, token)
.client()
)@func()
example(attestationId: string, token: Secret): Chainloop {
return dag
.chainloop()
.resume(attestationId, token)
.client()
}addFileEvidence() 🔗
Add a file type piece of evidence to the attestation
Return Type
Attestation !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| name | String | - | Evidence name. Don’t pass a name if the material being attested is not part of the contract Example: “my-binary” |
| path | File ! | - | The file to add |
| kind | String | - | the material type of the evidence https://docs.chainloop.dev/concepts/material-types#material-types if not provided it will either be loaded from the contract or inferred automatically |
| annotations | [String ! ] | - | List of annotations to be attached to the evidence for example: “key1=value1,key2=value2” |
| noStrictValidation | Boolean | - | Skip strict schema validation for structured materials (SBOM_CYCLONEDX_JSON, OPENAPI_SPEC, ASYNCAPI_SPEC) |
| debugMode | Boolean | - | Enable debug logging |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
add-file-evidence --path file:pathfunc (m *MyModule) Example(attestationId string, token *dagger.Secret, path *dagger.File) *dagger.ChainloopAttestation {
return dag.
Chainloop().
Resume(attestationId, token).
AddFileEvidence(path)
}@function
def example(attestation_id: str, token: dagger.Secret, path: dagger.File) -> dagger.ChainloopAttestation:
return (
dag.chainloop()
.resume(attestation_id, token)
.add_file_evidence(path)
)@func()
example(attestationId: string, token: Secret, path: File): ChainloopAttestation {
return dag
.chainloop()
.resume(attestationId, token)
.addFileEvidence(path)
}addRawEvidence() 🔗
Add a raw string piece of evidence to the attestation
Return Type
Attestation !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| name | String | - | Evidence name. Don’t pass a name if the material being attested is not part of the contract Example: “my-blob” |
| value | String ! | - | The contents of the blob |
| kind | String | - | the material type of the evidence https://docs.chainloop.dev/concepts/material-types#material-types if not provided it will either be loaded from the contract or inferred automatically |
| annotations | [String ! ] | - | List of annotations to be attached to the evidence for example: “key1=value1,key2=value2” |
| noStrictValidation | Boolean | - | Skip strict schema validation for structured materials (SBOM_CYCLONEDX_JSON, OPENAPI_SPEC, ASYNCAPI_SPEC) |
| debugMode | Boolean | - | Enable debug logging |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
add-raw-evidence --value stringfunc (m *MyModule) Example(attestationId string, token *dagger.Secret, value string) *dagger.ChainloopAttestation {
return dag.
Chainloop().
Resume(attestationId, token).
AddRawEvidence(value)
}@function
def example(attestation_id: str, token: dagger.Secret, value: str) -> dagger.ChainloopAttestation:
return (
dag.chainloop()
.resume(attestation_id, token)
.add_raw_evidence(value)
)@func()
example(attestationId: string, token: Secret, value: string): ChainloopAttestation {
return dag
.chainloop()
.resume(attestationId, token)
.addRawEvidence(value)
}container() 🔗
Build an ephemeral container with everything needed to process the attestation
Return Type
Container !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| ttl | Integer | 0 | Cache TTL for chainloop commands, in seconds Defaults to 0: no caching |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
containerfunc (m *MyModule) Example(attestationId string, token *dagger.Secret) *dagger.Container {
return dag.
Chainloop().
Resume(attestationId, token).
Container()
}@function
def example(attestation_id: str, token: dagger.Secret) -> dagger.Container:
return (
dag.chainloop()
.resume(attestation_id, token)
.container()
)@func()
example(attestationId: string, token: Secret): Container {
return dag
.chainloop()
.resume(attestationId, token)
.container()
}debug() 🔗
Return Type
Container !Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
debugfunc (m *MyModule) Example(attestationId string, token *dagger.Secret) *dagger.Container {
return dag.
Chainloop().
Resume(attestationId, token).
Debug()
}@function
def example(attestation_id: str, token: dagger.Secret) -> dagger.Container:
return (
dag.chainloop()
.resume(attestation_id, token)
.debug()
)@func()
example(attestationId: string, token: Secret): Container {
return dag
.chainloop()
.resume(attestationId, token)
.debug()
}markCanceled() 🔗
Mark the attestation as canceled
Return Type
Void !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| reason | String | - | The reason for canceling, in human-readable form |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
mark-canceledfunc (m *MyModule) Example(ctx context.Context, attestationId string, token *dagger.Secret) {
return dag.
Chainloop().
Resume(attestationId, token).
MarkCanceled(ctx)
}@function
async def example(attestation_id: str, token: dagger.Secret) -> None:
return await (
dag.chainloop()
.resume(attestation_id, token)
.mark_canceled()
)@func()
async example(attestationId: string, token: Secret): Promise<void> {
return dag
.chainloop()
.resume(attestationId, token)
.markCanceled()
}markFailed() 🔗
Mark the attestation as failed
Return Type
Void !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| reason | String | - | The reason for canceling, in human-readable form |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
mark-failedfunc (m *MyModule) Example(ctx context.Context, attestationId string, token *dagger.Secret) {
return dag.
Chainloop().
Resume(attestationId, token).
MarkFailed(ctx)
}@function
async def example(attestation_id: str, token: dagger.Secret) -> None:
return await (
dag.chainloop()
.resume(attestation_id, token)
.mark_failed()
)@func()
async example(attestationId: string, token: Secret): Promise<void> {
return dag
.chainloop()
.resume(attestationId, token)
.markFailed()
}push() 🔗
Generate, sign and push the attestation to the chainloop control plane
Return Type
String !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| key | Secret | - | The private key to sign the attestation |
| passphrase | Secret | - | The passphrase to decrypt the private key |
| exceptionBypassPolicyCheck | Boolean | - | Whether not fail if the policy check fails |
| format | Enum ! | "TABLE" | Output format |
| annotations | [String ! ] | - | List of annotations to be attached to the attestation for example: “key1=value1,key2=value2” |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
pushfunc (m *MyModule) Example(ctx context.Context, attestationId string, token *dagger.Secret, format ) string {
return dag.
Chainloop().
Resume(attestationId, token).
Push(ctxformat)
}@function
async def example(attestation_id: str, token: dagger.Secret, format: ) -> str:
return await (
dag.chainloop()
.resume(attestation_id, token)
.push(format)
)@func()
async example(attestationId: string, token: Secret, format: ): Promise<string> {
return dag
.chainloop()
.resume(attestationId, token)
.push(format)
}status() 🔗
Check the attestation status
Return Type
String !Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
statusfunc (m *MyModule) Example(ctx context.Context, attestationId string, token *dagger.Secret) string {
return dag.
Chainloop().
Resume(attestationId, token).
Status(ctx)
}@function
async def example(attestation_id: str, token: dagger.Secret) -> str:
return await (
dag.chainloop()
.resume(attestation_id, token)
.status()
)@func()
async example(attestationId: string, token: Secret): Promise<string> {
return dag
.chainloop()
.resume(attestationId, token)
.status()
}sync() 🔗
Sync will force the client to send an actual query to the chainloop control plane This is specially important to be run right after Init for example
att := chainloop.Init(ctx, token, "main")
if err := att.Sync(ctx); err != nil {
return nil, err
}
Return Type
Void !Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
syncfunc (m *MyModule) Example(ctx context.Context, attestationId string, token *dagger.Secret) {
return dag.
Chainloop().
Resume(attestationId, token).
Sync(ctx)
}@function
async def example(attestation_id: str, token: dagger.Secret) -> None:
return await (
dag.chainloop()
.resume(attestation_id, token)
.sync()
)@func()
async example(attestationId: string, token: Secret): Promise<void> {
return dag
.chainloop()
.resume(attestationId, token)
.sync()
}withRegistryAuth() 🔗
Attach credentials for a container registry. Chainloop will use them to query the registry for container image pieces of evidences
Return Type
Attestation !Arguments
| Name | Type | Default Value | Description |
|---|---|---|---|
| address | String ! | - | Registry address. Example: “index.docker.io” |
| username | String ! | - | Registry username |
| password | Secret ! | - | Registry password |
Example
dagger -m github.com/chainloop-dev/chainloop@acdfa1f6089375bed553666df0624264e6e4e4db call \
resume --attestation-id string --token env:MYSECRET \
with-registry-auth --address string --username string --password env:MYSECRETfunc (m *MyModule) Example(attestationId string, token *dagger.Secret, address string, username string, password *dagger.Secret) *dagger.ChainloopAttestation {
return dag.
Chainloop().
Resume(attestationId, token).
WithRegistryAuth(address, username, password)
}@function
def example(attestation_id: str, token: dagger.Secret, address: str, username: str, password: dagger.Secret) -> dagger.ChainloopAttestation:
return (
dag.chainloop()
.resume(attestation_id, token)
.with_registry_auth(address, username, password)
)@func()
example(attestationId: string, token: Secret, address: string, username: string, password: Secret): ChainloopAttestation {
return dag
.chainloop()
.resume(attestationId, token)
.withRegistryAuth(address, username, password)
}