{"id":13717880,"url":"https://github.com/chainloop-dev/chainloop","last_synced_at":"2026-05-01T10:01:54.883Z","repository":{"id":125454267,"uuid":"610316941","full_name":"chainloop-dev/chainloop","owner":"chainloop-dev","description":"SDLC evidence store and policy engine for your Software Supply Chain attestations, SBOMs, VEX, SARIF, QA reports, and more","archived":false,"fork":false,"pushed_at":"2026-04-24T11:16:22.000Z","size":58381,"stargazers_count":547,"open_issues_count":21,"forks_count":53,"subscribers_count":8,"default_branch":"main","last_synced_at":"2026-04-24T13:26:30.463Z","etag":null,"topics":["attestation","compliance","cyclonedx","devsecops","in-toto","license","metadata-platform","open-source-licensing","ospo","oss-compliance","regulated-industry","sbom","sbom-discovery","sbom-distribution","security","slsa","slsa-provenance","spdx","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://docs.chainloop.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainloop-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-03-06T14:30:50.000Z","updated_at":"2026-04-24T11:16:24.000Z","dependencies_parsed_at":"2025-11-30T06:07:53.010Z","dependency_job_id":null,"html_url":"https://github.com/chainloop-dev/chainloop","commit_stats":{"total_commits":18,"total_committers":2,"mean_commits":9.0,"dds":0.05555555555555558,"last_synced_commit":"29d39b98
144b137774f7c0bbd383ebb62f94cd18"},"previous_names":[],"tags_count":395,"template":false,"template_full_name":null,"purl":"pkg:github/chainloop-dev/chainloop","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainloop-dev%2Fchainloop","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainloop-dev%2Fchainloop/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainloop-dev%2Fchainloop/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainloop-dev%2Fchainloop/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chainloop-dev","download_url":"https://codeload.github.com/chainloop-dev/chainloop/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainloop-dev%2Fchainloop/sbom","scorecard":{"id":264205,"data":{"date":"2025-08-17T09:49:51Z","repo":{"name":"github.com/chainloop-dev/chainloop","commit":"7f341403400053ec4318c99f7552f8fb4fa38244"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":8.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":8,"reason":"26 out of 30 merged PRs checked by a CI 
test -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":5,"reason":"badge detected: Passing","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":10,"reason":"project has 7 contributing companies or organizations","details":["Info: chainloop-dev contributor org/company found, chainloop.dev contributor org/company found, bluemobile-finapps contributor org/company found, chainloop contributor org/company found, solrpl contributor org/company found, archipelo contributor org/company found, itsilesia contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool 
detected","details":["Info: detected update tool: Dependabot: :0"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yaml:40"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/package_chart.yaml:54: update your workflow using 
https://app.stepsecurity.io/secureworkflow/chainloop-dev/chainloop/package_chart.yaml/main?enable=pin","Warn: downloadThenRun not pinned by hash: .github/workflows/lint.yml:66","Warn: downloadThenRun not pinned by hash: .github/workflows/release.yaml:28","Warn: downloadThenRun not pinned by hash: .github/workflows/release.yaml:66","Warn: downloadThenRun not pinned by hash: .github/workflows/release.yaml:193","Info:  21 out of  21 GitHub-owned GitHubAction dependencies pinned","Info:  13 out of  14 third-party GitHubAction dependencies pinned","Info:   6 out of   6 containerImage dependencies pinned","Info:   0 out of   4 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":9,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 26 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":8,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: signed release artifact: 
chainloop-darwin-amd64.sig: https://api.github.com/repos/chainloop-dev/chainloop/releases/assets/283340910","Info: signed release artifact: chainloop-darwin-amd64.sig: https://api.github.com/repos/chainloop-dev/chainloop/releases/assets/281752448","Info: signed release artifact: chainloop-darwin-amd64.sig: https://api.github.com/repos/chainloop-dev/chainloop/releases/assets/281489820","Info: signed release artifact: chainloop-darwin-amd64.sig: https://api.github.com/repos/chainloop-dev/chainloop/releases/assets/280603253","Info: signed release artifact: chainloop-darwin-amd64.sig: https://api.github.com/repos/chainloop-dev/chainloop/releases/assets/279931744","Warn: release artifact v1.41.1 does not have provenance: https://api.github.com/repos/chainloop-dev/chainloop/releases/240435938","Warn: release artifact v1.41.0 does not have provenance: https://api.github.com/repos/chainloop-dev/chainloop/releases/239325664","Warn: release artifact v1.40.0 does not have provenance: https://api.github.com/repos/chainloop-dev/chainloop/releases/239110321","Warn: release artifact v1.39.0 does not have provenance: https://api.github.com/repos/chainloop-dev/chainloop/releases/238562737","Warn: release artifact v1.38.3 does not have provenance: https://api.github.com/repos/chainloop-dev/chainloop/releases/238003711"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:21","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:20","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/github_release.yaml:23","Warn: jobLevel 'contents' permission set to 'write': 
.github/workflows/github_release.yaml:24","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/package_chart.yaml:32","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:40","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:41","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:13","Info: found token with 'none' permissions: .github/workflows/github_release.yaml:1","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/lint.yml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/lint.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/package_chart.yaml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yaml:10","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:18","Info: topLevel permissions set to 'read-all': .github/workflows/sync_contracts.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:12"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":6,"reason":"4 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2025-3770","Warn: Project is vulnerable to: GO-2024-3005"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T11:34:05.966Z","repository_id":125454267,"created_at":"2025-08-17T11:34:05.966Z","updated_at":"2025-08-17T11:34:05.966Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32492594,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attestation","compliance","cyclonedx","devsecops","in-toto","license","metadata-platform","open-source-licensing","ospo","oss-compliance","regulated-industry","sbom","sbom-discovery","sbom-distribution","security","slsa","slsa-provenance","spdx","supply-chain-security"],"created_at":"2024-08-03T00:01:28.581Z","updated_at":"2026-05-01T10:01:54.876Z","avatar_url":"https://github.com/chainloop-dev.png","language":"Go","funding_links":[],"categories":["Build techniques","Go","Security and Supply Chain"],"sub_categories":["Supply chain beyond libraries","Streaming Operations"],"readme":"# Chainloop\n\n[![LFX Health Score](https://insights.linuxfoundation.org/api/badge/health-score?project=chainloop)](https://insights.linuxfoundation.org/project/chainloop)\n[![OpenSSF 
Scorecard](https://api.securityscorecards.dev/projects/github.com/chainloop-dev/chainloop/badge)](https://securityscorecards.dev/viewer/?uri=github.com/chainloop-dev/chainloop)\n[![Go Report Card](https://goreportcard.com/badge/github.com/chainloop-dev/chainloop)](https://goreportcard.com/report/github.com/chainloop-dev/chainloop)\n![Test passing](https://github.com/chainloop-dev/chainloop/actions/workflows/test.yml/badge.svg?branch=main)\n[![Chat on Slack](https://img.shields.io/badge/slack-chainloop-blue?logo=slack)](https://join.slack.com/t/chainloop-community/shared_invite/zt-2k34dvx3r-u85uGP_KiLC6ic5Wy4aRnQ)\n[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/chainloop-dev/chainloop/blob/main/LICENSE.md)\n\n## What is it?\n\n[Chainloop](https://github.com/chainloop-dev/chainloop) is an open-source evidence store for your Software Supply Chain attestations, Software Bill of Materials (SBOMs), VEX, SARIF, QA reports, and more. With Chainloop, Security, Compliance, and Risk management teams can define security and compliance policies, what evidence and artifacts they want to receive, and where to store them. 
On the other hand, developers are shielded from all this complexity by being given simple instructions on what to provide when instrumenting their CI/CD pipelines.\n\nTo learn more about the project motivation please look at [our documentation](https://docs.chainloop.dev).\n\n## How does it work?\n\n### Compliant Single Source of Truth\n\nCraft and store attestation metadata and artifacts via a single integration point regardless of your CI/CD provider choice.\n\n![Chainloop Overview](./docs/img/overview-1.png)\n\nThe result is having a SLSA level 3 compliant single Source of truth for metadata, artifacts and attestations built on OSS standards such as [Sigstore](https://www.sigstore.dev/), [in-toto](https://in-toto.io/), [SLSA](https://slsa.dev) and [OCI](https://github.com/opencontainers/image-spec/blob/main/spec.md).\n\nChainloop also makes sure the crafting of artifacts and attestation follows **best practices and meets the requirements** declared in their associated Workflow Contract.\n\n### Declarative, contract-based attestation\n\nOne key aspect is that in Chainloop, CI/CD integrations are declared via [**Workflow Contracts**](https://docs.chainloop.dev/concepts/contracts).\n\nA Workflow Contract gives Compliance and Security teams **full control over what kind of data (build info, materials) must be received as part of the attestation and the environment where these workflows must be executed at**. 
This enables an easy, and maintainable, way of propagating and enforcing requirements downstream to your organization.\n\nYou can think of it as an **API for your organization's Software Supply Chain** that both parties, development and Compliance and Security teams can use to interact effectively.\n\n![Chainloop Contracts](./docs/img/overview-3.png)\n\n### Policy as code\n\nCompliance and Security teams can [craft](https://docs.chainloop.dev/guides/custom-policies) [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) policies, and [attach](https://docs.chainloop.dev/concepts/policies) them to workflow contracts. Those policies will be automatically evaluated, and their results will be added to the attestation before signing and storage.\n\n\n### We meet you where you are with third-party integrations\n\nOperators can set up third-party integrations such as [Dependency-Track](https://docs.chainloop.dev/guides/dependency-track), or [Guac](https://docs.chainloop.dev/guides/guac/) for SBOM analysis or a storage backend such as an OCI registry, or cloud blob storage to place the received artifacts, pieces of evidence and attestation metadata.\n\n![Chainloop Overview](./docs/img/overview-2.png)\n\nCompliance and Security teams can mix and match with different integrations while **not requiring developers to make any changes on their side**!\n\nTo learn more and to find the list of available integrations, check our [integrations page](./devel/integrations.md).\n\n### Role-tailored experience\n\nChainloop makes sure to clearly define the responsibilities, experience and functional scope of the **two main personas, Compliance/Security and Development teams**.\n\nCompliance and Security teams are the ones in charge of defining the Workflow Contracts, crafting policies, setting up third-party integrations, or having access to the control plane where all the Software Supply Chain Security bells and whistles are exposed.\n\nDevelopment teams on the other hand, 
just need to integrate Chainloop's jargon-free [crafting tool](https://docs.chainloop.dev/concepts/attestations#attestation-lifecycle) and follow the steps via a familiar DevExp to make sure they comply with the Workflow Contract defined by the SecOps team. No need to learn in-toto, signing, SLSA, OCI, APIs, nada :)\n\n## Supported Pieces of Evidence / Materials\n\nDuring the attestation process, you can attach different pieces of evidence and artifacts that will get uploaded to the [Content Addressable Storage](https://docs.chainloop.dev/concepts/cas-backend) (if applicable) and referenced in a signed in-toto attestation.\n\nChainloop supports the collection of the following list of evidence types. For the full list please refer to [this page](https://docs.chainloop.dev/concepts/material-types)\n\n- [CycloneDX SBOM](https://github.com/CycloneDX/specification)\n- [SPDX SBOM](https://spdx.dev/specifications/)\n- [OpenVEX](https://github.com/openvex)\n- [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/)\n- [Container Image Reference](https://github.com/opencontainers/image-spec)\n- [Helm Chart](https://helm.sh/docs/topics/charts/)\n- [BlackDuck SCA](https://www.blackduck.com/software-composition-analysis-tools/black-duck-sca.html)\n- [ZAP DAST](https://github.com/marketplace/actions/zap-baseline-scan)\n- [PrismaCloud Twistcli Scan](https://docs.prismacloud.io/en/compute-edition/30/admin-guide/tools/twistcli-scan-images)\n- [CSAF Security Incident Report](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#42-profile-2-security-incident-response)\n- [CSAF Informational Advisory](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#43-profile-3-informational-advisory)\n- [CSAF Security Advisory](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#44-profile-4-security-advisory)\n- [CSAF VEX](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#45-profile-5-vex)\n- [Gitlab Security 
report](https://docs.gitlab.com/ee/user/application_security/)\n- [JUnit](https://www.ibm.com/docs/en/developer-for-zos/14.1?topic=formats-junit-xml-format)\n- [JaCoCo XML Coverage Reports](https://www.jacoco.org/jacoco/trunk/doc/)\n- [SLSA Provenance files](https://slsa.dev/spec/v1.1/provenance)\n- Attestation: existing Chainloop attestations.\n- Artifact Type: It represents a software artifact.\n- Custom Evidence Type: Custom piece of evidence that doesn't fit in any other category, for instance, an approval report in JSON format, etc.\n- Key-Value metadata pairs\n\n## Getting started\n\nFollow the [quickstart](https://docs.chainloop.dev/quickstart) or the [getting started guide](https://docs.chainloop.dev/get-started) for detailed information on a) how to download and configure the Chainloop CLI and b) how to deploy Chainloop on your Kubernetes Cluster.\n\n### Command Line Interface (CLI) installation\n\n\u003e Alternatively, you can download the CLI from the [releases page](https://github.com/chainloop-dev/chainloop/releases) or [build it from source](./CONTRIBUTING.md).\n\nTo **install the latest version** for macOS, Linux or Windows (using [WSL](https://learn.microsoft.com/en-us/windows/wsl/install)) just choose one of the following installation methods.\n\n```bash\ncurl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --oss\n```\n\n\u003e To install the **enterprise edition** instead, omit the `--oss` flag.\n\nYou can retrieve a specific version with:\n\n```bash\ncurl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --oss --version v1.7.0\n```\n\nYou can also customize the install path (defaults to `/usr/local/bin`):\n\n```bash\ncurl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --oss --path /my-path\n```\n\nIf [`cosign`](https://docs.sigstore.dev/cosign) is present on your system, a signature verification is performed in addition to the checksum check. 
This behavior can be enforced via the `--force-verification` flag.\n\n```bash\ncurl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- --oss --force-verification\n```\n\n### Deploy Chainloop (optional)\n\nDownloading the CLI is everything you need to give Chainloop a try, since, by default, it points to a [running instance of Chainloop](https://app.chainloop.dev).\n\nYou can also **run your own Chainloop instance** on your Kubernetes cluster by leveraging [this Helm Chart](./deployment/chainloop/).\n\n### Configure CLI (optional)\n\nIf you are running your [own instance](https://github.com/chainloop-dev/chainloop) of the Control Plane, you can make the CLI point to your instance by using the `chainloop config save` command.\n\n```sh\nchainloop config save \\\n  --control-plane my-controlplane.acme.com \\\n  --artifact-cas cas.acme.com\n```\n\n### Authentication\n\nAuthenticate to the Control Plane by running:\n\n```bash\n$ chainloop auth login\n```\n\n### Finishing the setup\n\nOnce you've been logged in, follow [these instructions](https://docs.chainloop.dev/get-started/setup) to learn how to set up your account.\n\n## Documentation\n\nTo learn more, please visit the Chainloop project's documentation website, https://docs.chainloop.dev where you will find a getting started guide, FAQ, examples, and more.\n\n## Community / Discussion / Support\n\nChainloop is developed in the open and is constantly improved by our users, contributors and maintainers. Got a question, comment, or idea? Please don't hesitate to reach out via:\n\n- GitHub [Issues](https://github.com/chainloop-dev/chainloop/issues)\n- [Slack](https://join.slack.com/t/chainloop-community/shared_invite/zt-2k34dvx3r-u85uGP_KiLC6ic5Wy4aRnQ)\n- YouTube [Channel](https://www.youtube.com/channel/UCISrWrPyR_AFjIQYmxAyKdg)\n\n## Contributing\n\nWant to get involved? 
Contributions are welcome.\n\nIf you are ready to jump in and test, add code, or help with documentation, please follow the instructions on\nour [Contribution](CONTRIBUTING.md) page. At all times, follow our [Code of Conduct](./CODE_OF_CONDUCT.md).\n\nSee the [issue tracker](https://github.com/chainloop-dev/chainloop/issues) if you're unsure where to start, especially the [Good first issue](https://github.com/chainloop-dev/chainloop/labels/good%20first%20issue) label.\n\n## Changelog\n\nTake a look at the list of [releases](http://github.com/chainloop-dev/chainloop/releases) to stay tuned for the latest features and changes.\n\n## License\n\nChainloop is released under the Apache License, Version 2.0. Please see the [LICENSE](./LICENSE.md) file for more information.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainloop-dev%2Fchainloop","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainloop-dev%2Fchainloop","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainloop-dev%2Fchainloop/lists"}