Automic VaultAutomic Vault

brew

Install chainloop-cli with Homebrew

CLI for interacting with Chainloop. Version 1.103.1 via Homebrew; verified 2026-07-01.

install

Additional install commands

macOS

Homebrewverified ยท 100%
brew install chainloop-cli

local Homebrew formula metadata

overview

Package summary

CLI for interacting with Chainloop

Commands and aliases

  • chainloop

history

Project history and usage

Chainloop CLI is the developer-facing command-line interface for Chainloop's software supply-chain evidence store and attestation platform. It is used to initialize attestations, add evidence such as SBOMs or vulnerability reports, sign metadata, and push it into Chainloop for validation and storage.

Project history

Chainloop was introduced on May 22, 2023 as an API for an organization's software supply chain, built around a SLSA level 3 provenance-compliant control plane and a contract-based attestation process. The README describes Chainloop as an open-source evidence store for attestations, SBOMs, VEX, SARIF, QA reports, and related software-delivery evidence.

Adoption history

The official README and docs emphasize use across CI/CD pipelines, with developers using the CLI while security and compliance teams define workflow contracts, policies, storage, and integrations. Chainloop documentation and changelogs show the platform expanding from attestation capture into policies, compliance frameworks, vulnerability management, integrations, AI coding-session evidence, and enterprise platform features.

How it is used

The quickstart guides users through installing the CLI, logging in, initializing an attestation, adding a container image, SBOM, and vulnerability report, then pushing the signed attestation. The CLI reference documents commands for applying YAML resources, uploading/downloading artifacts, creating attestations, and passing configuration through ~/.config/chainloop/config.toml or environment variables such as CHAINLOOP_TOKEN.

Why package nerds care

Package nerds care about chainloop-cli because it is a modern supply-chain CLI that wraps several packaging-era concerns: SBOMs, provenance, signatures, OCI storage, SLSA, in-toto, Sigstore, policy-as-code, and CI/CD evidence capture. Homebrew packaging gives developers a local install path for a tool meant to be embedded in automated delivery pipelines.

Timeline

  • 2023: Chainloop was introduced publicly as an early-access software supply-chain attestation platform.
  • 2024: Chainloop changelogs added contract-less attestations, material auto-discovery, broader evidence types, policies, and Prometheus-oriented monitoring.
  • 2026: Documentation presents Chainloop as a centralized evidence store with real-time visibility, automated compliance, policy evaluation, and CLI-driven attestation workflows.

Related projects

  • Chainloop is built around or integrates with SLSA, in-toto, Sigstore, OCI registries, OPA/Rego policies, Dependency-Track, GUAC, CycloneDX, SPDX, OpenVEX, SARIF, CSAF, GitHub Actions, GitLab CI, and Kubernetes/Helm deployment paths.

security posture

No protected-tool coverage found yet

No matching local secret-handling manifest was found for chainloop-cli. Nucleus package metadata is still published here so future coverage has a stable package URL.

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
~/.config/chainloop/config.toml

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
~/.config/chainloop/config.toml

executables

Installed executables

CommandKindExposureNote
chainloopcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.103.1
manager updated2026-07-01
local dataok
upstreamcurrent
latest detectedv1.103.1

https://github.com/chainloop-dev/chainloop

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:chainloop-cli
Version1.103.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/chainloop-cli
Homepagehttps://docs.chainloop.dev
Repositoryhttps://github.com/chainloop-dev/chainloop
Upstream docshttps://docs.chainloop.dev/
LicenseApache-2.0
Source archivehttps://github.com/chainloop-dev/chainloop/archive/refs/tags/v1.103.1.tar.gz
Last updated2026-07-01T15:21:51Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namechainloop-cli
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • package relationship graph
  • package version freshness
  • package-page enrichment