LinuxCommandLibrary

chainctl

Record and verify build provenance

TLDR

Authenticate to the Chainguard Platform
$ chainctl auth login

Logout from the Chainguard Platform
$ chainctl auth logout

Update to the latest version
$ chainctl update

List images available to your account
$ chainctl images list

List image repositories available to your account
$ chainctl images repos list

Examine the history of an image tag in chainctl (e.g., image=python tag=3)
$ chainctl images history [image]:[tag]

List package version data from repositories available to your account (e.g., package_name=go)
$ chainctl packages versions list [package_name]

Display version
$ chainctl version

SYNOPSIS

chainctl [GLOBAL FLAGS] <COMMAND> [<ARGS>]

PARAMETERS

--api-url string
    Override default API server URL

--debug
    Enable verbose debug logging

--help, -h
    Show help for chainctl or subcommand

--output, -o string
    Output format: table|json|yaml (default table)

--profile string
    Chainguard profile name

--tenant string
    Chainguard tenant ID

--token string
    Authentication token (insecure)

DESCRIPTION

chainctl is the official command-line interface (CLI) for the Chainguard platform, designed to streamline interactions with Chainguard's secure container image registry and policy enforcement tools.

Chainguard specializes in Wolfi-based, minimal Linux images with SLSA provenance, signed attestations, and runtime policies to enhance supply chain security. chainctl enables users to authenticate, manage images, generate and apply policies, enroll systems for attestation, search catalogs, and more.

Key workflows include logging in with OIDC, generating policy.json files for cosign verification, enrolling endpoints for continuous monitoring, and inspecting image metadata like SBOMs and signatures. It supports OCI-compliant operations and integrates with tools like Docker, Podman, and Kubernetes.

Ideal for DevSecOps teams enforcing least-privilege policies and zero-CVE images, chainctl simplifies adoption of reproducible, auditable containers. Debug mode aids troubleshooting, while structured output (JSON/YAML/table) fits automation pipelines.

CAVEATS

Requires a Chainguard account and network access to api.chainsafe.io or equivalent. Not all features are available in the free tier. Subcommands have additional flags; use chainctl <cmd> --help for details.

INSTALLATION

curl -sSfL https://pkg.copilot.sh/install.sh | bash -s chainctl

COMMON USAGE

chainctl auth login for OIDC auth.
chainctl images search nginx to find images.
chainctl policies generate --platform linux/amd64 > policy.json for verification policy.

HISTORY

Developed by Chainguard (founded 2021) as part of the Wolfi/Chainguard Images launch in 2022. Evolved with Sigstore integration and policy-as-code in 2023 updates, focusing on SLSA Level 3 compliance.

SEE ALSO

cosign(1), syft(1), grype(1), docker(1)
