# Material Types
## Built-in material types
Chainloop supports the following types of evidence (materials) that can be attached to an attestation during the crafting process.
| Name | ID | Description |
| --- | --- | --- |
| Artifact Type | `ARTIFACT` | Represents a software artifact. |
| Attestation | `ATTESTATION` | An existing Chainloop attestation. |
| BlackDuck SCA | `BLACKDUCK_SCA_JSON` | |
| [Container Image Reference](https://github.com/opencontainers/image-spec) | `CONTAINER_IMAGE` | A reference to a container image. It is resolved and referenced by its digest (SHA). |
| [CSAF Informational Advisory](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#43-profile-3-informational-advisory) | `CSAF_INFORMATIONAL_ADVISORY` | |
| [CSAF Security Advisory](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#44-profile-4-security-advisory) | `CSAF_SECURITY_ADVISORY` | |
| [CSAF Security Incident Report](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#42-profile-2-security-incident-response) | `CSAF_SECURITY_INCIDENT_RESPONSE` | |
| [CSAF VEX](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#45-profile-5-vex) | `CSAF_VEX` | |
| Custom Evidence Type | `EVIDENCE` | A custom piece of evidence that does not fit any other category, for instance an approval report in JSON format. |
| [GitHub Advanced Security Code scans](https://docs.github.com/en/rest/code-scanning/code-scanning?apiVersion=2022-11-28) | `GHAS_CODE_SCAN` | |
| [GitHub Advanced Security Dependency scans](https://docs.github.com/en/rest/dependabot/alerts?apiVersion=2022-11-28) | `GHAS_DEPENDENCY_SCAN` | |
| [GitHub Advanced Security Secret scans](https://docs.github.com/en/rest/secret-scanning/secret-scanning?apiVersion=2022-11-28) | `GHAS_SECRET_SCAN` | |
| [GitLab Security report](https://docs.gitlab.com/ee/user/application_security/) | `GITLAB_SECURITY_REPORT` | A GitLab Security report in JSON format. |
| [Helm Chart](https://helm.sh/docs/topics/charts/) | `HELM_CHART` | A released Helm chart in tarball format. |
| [JaCoCo XML Report](https://www.jacoco.org/jacoco/trunk/doc/) | `JACOCO_XML` | |
| [JUnit](https://www.ibm.com/docs/en/developer-for-zos/14.1?topic=formats-junit-xml-format) | `JUNIT_XML` | |
| [OpenVEX](https://github.com/openvex) | `OPENVEX` | Open Vulnerability and Exposure eXchange (OpenVEX) format. |
| [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/) | `SARIF` | |
| [CycloneDX SBOM](https://github.com/CycloneDX/specification) | `SBOM_CYCLONEDX_JSON` | A CycloneDX Software Bill of Materials (SBOM) in JSON format. |
| [SPDX SBOM](https://spdx.dev/specifications/) | `SBOM_SPDX_JSON` | An SPDX Software Bill of Materials (SBOM) in JSON format. |
| Key-Value metadata pairs | `STRING` | |
| [PrismaCloud Twistcli Scan](https://docs.prismacloud.io/en/compute-edition/30/admin-guide/tools/twistcli-scan-images) | `TWISTCLI_SCAN_JSON` | |
| [ZAP DAST zip report](https://github.com/marketplace/actions/zap-baseline-scan) | `ZAP_DAST_ZIP` | A ZAP DAST report in zip format, matching the output of ZAP's GitHub Action. |
| [SLSA provenance attestation](https://slsa.dev/spec/v1.1/provenance) | `SLSA_PROVENANCE` | A SLSA provenance file generated by GitHub or the upstream slsa-generator. |
| Chainloop Runner Context | `CHAINLOOP_RUNNER_CONTEXT` | The runner context in which the attestation is crafted, in JSON format. |
| [Pull request metadata from GitHub or GitLab](https://github.com/chainloop-dev/chainloop/blob/4d6157bbb4269792b98fa7238e3ec2cecc55b7c2/internal/schemavalidators/internal_schemas/prinfo/pr-info-1.0.schema.json) | `CHAINLOOP_PR_INFO` | Gathered automatically by the Chainloop CLI when a pull request or merge request is detected. |
The contract below shows how these material types are referenced; see [this guide](/concepts/contracts#writing-contracts) to learn more about writing contracts.
```yaml skynet.contract.yaml theme={"dark"}
apiVersion: chainloop.dev/v1
kind: Contract
metadata:
  name: skynet-contract
spec:
  # Arbitrary set of annotations can be added to the contract and will be part of the attestation
  annotations:
    - name: version
      value: oss # if the value is left empty, it will be required and resolved at attestation time
  # https://docs.chainloop.dev/concepts/operator/material-types
  materials:
    # CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest
    - type: CONTAINER_IMAGE
      name: skynet-control-plane
      # The output flag indicates that the material will be part of the attestation subject
      output: true
      # Arbitrary annotations can be added to the material
      annotations:
        - name: component
          value: control-plane
        # The value can be left empty so it can be provided at attestation time
        - name: asset
    # ARTIFACT kinds will first get uploaded to your artifact registry via the built-in Content Addressable Storage (CAS)
    # Optional dockerfile
    - type: ARTIFACT
      name: dockerfile
      optional: true
    # SBOMs will be uploaded to the artifact registry and referenced in the attestation
    # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
    - type: SBOM_CYCLONEDX_JSON
      name: skynet-sbom
    # CSAF_VEX and OPENVEX are supported
    - type: OPENVEX
      name: disclosure
    # And static analysis reports in SARIF format
    - type: SARIF
      name: static-out
    # or additional tools
    - type: TWISTCLI_SCAN_JSON
      name: scan-result
  # https://docs.chainloop.dev/concepts/policies
  policies:
    materials: # policies applied to materials
      - ref: file://cyclonedx-licenses.yaml
    attestation: # policies applied to the whole attestation
      - ref: https://github.com/chainloop/chainloop-dev/blob/main/docs/examples/policies/chainloop-commit.yaml # (2)
  # Env vars we want the system to resolve and inject during attestation initialization
  # Additional ones can be inherited from the specified runner context below
  envAllowList:
    - CUSTOM_VAR
  # Enforce in what runner context the attestation must happen
  # If not specified, the attestation crafting process is allowed to run anywhere
  runner:
    type: "GITHUB_ACTION"
```
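A pre-flight lint for the materials section of a contract, added here as an example and not part of Chainloop itself: it checks every material `type` against the built-in IDs from the table above, flags duplicate or missing material names, and lists annotations left without a value (which must then be supplied at attestation time). The contract is embedded as a constructed JSON document (Chainloop also accepts contracts in JSON); the `lint_contract` name and the finding messages are this example's own.

```python
import json

# Built-in material type IDs as listed in the table on this page.
BUILTIN_MATERIAL_TYPES = {
    "ARTIFACT", "ATTESTATION", "BLACKDUCK_SCA_JSON", "CONTAINER_IMAGE",
    "CSAF_INFORMATIONAL_ADVISORY", "CSAF_SECURITY_ADVISORY",
    "CSAF_SECURITY_INCIDENT_RESPONSE", "CSAF_VEX", "EVIDENCE",
    "GHAS_CODE_SCAN", "GHAS_DEPENDENCY_SCAN", "GHAS_SECRET_SCAN",
    "GITLAB_SECURITY_REPORT", "HELM_CHART", "JACOCO_XML", "JUNIT_XML",
    "OPENVEX", "SARIF", "SBOM_CYCLONEDX_JSON", "SBOM_SPDX_JSON", "STRING",
    "TWISTCLI_SCAN_JSON", "ZAP_DAST_ZIP", "SLSA_PROVENANCE",
    "CHAINLOOP_RUNNER_CONTEXT", "CHAINLOOP_PR_INFO",
}


def lint_contract(contract: dict) -> list:
    """Return human-readable findings for spec.materials (empty list = clean)."""
    findings = []
    seen_names = set()
    for i, m in enumerate(contract.get("spec", {}).get("materials", [])):
        mtype, name = m.get("type"), m.get("name")
        if mtype not in BUILTIN_MATERIAL_TYPES:
            findings.append(f"material[{i}]: unknown type {mtype!r}")
        if not name:
            findings.append(f"material[{i}]: missing name")
        elif name in seen_names:
            findings.append(f"material[{i}]: duplicate name {name!r}")
        seen_names.add(name)
        # An annotation declared without a value is resolved at attestation time.
        for ann in m.get("annotations", []):
            if not ann.get("value"):
                findings.append(
                    f"material {name!r}: annotation {ann.get('name')!r} has no value; "
                    "it must be provided at attestation time")
    return findings


# Constructed sample: the skynet contract with a typo'd type and a duplicated name.
SAMPLE_CONTRACT = json.loads("""{
  "apiVersion": "chainloop.dev/v1", "kind": "Contract",
  "metadata": {"name": "skynet-contract"},
  "spec": {"materials": [
    {"type": "CONTAINER_IMAGE", "name": "skynet-control-plane", "output": true,
     "annotations": [{"name": "component", "value": "control-plane"}, {"name": "asset"}]},
    {"type": "ARTIFACT", "name": "dockerfile", "optional": true},
    {"type": "SBOM_CYCLONEDX", "name": "skynet-sbom"},
    {"type": "SARIF", "name": "skynet-sbom"}
  ]}
}""")

if __name__ == "__main__":
    for finding in lint_contract(SAMPLE_CONTRACT):
        print(finding)
```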
## Custom Material Types (Piece of Evidence)
In some cases you might want to attest your own custom piece of evidence (using the general-purpose `EVIDENCE` material type) and run policies on it.
Learn more about the recommended format in [this guide](/guides/custom-policies#using-a-custom-piece-of-evidence).