homepage_url
https://github.com/carabiner-dev/ampel
contact_email
puerco@carabiner.dev
code_view_url
https://github.com/carabiner-dev/ampel
spdx_license_expression
Apache-2.0
description
AMPEL is a supply chain policy engine designed to be embedded across the software development lifecycle, guaranteeing that source, tools, and build environments can be trusted to consume, run, and deploy. AMPEL applies reusable code policies to signed evidence (attestations), driving CI/CD systems, repositories, and deployments.
As an open source project, AMPEL is format-agnostic and supports any security metadata format out of the box. It can be extended with format-specific extensions, allowing for increasingly sophisticated policies. And it ships some cool ones, too!
If you build, ship, or deploy software, give it a spin. We’d love to hear your feedback.
primary_languages
go
short_term_roadmap
- OpenSSF sandbox donation
- policyctl release
- More attestation sources
- Native sigstore signing
- SVR output support
long_term_roadmap
- More tool integrations (embedding AMPEL)
- Kubernetes admission controller
- Native OSCAL support
- Runtimes: cedar, rego, starlark
proprietary_data
commercial_features
capabilities
other_capabilities
AMPEL supports remote policy referencing; policies can be signed, expired, and templated. It has other advanced features, such as policy and policy group composition to model complex frameworks, and it can map policies to framework requirements (CRA, wink wink).
It can be extended in many ways: alternative runtimes, transformers, and new runtime functions. AMPEL has a pluggable evidence collector that can read from a growing list of sources, including repositories, registries, HTTP servers, and more.
The project offers ready-to-use GitHub Actions and an open source community policy repository that already hosts policies to verify popular security formats.