{"id":25399134,"url":"https://github.com/carabiner-dev/ampel","last_synced_at":"2026-04-18T22:05:58.056Z","repository":{"id":276884830,"uuid":"924396105","full_name":"carabiner-dev/ampel","owner":"carabiner-dev","description":"🔴🟡🟢 The Amazing Multipurpose Policy Engine (and L)","archived":false,"fork":false,"pushed_at":"2026-03-31T23:05:25.000Z","size":2848,"stargazers_count":42,"open_issues_count":4,"forks_count":10,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-04-01T01:26:21.972Z","etag":null,"topics":["actions","attestation","attestations","cel","intoto","policy","sigstore","supply-chain","supply-chain-security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/carabiner-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-01-29T23:21:16.000Z","updated_at":"2026-03-31T23:05:21.000Z","dependencies_parsed_at":null,"dependency_job_id":"12095785-d6f7-41e1-a610-b54d5839dafd","html_url":"https://github.com/carabiner-dev/ampel","commit_stats":null,"previous_names":["carabiner-dev/ampel"],"tags_count":30,"template":false,"template_full_name":null,"purl":"pkg:github/carabiner-dev/ampel","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carabiner-dev%2Fampel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carabiner-dev%2Fampel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carabiner-dev%2Fampel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carabiner-dev%2Fampel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/carabiner-dev","download_url":"https://codeload.github.com/carabiner-dev/ampel/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/carabiner-dev%2Fampel/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31290885,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","attestation","attestations","cel","intoto","policy","sigstore","supply-chain","supply-chain-security"],"created_at":"2025-02-15T23:29:15.551Z","updated_at":"2026-04-01T18:32:48.342Z","avatar_url":"https://github.com/carabiner-dev.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🔴🟡🟢 AMPEL\n\n### The Amazing Multi-Purpose Policy Engine (and L)\n\n![Image](https://github.com/user-attachments/assets/95d714a4-2401-4c33-a978-1016d5a961f6)\nAmpel is a lightweight supply chain policy engine designed to be embedded\nacross the software development lifecycle to make sure that source code,\ntools and the build environment can be trusted by verifying unforgeable\nmetadata captured in signed attestations.\n\n![Image](https://github.com/user-attachments/assets/c3794605-ff84-48dd-be3f-ccefd702f301)\n\n## Attesting Metadata\n\nAmpel works with attestations in the [in-toto](https://in-toto.io/) format and has native verification\nsupport for sigstore bundles. Signing schemes are pluggable, meaning other\nsignature verification mechanisms can be added.\n\nAs a supply chain security tool, Ampel can work with common formats like\n[SLSA](https://slsa.dev) to check software provenance and SBOMs to gate on\ndependency data, but policies can be written against any custom data in JSON.\n\nThe policy engine also supports __transformers__ that can read and verify attestations to then convert them to other formats, simplifying policy\nauthoring.\n\n[Diagram]\n\nFor example, by loading the vulnerability report transformer, Ampel\ncan transform the output of the common vulnerability scanners to a common format, such as OSV, allowing you to write a single policy to verify the findings of any scanner.\n\n## Installing\n\n### Download a Binary\n\nPre-built binaries for Linux, macOS and Windows are available on the\n[GitHub Releases](https://github.com/carabiner-dev/ampel/releases) page.\nDownload the archive for your platform, extract it and place the `ampel`\nbinary somewhere in your `$PATH`.\n\n### Go Install\n\nIf you have Go installed, you can install ampel directly:\n\n```shell\ngo install github.com/carabiner-dev/ampel/cmd/ampel@latest\n```\n\n### GitHub Action\n\nAmpel is also available as a GitHub Action for use in CI/CD workflows.\nSee [carabiner-dev/actions](https://github.com/carabiner-dev/actions) for\nsetup instructions and usage examples.\n\n## The Ampel Ecosystem\n\n### Attestations Collector\n\nPolicy evaluation relies on attestations; AMPEL uses the\n[Carabiner Collector](https://github.com/carabiner-dev/collector)\nto read them from all sorts of backends: repositories, registries,\nfilesystems and more.\n\n### Other Tools\n\nAmpel is part of a growing ecosystem of tools that let software developers and\nsecurity engineers harden their SDLC processes. The more mature siblings of\nAMPEL are:\n\n- [bnd](https://github.com/carabiner-dev/bnd): A tool to attest, sign and verify\ndata. It also has features that work with attestations and sigstore bundles.\n\n- [snappy](https://github.com/carabiner-dev/snappy): Takes snapshots of APIs to\nattest their state.\n\n- [unpack](https://github.com/carabiner-dev/unpack): A dependency extractor with\nSBOM visualization and generation capabilities.\n\n## Policies\n\nAmpel uses a model of policies as code. The policy frame can be written in either\n**JSON** or **HJSON** format (HJSON is recommended for better readability with\nsupport for comments and relaxed syntax). The evaluation code is written in a\nsupported runtime. At present Ampel ships with a CEL (Common Expression Language)\nruntime and more runtimes are on the roadmap.\n\n### Policy Structure\n\nThe structure of an Ampel policy is described at length in its own documentation.\nAt a high level a policy consists of:\n\n- Metadata\n- Contextual Info\n- Attestation Spec\n- Identity Definition\n- Tenets (one or more)\n\n### Tenet\n\nA policy's _tenets_ (those principles we hold to be true) are the core of the\npolicy. Each tenet represents a check Ampel will perform on the available evidence.\n\nThe tenet structure contains the evaluation code that will be executed to check\nif the tenet holds true.\n\nA policy's tenets can be evaluated in two modes:\n\n- `AND` a policy will evaluate to PASS when all tenets are true.\n- `OR` a policy will `PASS` if at least one tenet evaluates to true. Useful when\nthere is more than one way to check.\n\nThink of tenets as questions to ask your attested data:\n\n- Was this artifact built by my GitHub account?\n- Does my vulnerability report contain HIGH CVEs?\n- Does this repository have MFA enabled?\n- Is this project licensed under an approved OSI license?\n- ... and more.\n\n## Link to Compliance Controls\n\nA policy can be linked to a security framework control. When evaluating the\ncompliance status of artifacts against a security framework, Ampel can\nlink the policies to controls and checks defined in OSCAL catalogs and profiles.\n\n## Results and Results Attestations\n\nAmpel can report the status of a policy or block processes when a policy evaluates\nto `FAIL`. But the evaluation results are rich with metadata and human-friendly\nmessages which makes them suitable to display in various situations such as reports,\nwebpages, CI/CD systems, etc.\n\nA powerful feature of Ampel is that evaluation results can also be attested.\nThis means that results can be used as input attestations for further policies,\nmaking it simple to check for complex processes further downstream after they\nhave been checked once.\n\n### Policy Sets\n\nMultiple policies can be specified together in a `PolicySet`. This is a handy way\nto maintain policies that relate to each other in a single file to make them\navailable to the engine at evaluation time. The results of policies tied together\nin a PolicySet can also be reported together in a ResultsSet.\n\n## Copyright\n\nAmpel is released under the Apache 2.0 license by Carabiner Systems, Inc.\nFeel free to contribute patches or open an issue if you find a problem. Feedback\nis always welcome!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarabiner-dev%2Fampel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcarabiner-dev%2Fampel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarabiner-dev%2Fampel/lists"}