For years, the supply chain security community has been working hard to generate security metadata about repositories, software builds, vulnerability reports, releases, and SBOMs that describe how software is composed.
Transparent build processes with visible supply chains are great, but all that information has been remarkably difficult to use. Until now!
Meet AMPEL, the Amazing Multi-Purpose Policy Engine. Ampel (
https://github.com/carabiner-dev/ampel) is the missing piece in the supply chain ecosystem: an open source policy engine that natively understands in-toto attestations, verifies keyless Sigstore signatures and understands any attestation predicate type.
Ampel is embeddable: it can look into SBOMs and warn about bad dependencies, understand security scans and gate builds when vulnerabilities are present, or stop artifacts from publishing when they don't meet security frameworks.
Ampel is slowly building an ecosystem: Starting with the bnd attester, the Ampel universe has tools that can work across the SLDC to secure CI/CD systems.
In this talk, we'll explore with practical examples how Ampel can ensure compliance of a hardened pipeline through verifiable evidence.
