Tool name: 🔴🟡🟢 AMPEL (Amazing Multipurpose Policy Engine (and L)) #83
Description
homepage_url
https://github.com/carabiner-dev/ampel
contact_email
code_view_url
https://github.com/carabiner-dev/ampel
spdx_license_expression
Apache-2.0
description
AMPEL is a supply chain policy engine designed to be embedded across the software development lifecycle, guaranteeing that source, tools, and build environments can be trusted to consume, run, and deploy. AMPEL applies reusable code policies to signed evidence (attestations), driving CICD systems, repositories, and deployments.
As an open source project, AMPEL is format-agnostic and supports any security metadata format out of the box. It can be extended with format-specific extensions, allowing for increasingly sophisticated policies. And it ships some cool ones, too!
If you build, ship, or deploy software, give it a spin. We’d love to hear your feedback.
primary_languages
go
short_term_roadmap
- OpenSSF sandbox donation
policyctlrelease- More attestation sources
- Native sigstore signing
- SVR output support
long_term_roadmap
- More tool integrations (embedding AMPEL)
- Kubernetes admission controller
- Native OSCAL support
- Runtimes: cedar, rego, starlark
proprietary_data
- Yes, the tool depends on proprietary data sources
commercial_features
- Yes, the tool has a commercial version with different/additional features
capabilities
- Identifiers - Use Package-URL (PURL) identifiers
- Identifiers - Use SPDX license expressions
- Scanning - Analyze package manifests and lockfiles
- Scanning - Analyze package files
- Scanning - Scan for copyright
- Scanning - Scan for license
- Scanning - Analyze source code
- Scanning - Analyze containers
- Scanning - Analyze installed system packages (linux distros)
- Scanning - Analyze installed application packages
- Scanning - Other analysis
- Packages - Inventory packages
- Packages - Inventory packages dependencies
- Packages - Resolve dependencies
- Packages - Navigate or display dependency graph
- Compliance - Generate CycloneDX SBOMs
- Compliance - Generate SPDX SBOMs
- Compliance - Validate CycloneDX SBOM
- Compliance - Validate SPDX SBOMs
- Compliance - Generate CycloneDX VEX
- Compliance - Generate CSAF VEX
- Compliance - Generate OpenVex
- Compliance - Generate other compliance documents
- Policies - Define and check license policies
- Policies - Define and check security policies
- Policies - Define and check other policies
- Data - Database of Package metadata
- Data - Database of Package dependency relationships
- Data - Database of License obligations
- Data - Database of Licenses
- Data - Database of Vulnerabilities
- License - Help triage license issues
- License - Generate license credit and attribution notices
- License - Generate source code redistribution lists
- Vulnerabilities - Detect vulnerable code in packages
- Vulnerabilities - Find known vulnerabilities for package
- Vulnerabilities - Determine reachable vulnerabilities
- Vulnerabilities - Help triage vulnerabilities
- Binaries - Analyze binaries
- Binaries - Analyze ELF binaries
- Binaries - Analyze Windows binaries
- Binaries - Analyze firmware binaries
- Binaries - Analyze Other binaries
- Matching - Match source code
- Matching - Match binary code
- Tracing - Trace code execution
- Tracing - Trace build
- Code Security - Analyze code statically (SAST/linting)
- Code Security - Analyze code dynamically (DAST)
- Download - Source package
- Download - Source repositories
- Download - Binary package
- Deployment - Deployable as containers (Docker/OCI/k8s/etc)
- Deployment - Deployable in CI/CD pipelines
- Deployment - Deployable as a library
- Run - Run as a command line tool
- Run - Run as a web application
- Run - Run as an API service
other_capabilities
AMPEL supports remote policy referencing; policies can be signed, expired, and templated. It has other advanced features, such as policy and policy group composition to model complex frameworks, and it can map policies to framework requirements (CRA, wink wink).
It can be extended in many ways: alternative runtimes, transformers, and new runtime functions. AMPEL has a pluggable evidence collector that can read from a growing list of sources, including repositories, registries, HTTP servers, and more.
The project offers ready to use GitHub actions and an open source community policy repository that already hosts policies to verify popular security formats.