Posts by Carabiner Systems
Then, we verify the #SBOM, a vulnerability scan, and apply signed #VEX documents to suppress any non-exploitable CVEs.
To round it all up, AMPEL issues a VSA for end-user consumption that ships with each artifact, showing how to verify the released binaries.
This time, the demo is a full SLSA end-to-end example. The post demonstrates how to leverage AMPEL to verify SLSA Build Track #attestations for the security level of a commit, check the provenance attestation of a builder image, and generate a VSA with the results, protecting the build process.
We've published a new 🔴🟡🟢 AMPEL case study on the SLSA Blog!
We would love to hear your thoughts and feedback, but only after celebrating with a couple of beers, cheers! 🍻
Shout out to @odd.computer for all their work securing open source and helping us operationalize OSS Rebuild with AMPEL 🤝
AMPEL is Carabiner's flagship project, and to mark the release cut, we've published a PolicySet example and full demo/tutorial to protect projects from the recent npm credentials compromise with the help of Google's OSS Rebuild project. Check it out here:
github.com/carabiner-de...
We are proud to announce the second beta of 🔴🟡🟢 AMPEL, our software supply chain security policy engine! 🥳
This release includes the final feature patches that were pending before the final release, plus a ton of improvements and bug fixes gathered during the beta.1 test.
github.com/carabiner-de...
v0.2.0 of our signer library is out! This release ships with full support for DSSE signing and verification.
github.com/carabiner-de...
We've released v0.3.0 of bnd, our in-toto attestations multitool
This release integrates 🔴🟡🟢 AMPEL's collectors, effectively turning bnd into a CLI to read and write attestations from the supported repositories.
Get it now: github.com/carabiner-de...