Read all about here :)
slsa.dev/blog/2025/10...
@carabiner.dev.bsky.social
At Carabiner Systems we're busy building the connective tissue that will bind the supply chain security ecosystem
Then, we verify the #SBOM, a vulnerability scan, and apply signed #VEX documents to suppress any non-exploitable CVEs.
To round it all up, AMPEL issues a VSA for end-user consumption that ships with each artifact, showing how to verify the released binaries.
This time, the demo is a full SLSA end-to-end example. The post demonstrates how to leverage AMPEL to verify SLSA Build Track #attestations for the security level of a commit, check the provenance attestation of a builder image, and generate a VSA with the results, protecting the build process.
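The step in the thread above that applies signed VEX documents to a vulnerability scan is easy to get subtly wrong: a statement should only suppress a finding when it says the product is fixed or not affected, a not_affected claim needs a justification, and affected or under_investigation must never hide anything. The example below is added here to show that filtering logic in working code; it is not AMPEL's or Carabiner's code and does not use their PolicySet format. It assumes the VEX document is OpenVEX (v0.2.0 shape) whose envelope signature was already verified before this step, matches products by exact package URL string, and uses constructed CVE IDs and package names that are placeholders, not real vulnerabilities.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is one scanner result: a vulnerability reported against a product
// (a package URL, as the scanner reported it).
type Finding struct{ Vuln, Product string }

// VEXDoc is the subset of an OpenVEX document this example reads.
type VEXDoc struct {
	Statements []struct {
		Vulnerability struct {
			Name string `json:"name"`
		} `json:"vulnerability"`
		Products []struct {
			ID string `json:"@id"`
		} `json:"products"`
		Status        string `json:"status"`
		Justification string `json:"justification"`
	} `json:"statements"`
}

// ApplyVEX filters scanner findings using a VEX document whose signature has
// already been verified. A finding is suppressed only by a matching "fixed"
// statement or a "not_affected" statement that carries a justification;
// "affected" and "under_investigation" never suppress. When several
// statements match, the last one in the document wins (simplification:
// OpenVEX ranks conflicting statements by timestamp).
func ApplyVEX(findings []Finding, doc VEXDoc) (remaining []Finding, suppressed map[Finding]string) {
	suppressed = map[Finding]string{}
	for _, f := range findings {
		reason := ""
		for _, st := range doc.Statements {
			if st.Vulnerability.Name != f.Vuln {
				continue
			}
			matched := false
			for _, p := range st.Products {
				matched = matched || p.ID == f.Product // exact purl match; real matchers normalize
			}
			if !matched {
				continue
			}
			switch {
			case st.Status == "fixed":
				reason = "fixed"
			case st.Status == "not_affected" && st.Justification != "":
				reason = "not_affected: " + st.Justification
			default:
				reason = "" // affected, under_investigation, or unjustified not_affected
			}
		}
		if reason == "" {
			remaining = append(remaining, f)
		} else {
			suppressed[f] = reason
		}
	}
	return remaining, suppressed
}

// SampleVEX is a constructed OpenVEX document; the CVE IDs and package URLs
// are placeholders, not real vulnerabilities or packages.
const SampleVEX = `{
  "@context": "https://openvex.dev/ns/v0.2.0", "version": 1,
  "@id": "https://example.com/vex/demo", "author": "Example Maintainers",
  "timestamp": "2025-10-01T00:00:00Z",
  "statements": [
    {"vulnerability": {"name": "CVE-0000-1111"}, "products": [{"@id": "pkg:npm/example-a@1.0.0"}],
     "status": "not_affected", "justification": "vulnerable_code_not_present"},
    {"vulnerability": {"name": "CVE-0000-2222"}, "products": [{"@id": "pkg:npm/example-a@1.0.0"}],
     "status": "under_investigation"},
    {"vulnerability": {"name": "CVE-0000-3333"}, "products": [{"@id": "pkg:npm/example-b@2.0.0"}],
     "status": "not_affected"}
  ]
}`

// SampleFindings stands in for a vulnerability scanner's output (constructed).
var SampleFindings = []Finding{
	{"CVE-0000-1111", "pkg:npm/example-a@1.0.0"},
	{"CVE-0000-2222", "pkg:npm/example-a@1.0.0"},
	{"CVE-0000-3333", "pkg:npm/example-b@2.0.0"},
}

func main() {
	var doc VEXDoc
	if err := json.Unmarshal([]byte(SampleVEX), &doc); err != nil {
		panic(err)
	}
	remaining, suppressed := ApplyVEX(SampleFindings, doc)
	for f, why := range suppressed {
		fmt.Printf("suppressed %s on %s (%s)\n", f.Vuln, f.Product, why)
	}
	for _, f := range remaining {
		fmt.Printf("still open %s on %s\n", f.Vuln, f.Product)
	}
}
```

Only the first finding is suppressed: the second statement leaves the CVE under investigation, and the third claims not_affected without the justification OpenVEX requires, so a policy engine should keep that finding open rather than trust the bare claim.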
23.10.2025 14:54
We've published a new AMPEL case study on the SLSA Blog!
23.10.2025 14:54
We would love to hear your thoughts and feedback, but only after celebrating with a couple of beers, cheers!
24.09.2025 17:22
Shout out to @odd.computer for all their work securing open source and helping us operationalize OSS Rebuild with AMPEL
24.09.2025 17:22
AMPEL is Carabiner's flagship project, and to mark the release cut, we've published a PolicySet example and full demo/tutorial to protect projects from the recent npm credentials compromise with the help of Google's OSS Rebuild project. Check it out here:
github.com/carabiner-de...
We are proud to announce the second beta of AMPEL, our software supply chain security policy engine!
This release includes the final feature patches that were pending before the final release, plus a ton of improvements and bug fixes gathered during the beta.1 test.
github.com/carabiner-de...
v0.2.0 of our signer library is out! This release ships with full support for DSSE signing and verification.
github.com/carabiner-de...
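DSSE is the envelope that in-toto attestations (SLSA provenance, VSAs, signed VEX) travel in, and the part worth understanding is that the signature is not over the payload alone but over the Pre-Authentication Encoding, which binds the payload type to the payload. The example below is added here to show that construction end to end; it is not the signer library's code and mirrors none of its API. It assumes ed25519 keys, a caller-supplied map of trusted public keys indexed by keyid (the keyid in the envelope is only a lookup hint), and a constructed in-toto Statement with a made-up digest as payload.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the DSSE envelope as serialized to JSON: base64 payload plus
// one or more signatures, each with an optional key hint.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Signature is one entry of Envelope.Signatures.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// PAE is the DSSE Pre-Authentication Encoding, the bytes actually signed:
//   "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
// Lengths are byte counts, so the type and payload cannot be re-split.
func PAE(payloadType string, payload []byte) []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "DSSEv1 %d %s %d ", len(payloadType), payloadType, len(payload))
	b.Write(payload)
	return b.Bytes()
}

// Sign wraps payload in an envelope with a single ed25519 signature over PAE.
func Sign(priv ed25519.PrivateKey, keyID, payloadType string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, PAE(payloadType, payload))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify recomputes PAE from the envelope and returns the payload if at least
// one signature checks out under a key from the caller's trusted set. Trust
// comes from that set, never from anything inside the envelope.
func Verify(env Envelope, trusted map[string]ed25519.PublicKey) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	pae := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		if !ok {
			continue // unknown key hint: skip, keep looking
		}
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, pae, sig) {
			return payload, nil
		}
	}
	return nil, errors.New("no signature verified under a trusted key")
}

// InTotoPayloadType is the payload type used for in-toto Statements.
const InTotoPayloadType = "application/vnd.in-toto+json"

// SampleStatement is a constructed, minimal in-toto Statement; the subject
// digest and predicate type are placeholders.
const SampleStatement = `{"_type":"https://in-toto.io/Statement/v1",` +
	`"subject":[{"name":"app","digest":{"sha256":"` +
	`0000000000000000000000000000000000000000000000000000000000000000"}}],` +
	`"predicateType":"https://example.com/predicate/v1","predicate":{}}`

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"demo-key": pub}

	env := Sign(priv, "demo-key", InTotoPayloadType, []byte(SampleStatement))
	out, _ := json.MarshalIndent(env, "", "  ")
	fmt.Println(string(out))
	if _, err := Verify(env, trusted); err != nil {
		panic(err)
	}
	fmt.Println("original envelope: verified")

	// Swapping only the payload type breaks the signature: the type is part of PAE.
	tampered := env
	tampered.PayloadType = "application/vnd.example+json"
	_, err = Verify(tampered, trusted)
	fmt.Println("payload type swapped:", err)
}
```

The PAE for the DSSE specification's own example, type `http://example.com/HelloWorld` and body `hello world`, comes out as `DSSEv1 29 http://example.com/HelloWorld 11 hello world`, which is a handy fixture for checking any implementation. Because the type sits inside the signed bytes, a signed SBOM cannot be re-labelled as provenance, and a signature produced over the raw payload (without PAE) will never verify against a conforming envelope.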
We've released v0.3.0 of bnd, our in-toto attestations multitool
This release integrates AMPEL's collectors, effectively turning bnd into a CLI to read and write attestations from the supported repositories.
Get it now: github.com/carabiner-de...