
Carabiner Systems

@carabiner.dev.bsky.social

At Carabiner Systems we're busy building the connective tissue that will bind the supply chain security ecosystem 🔗

9 Followers  |  2 Following  |  10 Posts  |  Joined: 13.08.2025  |  1.3841

Latest posts by carabiner.dev on Bluesky


SLSA End-to-End With AMPEL & Friends This guest post walks through a practical, end-to-end SLSA implementation using 🔴🟡🟢 AMPEL, the Amazing Multipurpose Policy Engine (and L), along with other tools in the supply chain security ecosyst...

Read all about here :)
slsa.dev/blog/2025/10...

23.10.2025 14:54  |  👍 1    🔁 0    💬 0    📌 0

Then, we verify the #SBOM, a vulnerability scan, and apply signed #VEX documents to suppress any non-exploitable CVEs.

To round it all up, AMPEL issues a VSA for end-user consumption that ships with each artifact, showing how to verify the released binaries.

23.10.2025 14:54  |  👍 1    🔁 0    💬 1    📌 0

This time, the demo is a full SLSA end-to-end example. The post demonstrates how to leverage AMPEL to verify SLSA Build Track #attestations for the security level of a commit, check the provenance attestation of a builder image, and generate a VSA with the results, protecting the build process.

23.10.2025 14:54  |  👍 0    🔁 0    💬 1    📌 0

We've published a new 🔴🟡🟢 AMPEL case study on the SLSA Blog!

23.10.2025 14:54  |  👍 0    🔁 1    💬 1    📌 1

We would love to hear your thoughts and feedback, but only after celebrating with a couple of beers, cheers! 🍻

24.09.2025 17:22  |  👍 0    🔁 0    💬 0    📌 0

Shout out to @odd.computer for all their work securing open source and helping us operationalize OSS Rebuild with AMPEL 🤗

24.09.2025 17:22  |  👍 1    🔁 0    💬 1    📌 0
GitHub - carabiner-dev/demo-npm-compromise: A sample npm app to verify compromised packages with Google's OSS Rebuild project A sample npm app to verify compromised packages with Google's OSS Rebuild project - carabiner-dev/demo-npm-compromise

AMPEL is Carabiner's flagship project, and to mark the release cut, we've published a PolicySet example and full demo/tutorial to protect projects from the recent npm credentials compromise with the help of Google's OSS Rebuild project. Check it out here:

github.com/carabiner-de...

24.09.2025 17:22  |  👍 1    🔁 0    💬 1    📌 0

GitHub - carabiner-dev/ampel: 🔴🟡🟢 The Amazing Multipurpose Policy Engine (and L) 🔴🟡🟢 The Amazing Multipurpose Policy Engine (and L) - carabiner-dev/ampel

We are proud to announce the second beta of 🔴🟡🟢 AMPEL, our software supply chain security policy engine! 🥳

This release includes the final feature patches that were pending before the final release, plus a ton of improvements and bug fixes gathered during the beta.1 test.

github.com/carabiner-de...

24.09.2025 17:22  |  👍 3    🔁 0    💬 1    📌 1
GitHub - carabiner-dev/signer: Easy digital signing library with support for sigstore and key pairs. Easy digital signing library with support for sigstore and key pairs. - carabiner-dev/signer

v0.2.0 of our signer library is out! This release ships with full support for DSSE signing and verification.

github.com/carabiner-de...

11.09.2025 05:59  |  👍 1    🔁 1    💬 0    📌 0

We've released v0.3.0 of bnd, our in-toto attestations multitool 🎉

This release integrates 🔴🟡🟢 AMPEL's collectors, effectively turning bnd into a CLI to read and write attestations from the supported repositories.

Get it now: github.com/carabiner-de...

05.09.2025 17:02  |  👍 1    🔁 0    💬 0    📌 1
