This repository contains a reusable collection of policies to use with the 🔴🟡🟢 AMPEL Policy Engine.
The policies contained here are free to use and we always welcome patches and contributions!
The repository contains policies for the following supply chain technologies and formats:
- OpenEoX: Policies to work with end of life/end of support data
- OpenVEX: Policies for OpenVEX exploitability data
- SBOM: Software Bill of Materials
- Scorecard: OpenSSF Scorecard
- Security Insights: Security Insights Specification
- SLSA: Supply Chain Levels for Software Artifacts
- SLSA Source: SLSA Source Attestations
- Snappy: The Carabiner API snapshotter
- test-results: In-toto test results predicate
- VSA: Verification Summary Attestation
Additionally, we are in the process of creating a community-driven collection of policy sets, modeling popular frameworks and best practices. Here are some early examples:
- OSPS Baseline: OpenSSF's Open Source Project Security Baseline
- NTIA Minimum Elements: NTIA's Minimum Elements for Software Bill of Materials
This is a community project and, as such, we are happy to receive contributions, issues, new policies, and PolicySets! Feel free to open issues or pull requests to this repo to make things better for everyone!