Compliance-scanning provider plugins for the complyctl CLI. Each provider implements the complyctl gRPC plugin interface (hashicorp/go-plugin) with three RPCs: Describe, Generate, and Scan.
| Provider | Binary | Description |
|---|---|---|
| openscap-provider | complyctl-provider-openscap |
XCCDF-based system compliance scanning using OpenSCAP |
| ampel-provider | complyctl-provider-ampel |
In-toto attestation-based policy verification using AMPEL and snappy |
| opa-provider | complyctl-provider-opa |
OPA/conftest-based configuration policy evaluation |
Requires Go 1.25.0 or higher.
make build # Build all provider binaries to bin/
make build-openscap-provider # Build openscap provider only
make build-ampel-provider # Build ampel provider only
make build-opa-provider # Build opa provider onlyBinaries are output to bin/.
Copy the built binary to the complyctl providers directory:
mkdir -p ~/.complytime/providers
cp bin/complyctl-provider-* ~/.complytime/providers/Providers are discovered automatically by complyctl using the complyctl-provider- naming convention.
make test # Run all unit tests
make lint # Run golangci-lintcmd/
├── openscap-provider/ # XCCDF-based system scanning
├── ampel-provider/ # In-toto attestation verification
└── opa-provider/ # OPA/conftest policy evaluation
internal/
└── complytime/testdata/ # Shared XML test fixtures
docs/ # Documentation
Each provider is self-contained under cmd/<name>-provider/ with its own subpackage hierarchy. No shared library code between providers.
- Provider Development Guide -- developing providers.
- Dev Testing Environment -- devcontainer setup for interactive testing during PR review.
Apache-2.0. See LICENSE for details.
See CONTRIBUTING.md for guidelines. All changes require a feature branch and PR with review from at least two maintainers.