Fork the kit. Own the trust chain.
ClearCutt is packaged as a forkable operating kit: configure a fleet, publish signed base images, deploy a catalog site, generate app-team templates, certify downstream images, and draft bounded remediation PRs without adopting a hosted control plane.
Configure
clearcutt.fleet.yaml is the single source of truth for registry owner, matrix targets, site settings, admission defaults, scan windows, and remediation caps.
Publish
GitHub Actions builds the configured matrix, signs images, attaches SBOMs, verifies SLSA Build L3 provenance, and deploys catalog evidence to Pages.
Onboard
App teams get matching dev images, runtime bases, certification policies, release workflows, and optional compatible-base rebase workflows.
Operator Commands
git clone https://github.com/northcutted/clearcutt.git
cd clearcutt
# Check that the forkable platform kit is wired together
clearcutt platform status
# Generate an app-team starter
clearcutt app template java --output examples/payments-api
# Build catalog data from releases, registry evidence, SBOMs, and scans
clearcutt catalog build --limit 10 --scan-depth 4
Evidence Boundaries
The catalog reports signatures, SBOMs, SLSA Build L3 provenance, test results, and vulnerability scans independently. A missing evidence channel stays visible instead of being inferred from another check.
Remediation is approved automation: scheduled scans create ranked plans and draft PRs for review. The workflow does not silently merge, deploy, or rewrite production images.
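The two properties above, independent evidence channels and bounded review-only remediation, are easy to state and easy to get subtly wrong. The following is an added illustration, not ClearCutt's own code: it evaluates each evidence channel of an image on its own (a channel that is absent is reported as missing, never inferred from a neighbouring check), ranks the images with gaps, and emits a plan whose only action is a draft PR and whose size is capped. The channel names, weights, image references, and cap value are assumptions constructed for this example.

```python
"""Evaluate supply-chain evidence per channel and derive a bounded,
review-only remediation plan from the result.

Constructed example; not ClearCutt's code. Channel names, weights,
image references and the cap are assumptions made for illustration.
"""

from dataclasses import dataclass, field

# Evidence channels reported for every image (assumed set, mirroring the
# catalog's signature / SBOM / provenance / tests / scan reporting).
CHANNELS = ("signature", "sbom", "provenance", "tests", "scan")

# Weight of a non-passing channel when ranking remediation work (assumed).
WEIGHTS = {"signature": 5, "provenance": 4, "sbom": 3, "scan": 2, "tests": 1}


@dataclass
class ImageEvidence:
    ref: str
    # channel -> True (verified) or False (failed). A channel that is not
    # present in the dict has no evidence at all; that is a third state.
    channels: dict = field(default_factory=dict)


def evaluate(image: ImageEvidence) -> dict:
    """Return {channel: 'pass' | 'fail' | 'missing'} for one image.

    Each channel is judged only on its own record. Nothing here reads one
    channel to fill in another (e.g. provenance passing does not imply an
    SBOM exists), so a missing evidence channel stays visible.
    """
    report = {}
    for channel in CHANNELS:
        if channel not in image.channels:
            report[channel] = "missing"
        elif image.channels[channel]:
            report[channel] = "pass"
        else:
            report[channel] = "fail"
    return report


def rank(images: list) -> list:
    """Rank images with gaps, highest weighted gap score first.

    Returns (score, ref, gaps) tuples; images with every channel passing
    are excluded because there is nothing to remediate.
    """
    scored = []
    for img in images:
        gaps = {c: s for c, s in evaluate(img).items() if s != "pass"}
        if gaps:
            scored.append((sum(WEIGHTS[c] for c in gaps), img.ref, gaps))
    # Stable, deterministic order: score descending, then reference name.
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored


def plan(images: list, max_drafts: int) -> dict:
    """Build a bounded plan: at most max_drafts draft-PR entries.

    The only action ever emitted is "draft-pr"; merging, deploying or
    rewriting images is out of scope by construction. Images beyond the
    cap are listed as deferred rather than silently dropped.
    """
    ranked = rank(images)
    drafts = [
        {"image": ref, "action": "draft-pr", "gaps": gaps}
        for _, ref, gaps in ranked[:max_drafts]
    ]
    deferred = [ref for _, ref, _ in ranked[max_drafts:]]
    return {"drafts": drafts, "deferred": deferred}


# Constructed sample fleet: references and results are made up.
SAMPLE = [
    ImageEvidence("ghcr.io/example/base-java:21",
                  {"signature": True, "sbom": True, "provenance": True,
                   "tests": True, "scan": True}),
    # SBOM absent entirely, scan failed
    ImageEvidence("ghcr.io/example/base-node:20",
                  {"signature": True, "provenance": True,
                   "tests": True, "scan": False}),
    # signature present but failed verification
    ImageEvidence("ghcr.io/example/base-python:3.12",
                  {"signature": False, "sbom": True, "provenance": True,
                   "tests": True, "scan": True}),
    # signature, provenance and scan all absent
    ImageEvidence("ghcr.io/example/base-go:1.22",
                  {"sbom": True, "tests": True}),
]

if __name__ == "__main__":
    for img in SAMPLE:
        print(img.ref, evaluate(img))
    # Cap of 2 drafts per run stands in for a remediation cap (assumed value).
    print(plan(SAMPLE, max_drafts=2))
```

With the sample fleet the Go image ranks first (three missing channels), the Node and Python images tie on score and fall back to name order, and a cap of two leaves the Python image explicitly deferred for the next run instead of vanishing from the report.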