Open Delivery Gear (ODG) is a production-ready compliance automation engine built for software components modelled with the Open Component Model. It helps teams continuously scan delivery artifacts, keep findings actionable, and enforce service-level expectations through automation. ODG implements a trust-but-verify solution for public and sovereign clouds.
The project is under neutral governance by the NeoNephos Foundation, as part of the Apeiro Reference Architecture.
Tip: Check out the live ODG Demo playground.
ODG is an extensible security and compliance automation toolbox designed for cloud-native delivery and Kubernetes-centric environments.
Core capabilities include:
- Kubernetes-native deployment and operating model
- Asynchronous and autonomous security and compliance scans
- Extensible architecture for custom integrations and policies
- Finding tracking with configurable SLAs
- "Trust, but verify" operating model for delivery assurance
- Assisted rescoring to extract value from available runtime context information
The goal is to reduce manual governance effort while increasing confidence in software delivery quality and compliance posture across public and sovereign cloud scenarios.
Open Delivery Gear follows an automation-first workflow:
- Users subscribe to OCM component versions.
- Scans are executed automatically and asynchronously.
- Scanner capacity scales both vertically and horizontally.
- Findings are tracked against discovery dates and SLA timelines.
- Assisted rescoring can adjust due dates or classify findings as false positives.
- Processing remains traceable and transparent.
- Assessments can be transported and imported via OCM.
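As an added illustration of the finding-tracking and rescoring steps above (this is example code, not ODG's own code or data model), the following Python sketch computes SLA due dates from discovery dates, records each assisted-rescoring decision as an audit entry so processing stays traceable, and lets a rescoring either move a due date or classify a finding as a false positive. The severity names, SLA durations, finding identifiers and the rescoring record shape are assumptions chosen for the example.

```python
"""SLA-based finding tracking with assisted rescoring (hypothetical example).

Not ODG's own code: the severity scale, the SLA durations and the shape of
the rescoring record are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed SLA policy: days allowed to resolve a finding, keyed by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Rescoring:
    """One rescoring decision, kept as an audit record for traceability."""
    reason: str
    new_due_date: Optional[date] = None
    false_positive: bool = False


@dataclass
class Finding:
    finding_id: str
    severity: str
    discovered_on: date
    history: List[Rescoring] = field(default_factory=list)

    @property
    def false_positive(self) -> bool:
        """A finding stays classified as false positive once any rescoring says so."""
        return any(r.false_positive for r in self.history)

    @property
    def due_date(self) -> Optional[date]:
        """Current due date: no date for false positives, otherwise the most
        recent rescored date, otherwise discovery date plus the SLA window."""
        if self.false_positive:
            return None
        for r in reversed(self.history):
            if r.new_due_date is not None:
                return r.new_due_date
        if self.severity not in SLA_DAYS:
            raise ValueError(f"no SLA configured for severity {self.severity!r}")
        return self.discovered_on + timedelta(days=SLA_DAYS[self.severity])

    def is_overdue(self, today: date) -> bool:
        due = self.due_date
        return due is not None and today > due


def rescore_due_date(finding: Finding, reason: str, new_due_date: date) -> Finding:
    """Assisted rescoring that extends or shortens the due date, with a reason."""
    finding.history.append(Rescoring(reason=reason, new_due_date=new_due_date))
    return finding


def mark_false_positive(finding: Finding, reason: str) -> Finding:
    """Assisted rescoring that classifies the finding as a false positive."""
    finding.history.append(Rescoring(reason=reason, false_positive=True))
    return finding


def overdue_findings(findings: List[Finding], today: date) -> List[str]:
    """Identifiers of findings whose due date has passed, sorted for stable output."""
    return sorted(f.finding_id for f in findings if f.is_overdue(today))


def demo(today: date = date(2024, 6, 1)) -> List[str]:
    """Constructed sample findings (not real data) run through the tracker."""
    f1 = Finding("F-1", "critical", date(2024, 5, 1))   # due 2024-05-08: overdue
    f2 = Finding("F-2", "high", date(2024, 5, 20))      # due 2024-06-19: on track
    f3 = rescore_due_date(
        Finding("F-3", "critical", date(2024, 5, 1)),
        reason="component not reachable in runtime context; extended",
        new_due_date=date(2024, 6, 15),
    )
    f4 = mark_false_positive(
        Finding("F-4", "medium", date(2024, 1, 1)),
        reason="affected function not compiled into the shipped artefact",
    )
    return overdue_findings([f1, f2, f3, f4], today)


if __name__ == "__main__":
    print(demo())  # ['F-1']
```

Every change to a due date goes through the history list rather than overwriting a field, so the current state of a finding can always be reconstructed from its rescoring records, which is the property the "traceable and transparent" bullet asks for.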
Open Delivery Gear is designed for both platform operators and application teams. Operators interact with ODG through the Kubernetes API to integrate it into cluster-native workflows. End users can work with findings and delivery insights either through the Delivery Dashboard UI or via HTTP APIs for automation and integration scenarios.
To get a feel for ODG before setting it up yourself, visit the Demo Playground. It provides a live instance of ODG connected to real data, so you can explore OCM components, findings, and the overall user experience without any installation required.
- Demo Playground
- Local Setup using Kind
- Standalone installation using Helm
- K8s ODG Operator
- 🚧 openMCP Provider
Related Repositories and Codebases
The codebase is distributed across multiple repositories.
- Core API
- ODG Database
- ODG Operator
- OCM Artefact Enumerator
- Assisted Rescoring
- Scan Backlog Controller
- ODG Database Backup
Open Delivery Gear is part of the OCM community.
- Join the regular OCM community call to discuss roadmap topics, integrations, and operational best practices.
- Use community discussions to share feedback, report gaps, and collaborate on new automation scenarios.
Code contributions, feature requests, bug reports, and help requests are very welcome. Please refer to the Contributing Guide in the Community repository for more information on how to contribute to ODG.
To make ODG a welcoming and harassment-free experience for everyone, we follow the NeoNephos Code of Conduct.
Please refer to the LICENSE for copyright and license information. Detailed information, including third-party components and their licensing/copyright information, is available via the REUSE tool.