We are also looking at using Autopkg, but there are some security concerns to take into account. For example, there isn't currently a way to tell if a recipe author is doing anything bad with their recipe, other than auditing the recipe manually and understanding what the recipe does. The recommended way to handle this is to set up up a workflow where each recipe you use has a corresponding override with trust settings. If the recipe changes, it will throw an error so you can audit the parent recipe again and update the trust settings. You can find more about that workflow here:
https://github.com/autopkg/autopkg/wiki/Autopkg-and-recipe-parent-trust-info
Note that these options are a feature of Autopkg 1.0, which is currently in prerelease (the current release is 0.6).
