-
Notifications
You must be signed in to change notification settings - Fork 34
feat: add github actions for macaron #1241
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
15 commits
Select commit
Hold shift + click to select a range
623474b
refactor: add github action to macaron.
Demolus13 f3e6bd4
refactor: improve github action usage through --existing-policy.
Demolus13 2c1eb19
refactor: add input from subject-path in attestation.
Demolus13 ca66b27
refactor: add python_venv to inputs in action.yaml and build macaron …
Demolus13 010f7c7
chore: add test workflow for github action and test resources.
Demolus13 51382d1
chore: set go setup cache to false.
Demolus13 90778ff
chore: set the correct default path for exclude checks job in publish…
Demolus13 9ce869f
chore: set Hash for setup actions.
Demolus13 43181ab
chore: correct spelling of provenance
Demolus13 2a0f8fd
chore: change to appropriate filename
Demolus13 ddd58b7
chore: create shell scripts for action.yaml
Demolus13 ff82091
chore: change directory name from tutorials to tutorial_resources
Demolus13 d557ff6
test: add new tutorial to test_macaron_action workflow
Demolus13 b2d0eb1
chore: remove verify-provenance from docs
Demolus13 6ab9456
chore: show the default options in subject_path
Demolus13 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,213 @@ | ||
| # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved. | ||
| # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. | ||
|
|
||
| name: Test Macaron Action (tutorials) | ||
|
|
||
| on: | ||
| push: | ||
| paths: | ||
| - action.yaml | ||
| pull_request: | ||
| paths: | ||
| - action.yaml | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| id-token: write | ||
| attestations: write | ||
|
|
||
| jobs: | ||
| tutorial-commit-finder: | ||
| name: Analyzing and comparing different versions of an artifact | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
|
|
||
| - name: Run Macaron (analyze [email protected]) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:pypi/[email protected] | ||
| output_dir: macaron_output/commit_finder | ||
|
|
||
| - name: Run Macaron (analyze [email protected]) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:pypi/[email protected] | ||
| output_dir: macaron_output/commit_finder | ||
|
|
||
| - name: Run Macaron (verify policy - has-hosted-build) | ||
| uses: ./ | ||
| with: | ||
| policy_file: ./tests/tutorial_resources/commit_finder/has-hosted-build.dl | ||
| output_dir: macaron_output/commit_finder | ||
|
|
||
| tutorial-detect-malicious-package: | ||
| name: Detecting malicious packages | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
| - name: Run Macaron (analyze [email protected] without dependencies) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:pypi/[email protected] | ||
| output_dir: macaron_output/detect_malicious_package | ||
|
|
||
| - name: Run Macaron (verify policy - check-django) | ||
| uses: ./ | ||
| with: | ||
| policy_file: ./tests/tutorial_resources/detect_malicious_package/check-django.dl | ||
| output_dir: macaron_output/detect_malicious_package | ||
|
|
||
| - name: Setup Python for analyzed venv | ||
| uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 | ||
| with: | ||
| python-version: 3.11.13 | ||
|
|
||
| - name: Create and populate analyzed venv | ||
| run: | | ||
| python -m venv /tmp/.django_venv | ||
| source /tmp/.django_venv/bin/activate | ||
| pip install --upgrade pip | ||
| pip install django==5.0.6 | ||
| shell: bash | ||
|
|
||
| - name: Clean previous macaron output | ||
| run: | | ||
| rm -rf macaron_output/detect_malicious_package | ||
| shell: bash | ||
|
|
||
| - name: Run Macaron (analyze [email protected] with direct dependencies) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:pypi/[email protected] | ||
| output_dir: macaron_output/detect_malicious_package | ||
| deps_depth: '1' | ||
| python_venv: /tmp/.django_venv | ||
|
|
||
| - name: Run Macaron (verify policy - check-dependencies) | ||
| uses: ./ | ||
| with: | ||
| policy_file: ./tests/tutorial_resources/detect_malicious_package/check-dependencies.dl | ||
| output_dir: macaron_output/detect_malicious_package | ||
|
|
||
| tutorial-detect-vulnerable-actions: | ||
| name: How to detect vulnerable GitHub Actions | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
|
|
||
| - name: Run Macaron (analyze repo - apache/logging-log4j2) | ||
| uses: ./ | ||
| with: | ||
| repo_path: https://github.com/apache/logging-log4j2 | ||
| output_dir: macaron_output/detect_vulnerable_github_actions | ||
|
|
||
| - name: Run Macaron (verify policy - github_actions_vulns for repo) | ||
| uses: ./ | ||
| with: | ||
| policy_file: ./tests/tutorial_resources/detect_vulnerable_github_actions/check_github_actions_vuln_repo.dl | ||
| output_dir: macaron_output/detect_vulnerable_github_actions | ||
|
|
||
| - name: Run Macaron (analyze purl - log4j-core example) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:maven/org.apache.logging.log4j/[email protected] | ||
| output_dir: macaron_output/detect_vulnerable_github_actions | ||
|
|
||
| - name: Run Macaron (verify policy - github_actions_vulns for purl) | ||
| uses: ./ | ||
| with: | ||
| policy_file: ./tests/tutorial_resources/detect_vulnerable_github_actions/check_github_actions_vuln_purl.dl | ||
| output_dir: macaron_output/detect_vulnerable_github_actions | ||
|
|
||
| tutorial-provenance: | ||
| name: Provenance discovery, extraction, and verification | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
| - name: Run Macaron (analyze semver 7.7.2) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:npm/[email protected] | ||
| output_dir: macaron_output/provenance | ||
|
|
||
| - name: Run Macaron (verify provenance - semver) | ||
| uses: ./ | ||
| with: | ||
| policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_semver.dl | ||
| output_dir: macaron_output/provenance | ||
|
|
||
| - name: Run Macaron (analyze toga 0.5.1 - PyPI provenance) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:pypi/[email protected] | ||
| output_dir: macaron_output/provenance | ||
|
|
||
| - name: Run Macaron (verify provenance - toga PyPI) | ||
| uses: ./ | ||
| with: | ||
| policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_toga.dl | ||
| output_dir: macaron_output/provenance | ||
|
|
||
| - name: Run Macaron (analyze toga 0.4.8 - GitHub attestation) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:pypi/[email protected] | ||
| output_dir: macaron_output/provenance | ||
|
|
||
| - name: Run Macaron (verify provenance - toga GitHub) | ||
| uses: ./ | ||
| with: | ||
| policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_toga.dl | ||
| output_dir: macaron_output/provenance | ||
|
|
||
| - name: Run Macaron (analyze urllib3 2.0.0a1 - GitHub attestation) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:pypi/[email protected] | ||
| output_dir: macaron_output/provenance | ||
|
|
||
| - name: Run Macaron (verify provenance - urllib3) | ||
| uses: ./ | ||
| with: | ||
| policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_urllib3.dl | ||
| output_dir: macaron_output/provenance | ||
|
|
||
| tutorial-detect-malicious-java-dep: | ||
| name: Detecting Java dependencies manually uploaded to Maven Central | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
| - name: Run Macaron (analyze example-maven-app with SBOM) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar | ||
| repo_path: https://github.com/behnazh-w/example-maven-app | ||
| output_dir: macaron_output/detect_malicious_java_dep | ||
| sbom_path: ./resources/detect_malicious_java_dep/example-sbom.json | ||
| deps_depth: '1' | ||
|
|
||
| - name: Run Macaron (verify policy - detect-malicious-upload) | ||
| uses: ./ | ||
| with: | ||
| policy_file: ./tests/tutorial_resources/detect_malicious_java_dep/example-maven-app.dl | ||
| output_dir: macaron_output/detect_malicious_java_dep | ||
|
|
||
| tutorial-exclude-include-checks: | ||
| name: Exclude and include checks in Macaron | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
|
|
||
| - name: Run Macaron (analyze micronaut-core with default checks) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:maven/io.micronaut/[email protected] | ||
| output_dir: macaron_output/exclude_include_checks/normal | ||
|
|
||
| - name: Run Macaron (analyze micronaut-core excluding witness check via defaults.ini) | ||
| uses: ./ | ||
| with: | ||
| package_url: pkg:maven/io.micronaut/[email protected] | ||
| defaults_path: ./tests/tutorial_resources/exclude_include_checks/defaults_exclude_witness.ini | ||
| output_dir: macaron_output/exclude_include_checks/excluded |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,124 @@ | ||
| # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved. | ||
| # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/. | ||
|
|
||
| name: Macaron Security Analysis | ||
| description: Run Macaron to analyze supply chain security | ||
| author: Oracle - github.com/oracle/macaron | ||
| # This composite GitHub Action wraps the Macaron tool. It exposes inputs for analysis options to shell scripts under `scripts/actions/` for readability. | ||
|
|
||
| inputs: | ||
| sbom_path: | ||
| description: The path to the SBOM of the analysis target. | ||
| python_venv: | ||
| description: Path to a Python virtual environment to resolve Python dependencies (used with Python analyze). | ||
| package_url: | ||
| description: The PURL string used to uniquely identify the target software component for analysis. | ||
| repo_path: | ||
| description: The path to the repository, can be local or remote. | ||
| policy_file: | ||
| description: Path to the Datalog policy. | ||
| policy_purl: | ||
| description: The PURL string for the pre-defined policy. | ||
| defaults_path: | ||
| description: The path to the defaults configuration file. | ||
| digest: | ||
| description: The digest of the commit we want to checkout in the branch. | ||
| provenance_expectation: | ||
| description: The path to provenance expectation file or directory. | ||
| provenance_file: | ||
| description: The path to the provenance file in in-toto format. | ||
| show_prelude: | ||
| description: Shows the Datalog prelude for the database. | ||
| branch: | ||
| description: The branch of the repository that we want to checkout. | ||
| deps_depth: | ||
| description: 'The depth of the dependency resolution. 0: disable, 1: direct dependencies, inf: all transitive dependencies.' | ||
| default: '0' | ||
| github_token: | ||
| description: The GitHub personal access token is needed for to run the analysis. | ||
| default: ${{ github.token }} | ||
| output_dir: | ||
| description: The output destination path for Macaron. | ||
| default: output | ||
| upload_attestation: | ||
| description: 'Upload the generated VSA report. default : false' | ||
| default: false | ||
| subject_path: | ||
| description: 'Path to the artifact serving as the subject of the attestation, the default is current repository. default : github.workspace' | ||
| default: ${{ github.workspace }} | ||
|
|
||
| outputs: | ||
| policy_report: | ||
| description: Paths to the Macaron analysis report | ||
| value: ${{ steps.run-macaron-policy-verification.outputs.policy_report }} | ||
| vsa_report: | ||
| description: Verification Summary Attestation | ||
| value: ${{ steps.run-macaron-policy-verification.outputs.vsa_report }} | ||
|
|
||
| runs: | ||
| using: composite | ||
| steps: | ||
| - name: Setup Python | ||
| uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0 | ||
| with: | ||
| python-version: 3.11.13 | ||
|
|
||
| - name: Setup Go | ||
| uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 | ||
| with: | ||
| go-version: '1.23' | ||
| cache: false | ||
|
|
||
| - name: Setup JDK | ||
| uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0 | ||
| with: | ||
| java-version: '17' | ||
| distribution: oracle | ||
|
|
||
| - name: Setup Macaron | ||
| # Create or reuse a Python virtualenv with the macaron CLI and export the `MACARON` binary path via `$GITHUB_ENV` so later steps can use it. | ||
| run: | | ||
| bash "$GITHUB_ACTION_PATH/scripts/actions/setup_macaron.sh" | ||
| shell: bash | ||
|
|
||
| - name: Run Macaron Analysis | ||
| id: run-macaron-analysis | ||
| if: ${{ inputs.repo_path != '' || inputs.package_url != '' }} | ||
| # Build and execute the `macaron analyze` command. We pass action inputs into the script via `env` so the script can assemble the CLI command. | ||
| run: | | ||
| bash "$GITHUB_ACTION_PATH/scripts/actions/run_macaron_analysis.sh" | ||
| shell: bash | ||
| env: | ||
| GITHUB_TOKEN: ${{ inputs.github_token }} | ||
| DEFAULTS_PATH: ${{ inputs.defaults_path }} | ||
| OUTPUT_DIR: ${{ inputs.output_dir }} | ||
| REPO_PATH: ${{ inputs.repo_path }} | ||
| PACKAGE_URL: ${{ inputs.package_url }} | ||
| BRANCH: ${{ inputs.branch }} | ||
| DIGEST: ${{ inputs.digest }} | ||
| DEPS_DEPTH: ${{ inputs.deps_depth }} | ||
| SBOM_PATH: ${{ inputs.sbom_path }} | ||
| PYTHON_VENV: ${{ inputs.python_venv }} | ||
| PROVENANCE_FILE: ${{ inputs.provenance_file }} | ||
| PROVENANCE_EXPECTATION: ${{ inputs.provenance_expectation }} | ||
|
|
||
| - name: Run Macaron Policy Verification | ||
| id: run-macaron-policy-verification | ||
| if: ${{ inputs.policy_file != '' }} | ||
| # Run policy verification using a Datalog policy file or a pre-defined policy and a PURL. The script writes `policy_report` and `vsa_report` to `$GITHUB_OUTPUT` if policy verification is successful. | ||
| run: | | ||
| bash "$GITHUB_ACTION_PATH/scripts/actions/run_macaron_policy_verification.sh" | ||
| shell: bash | ||
| env: | ||
| DEFAULTS_PATH: ${{ inputs.defaults_path }} | ||
| OUTPUT_DIR: ${{ inputs.output_dir }} | ||
| POLICY_FILE: ${{ inputs.policy_file }} | ||
| POLICY_PURL: ${{ inputs.policy_purl }} | ||
|
|
||
| - name: Upload Attestation | ||
| if: ${{ inputs.upload_attestation == 'true' && steps.run-macaron-policy-verification.outputs.vsa_report != 'VSA Not Generated.' }} | ||
| uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 #3.0.0 | ||
| with: | ||
| subject-path: ${{ inputs.subject_path }} | ||
| predicate-type: https://slsa.dev/verification_summary/v1 | ||
| predicate-path: ${{ steps.run-macaron-policy-verification.outputs.vsa_report }} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.