Thanks to visit codestin.com
Credit goes to github.com

Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
213 changes: 213 additions & 0 deletions .github/workflows/test_macaron_action.yaml
Comment thread
behnazh-w marked this conversation as resolved.
Original file line number Diff line number Diff line change
@@ -0,0 +1,213 @@
# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

name: Test Macaron Action (tutorials)

on:
push:
paths:
- action.yaml
pull_request:
paths:
- action.yaml
workflow_dispatch:

permissions:
id-token: write
attestations: write

jobs:
tutorial-commit-finder:
name: Analyzing and comparing different versions of an artifact
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

- name: Run Macaron (analyze [email protected])
uses: ./
with:
package_url: pkg:pypi/[email protected]
output_dir: macaron_output/commit_finder

- name: Run Macaron (analyze [email protected])
uses: ./
with:
package_url: pkg:pypi/[email protected]
output_dir: macaron_output/commit_finder

- name: Run Macaron (verify policy - has-hosted-build)
uses: ./
with:
policy_file: ./tests/tutorial_resources/commit_finder/has-hosted-build.dl
output_dir: macaron_output/commit_finder

tutorial-detect-malicious-package:
name: Detecting malicious packages
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Run Macaron (analyze [email protected] without dependencies)
uses: ./
with:
package_url: pkg:pypi/[email protected]
output_dir: macaron_output/detect_malicious_package

- name: Run Macaron (verify policy - check-django)
uses: ./
with:
policy_file: ./tests/tutorial_resources/detect_malicious_package/check-django.dl
output_dir: macaron_output/detect_malicious_package

- name: Setup Python for analyzed venv
uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: 3.11.13

- name: Create and populate analyzed venv
run: |
python -m venv /tmp/.django_venv
source /tmp/.django_venv/bin/activate
pip install --upgrade pip
pip install django==5.0.6
shell: bash

- name: Clean previous macaron output
run: |
rm -rf macaron_output/detect_malicious_package
shell: bash

- name: Run Macaron (analyze [email protected] with direct dependencies)
uses: ./
with:
package_url: pkg:pypi/[email protected]
output_dir: macaron_output/detect_malicious_package
deps_depth: '1'
python_venv: /tmp/.django_venv

- name: Run Macaron (verify policy - check-dependencies)
uses: ./
with:
policy_file: ./tests/tutorial_resources/detect_malicious_package/check-dependencies.dl
output_dir: macaron_output/detect_malicious_package

tutorial-detect-vulnerable-actions:
name: How to detect vulnerable GitHub Actions
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

- name: Run Macaron (analyze repo - apache/logging-log4j2)
uses: ./
with:
repo_path: https://github.com/apache/logging-log4j2
output_dir: macaron_output/detect_vulnerable_github_actions

- name: Run Macaron (verify policy - github_actions_vulns for repo)
uses: ./
with:
policy_file: ./tests/tutorial_resources/detect_vulnerable_github_actions/check_github_actions_vuln_repo.dl
output_dir: macaron_output/detect_vulnerable_github_actions

- name: Run Macaron (analyze purl - log4j-core example)
uses: ./
with:
package_url: pkg:maven/org.apache.logging.log4j/[email protected]
output_dir: macaron_output/detect_vulnerable_github_actions

- name: Run Macaron (verify policy - github_actions_vulns for purl)
uses: ./
with:
policy_file: ./tests/tutorial_resources/detect_vulnerable_github_actions/check_github_actions_vuln_purl.dl
output_dir: macaron_output/detect_vulnerable_github_actions

tutorial-provenance:
name: Provenance discovery, extraction, and verification
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Run Macaron (analyze semver 7.7.2)
uses: ./
with:
package_url: pkg:npm/[email protected]
output_dir: macaron_output/provenance

- name: Run Macaron (verify provenance - semver)
uses: ./
with:
policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_semver.dl
output_dir: macaron_output/provenance

- name: Run Macaron (analyze toga 0.5.1 - PyPI provenance)
uses: ./
with:
package_url: pkg:pypi/[email protected]
output_dir: macaron_output/provenance

- name: Run Macaron (verify provenance - toga PyPI)
uses: ./
with:
policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_toga.dl
output_dir: macaron_output/provenance

- name: Run Macaron (analyze toga 0.4.8 - GitHub attestation)
uses: ./
with:
package_url: pkg:pypi/[email protected]
output_dir: macaron_output/provenance

- name: Run Macaron (verify provenance - toga GitHub)
uses: ./
with:
policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_toga.dl
output_dir: macaron_output/provenance

- name: Run Macaron (analyze urllib3 2.0.0a1 - GitHub attestation)
uses: ./
with:
package_url: pkg:pypi/[email protected]
output_dir: macaron_output/provenance

- name: Run Macaron (verify provenance - urllib3)
uses: ./
with:
policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_urllib3.dl
output_dir: macaron_output/provenance

tutorial-detect-malicious-java-dep:
name: Detecting Java dependencies manually uploaded to Maven Central
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Run Macaron (analyze example-maven-app with SBOM)
uses: ./
with:
package_url: pkg:maven/io.github.behnazh-w.demo/[email protected]?type=jar
repo_path: https://github.com/behnazh-w/example-maven-app
output_dir: macaron_output/detect_malicious_java_dep
sbom_path: ./resources/detect_malicious_java_dep/example-sbom.json
deps_depth: '1'

- name: Run Macaron (verify policy - detect-malicious-upload)
uses: ./
with:
policy_file: ./tests/tutorial_resources/detect_malicious_java_dep/example-maven-app.dl
output_dir: macaron_output/detect_malicious_java_dep

tutorial-exclude-include-checks:
name: Exclude and include checks in Macaron
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

- name: Run Macaron (analyze micronaut-core with default checks)
uses: ./
with:
package_url: pkg:maven/io.micronaut/[email protected]
output_dir: macaron_output/exclude_include_checks/normal

- name: Run Macaron (analyze micronaut-core excluding witness check via defaults.ini)
uses: ./
with:
package_url: pkg:maven/io.micronaut/[email protected]
defaults_path: ./tests/tutorial_resources/exclude_include_checks/defaults_exclude_witness.ini
output_dir: macaron_output/exclude_include_checks/excluded
124 changes: 124 additions & 0 deletions action.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

name: Macaron Security Analysis
description: Run Macaron to analyze supply chain security
author: Oracle - github.com/oracle/macaron
# This composite GitHub Action wraps the Macaron tool. It exposes inputs for analysis options to shell scripts under `scripts/actions/` for readability.

inputs:
sbom_path:
description: The path to the SBOM of the analysis target.
python_venv:
description: Path to a Python virtual environment to resolve Python dependencies (used with Python analyze).
package_url:
description: The PURL string used to uniquely identify the target software component for analysis.
repo_path:
description: The path to the repository, can be local or remote.
policy_file:
description: Path to the Datalog policy.
policy_purl:
description: The PURL string for the pre-defined policy.
defaults_path:
description: The path to the defaults configuration file.
digest:
description: The digest of the commit we want to checkout in the branch.
provenance_expectation:
description: The path to provenance expectation file or directory.
provenance_file:
description: The path to the provenance file in in-toto format.
show_prelude:
description: Shows the Datalog prelude for the database.
branch:
description: The branch of the repository that we want to checkout.
deps_depth:
description: 'The depth of the dependency resolution. 0: disable, 1: direct dependencies, inf: all transitive dependencies.'
default: '0'
github_token:
description: The GitHub personal access token is needed for to run the analysis.
default: ${{ github.token }}
output_dir:
description: The output destination path for Macaron.
default: output
upload_attestation:
description: 'Upload the generated VSA report. default : false'
default: false
subject_path:
description: 'Path to the artifact serving as the subject of the attestation, the default is current repository. default : github.workspace'
default: ${{ github.workspace }}

outputs:
policy_report:
description: Paths to the Macaron analysis report
value: ${{ steps.run-macaron-policy-verification.outputs.policy_report }}
vsa_report:
description: Verification Summary Attestation
value: ${{ steps.run-macaron-policy-verification.outputs.vsa_report }}

runs:
using: composite
steps:
- name: Setup Python
uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
with:
python-version: 3.11.13

- name: Setup Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
with:
go-version: '1.23'
cache: false

- name: Setup JDK
uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0
with:
java-version: '17'
distribution: oracle

- name: Setup Macaron
# Create or reuse a Python virtualenv with the macaron CLI and export the `MACARON` binary path via `$GITHUB_ENV` so later steps can use it.
run: |
bash "$GITHUB_ACTION_PATH/scripts/actions/setup_macaron.sh"
shell: bash

- name: Run Macaron Analysis
id: run-macaron-analysis
if: ${{ inputs.repo_path != '' || inputs.package_url != '' }}
# Build and execute the `macaron analyze` command. We pass action inputs into the script via `env` so the script can assemble the CLI command.
run: |
bash "$GITHUB_ACTION_PATH/scripts/actions/run_macaron_analysis.sh"
shell: bash
env:
GITHUB_TOKEN: ${{ inputs.github_token }}
DEFAULTS_PATH: ${{ inputs.defaults_path }}
OUTPUT_DIR: ${{ inputs.output_dir }}
REPO_PATH: ${{ inputs.repo_path }}
PACKAGE_URL: ${{ inputs.package_url }}
BRANCH: ${{ inputs.branch }}
DIGEST: ${{ inputs.digest }}
DEPS_DEPTH: ${{ inputs.deps_depth }}
SBOM_PATH: ${{ inputs.sbom_path }}
PYTHON_VENV: ${{ inputs.python_venv }}
PROVENANCE_FILE: ${{ inputs.provenance_file }}
PROVENANCE_EXPECTATION: ${{ inputs.provenance_expectation }}

- name: Run Macaron Policy Verification
id: run-macaron-policy-verification
if: ${{ inputs.policy_file != '' }}
# Run policy verification using a Datalog policy file or a pre-defined policy and a PURL. The script writes `policy_report` and `vsa_report` to `$GITHUB_OUTPUT` if policy verification is successful.
run: |
bash "$GITHUB_ACTION_PATH/scripts/actions/run_macaron_policy_verification.sh"
shell: bash
env:
DEFAULTS_PATH: ${{ inputs.defaults_path }}
OUTPUT_DIR: ${{ inputs.output_dir }}
POLICY_FILE: ${{ inputs.policy_file }}
POLICY_PURL: ${{ inputs.policy_purl }}

- name: Upload Attestation
if: ${{ inputs.upload_attestation == 'true' && steps.run-macaron-policy-verification.outputs.vsa_report != 'VSA Not Generated.' }}
uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 #3.0.0
with:
subject-path: ${{ inputs.subject_path }}
predicate-type: https://slsa.dev/verification_summary/v1
predicate-path: ${{ steps.run-macaron-policy-verification.outputs.vsa_report }}
4 changes: 0 additions & 4 deletions docs/source/pages/cli_usage/command_analyze.rst
Original file line number Diff line number Diff line change
Expand Up @@ -87,10 +87,6 @@ Options

The path to the local `.m2` Maven repository. If this option is not used, Macaron will use the default location at `$HOME/.m2`.

.. option:: --verify-provenance

Allow the analysis to attempt to verify provenance files as part of its normal operations.

.. option:: --force-analyze-source

Forces PyPI source code analysis to run, regardless of other heuristic results.
Expand Down
Loading
Loading