
Macaron is an extensible supply-chain security analysis framework from Oracle Labs that supports a wide range of build systems and CI/CD services. It can be used to prevent supply chain attacks or che...

Results 132 macaron issues

Adds a validation step to analysis that ensures the passed repo and commit match those found in the passed provenance, if all of those exist.

OCA Verified

This PR improves the commit finder so that it can handle cases where numeric version parts have preceding zeroes. E.g. Version `2024.2.2` -> Tag `2024.02.02`. The trailing zero evaluation (for...

OCA Verified
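The zero-padding case above is the kind of mismatch a version-to-tag matcher has to tolerate without becoming so loose that it picks the wrong tag. The following is an added example (not the commit finder's own implementation) of tokenized matching: numeric parts compare as integers so `02` equals `2`, alphabetic tag prefixes such as `v` or `release-` are allowed, but a numeric prefix or a pre-release suffix blocks the match. The tag names are constructed inputs. It also reports every candidate rather than the first, because ambiguity is something the caller should see, not silently resolve.

```python
"""Match a package version to a git tag, tolerating zero-padded numeric parts
(added example, not the commit finder's own code)."""
import re

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def _tokens(text: str) -> list[str]:
    """Split '2024.02.02' or 'release-v1.10' into tokens; digits normalize via int()
    so '02' -> '2', letters are lower-cased. Separators are discarded."""
    return [str(int(t)) if t.isdigit() else t.lower() for t in _TOKEN.findall(text)]


def tag_matches_version(tag: str, version: str) -> bool:
    """True when the version's tokens are the tag's trailing tokens and whatever
    precedes them is purely alphabetic (a prefix like 'v' or 'release').
    A numeric prefix ('2024.02.02' vs version '2.2') or a trailing pre-release
    segment ('1.2.3-rc1' vs '1.2.3') is rejected."""
    v = _tokens(version)
    t = _tokens(tag)
    if not v or len(t) < len(v) or t[-len(v):] != v:
        return False
    prefix = t[:-len(v)]
    return all(p.isalpha() for p in prefix)


def find_tags_for_version(tags, version: str) -> list[str]:
    """Return all tags that match; more than one means the mapping is ambiguous
    and should not be trusted blindly (two tags may point at different commits)."""
    return [t for t in tags if tag_matches_version(t, version)]


if __name__ == "__main__":
    # Constructed tag list for demonstration.
    print(find_tags_for_version(["v2024.02.02", "v2024.2.2-rc1", "2.2"], "2024.2.2"))
```

The security-relevant failure mode is silent mis-mapping: if the matcher resolves a version to the wrong tag, every downstream check (provenance comparison, build-script analysis) runs against the wrong commit, so a surfaced ambiguity is preferable to a guessed answer.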

This may need further investigation before it can be addressed. One benefit to having such a check would be allowing users to see when their project is relying on dependencies...

Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.27 to 1.7.0. Release notes Sourced from github.com/rhysd/actionlint's releases. v1.7.0 From this version, actionlint starts to check action metadata file action.yml (or action.yaml). At this point, only...

dependencies
OCA Verified
go

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.5. Release notes Sourced from actions/checkout's releases. v4.1.5 What's Changed Update NPM dependencies by @cory-miller in actions/checkout#1703 Bump github/codeql-action from 2 to 3 by @dependabot...

dependencies
github_actions
OCA Verified

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.1 to 2.3.3. Release notes Sourced from ossf/scorecard-action's releases. v2.3.3 [!NOTE] There is no v2.3.2 release as a step was skipped in the release process. This was...

dependencies
github_actions
OCA Verified

Updates the requirements on [hypothesis](https://github.com/HypothesisWorks/hypothesis) to permit the latest version. Commits fbf5945 Bump hypothesis-python version to 6.101.0 and update changelog bfef674 Merge pull request #3984 from rascalking/issue-3978 8fa3d7c Bump hypothesis-python...

dependencies
python
OCA Verified

In Macaron, we use [Cuelang](https://cuelang.org/) to enforce certain requirements on the provenance content of the analysis component. For example, let's say we have a [Witness provenance](https://witness.dev/) that contains an attestation...

policy engine
provenance expectations

We need to implement a new feature to obtain the GitHub Actions workflow that has triggered a build/release from the SLSA provenance (or build command from the Witness provenance) and...

checks
build_tools

Implement license filtering in Macaron against a configurable, pre-defined set of licenses. Macaron pulls down code and metadata today from GH repositories for performing various analyses. With this feature,...

good first issue
checks