Macaron

Macaron is a software supply chain security analysis tool from Oracle Labs focused on verifying the build integrity of artifacts and their dependencies. It helps developers, security teams, and researchers ensure that packages are built as expected and have not been tampered with.

Key Capabilities

Macaron supports:

Based on SLSA

Macaron follows the recommendations of the SLSA (Supply chain Levels for Software Artifacts) framework. It offers a flexible, extensible policy engine for checking compliance with SLSA levels. Users can define and compose custom rules tailored to their CI/CD practices and security needs.

Supported Build Tools

Macaron currently supports the following build tools:

Adoption

Macaron is integrated into the Graal Development Kit (GDK), where it is used to generate Verification Summary Attestations for each artifact. This helps GDK users validate and trust the integrity of their dependencies (tutorial, blog post).

Learn More

For a complete list of supported technologies, CI providers, and provenance formats, see the documentation.

Macaron is actively evolving, with ongoing work to support more ecosystems and enhance supply chain security capabilities.

Getting started

Contributing

This project welcomes contributions from the community. Before submitting a pull request, please review our contribution guide.

Defining new checks

After cloning a repository, Macaron parses the CI configuration files and the bash scripts they trigger, and builds call graphs and other intermediate representations as abstractions. On top of these abstractions, Macaron implements concrete checks that gather facts and metadata according to a security specification.

To learn how to define your own checks, see the steps in the checks documentation.

Presentations

Publications

Security

Please consult the security guide for our responsible security vulnerability disclosure process.

License

Copyright (c) 2022, 2024 Oracle and/or its affiliates. Macaron is licensed under the Universal Permissive License (UPL), Version 1.0.