Analyze
Description
Analyze a public GitHub repository (and optionally the repositories of its dependencies) to determine its SLSA posture.
Usage
usage: ./run_macaron.sh analyze
[-h] [-sbom SBOM_PATH] [-purl PURL] [-rp REPO_PATH] [-b BRANCH]
[-d DIGEST] [-pe PROVENANCE_EXPECTATION]
[--skip-deps] [--deps-depth DEPS_DEPTH] [-g TEMPLATE_PATH]
[--python-venv PYTHON_VENV]
Options
- -h, --help
Show this help message and exit
- -sbom SBOM_PATH, --sbom-path SBOM_PATH
The path to the SBOM of the analysis target.
- -purl PACKAGE_URL, --package-url PACKAGE_URL
The PURL string used to uniquely identify the target software component for analysis. Note: this same PURL string can subsequently be used in the policies passed to the policy engine for the same target.
- -rp REPO_PATH, --repo-path REPO_PATH
The path to the repository; it can be local or remote.
- -b BRANCH, --branch BRANCH
The branch of the repository that we want to check out. If not set, Macaron will use the default branch.
- -d DIGEST, --digest DIGEST
The digest of the commit we want to check out in the branch. If not set, Macaron will use the latest commit.
- -pe PROVENANCE_EXPECTATION, --provenance-expectation PROVENANCE_EXPECTATION
The path to the provenance expectation file or directory.
- -pf PROVENANCE_FILE, --provenance-file PROVENANCE_FILE
The path to the provenance file in in-toto format.
- --skip-deps
DEPRECATED. Dependency resolution is off by default. This flag does nothing and will be removed in the next release.
- --deps-depth DEPS_DEPTH
The depth of the dependency resolution. 0: disable, 1: direct dependencies, inf: all transitive dependencies. (Default: 0)
- -g TEMPLATE_PATH, --template-path TEMPLATE_PATH
The path to the Jinja2 html template (please make sure to use .html or .j2 extensions).
- --python-venv PYTHON_VENV
The path to the Python virtual environment of the target software component.
Environment
GITHUB_TOKEN
– The GitHub personal access token is needed to run the analysis. For more information on how to obtain a GitHub token, see the instructions in Prepare GitHub access token.
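The following POSIX shell wrapper is an added example, not part of Macaron or its run_macaron.sh script. It assembles an analyze invocation from the options documented above and checks, before anything is launched, the constraints this page states: the --deps-depth value must be 0, 1 or inf, the -g template must end in .html or .j2, and GITHUB_TOKEN must be set. The PURL values used in the comments and in the test are constructed samples; the wrapper assumes run_macaron.sh is in the current directory.

```shell
#!/bin/sh
# Added example (not Macaron's own tooling). Builds and validates a
# `./run_macaron.sh analyze` command line from the documented options.
# Assumptions: run_macaron.sh is in the current directory and the caller
# exports GITHUB_TOKEN before running the analysis.

# build_analyze_cmd PURL [DEPS_DEPTH] [TEMPLATE_PATH]
# Prints the assembled command on stdout; returns 1 on an invalid argument.
build_analyze_cmd() {
  purl="$1"
  depth="${2:-0}"        # page default: dependency resolution disabled
  template="${3:-}"

  # Every package URL starts with the "pkg:" scheme.
  case "$purl" in
    pkg:*) ;;
    *) echo "error: PURL must start with 'pkg:' (got '$purl')" >&2; return 1 ;;
  esac

  # --deps-depth accepts 0 (disable), 1 (direct) or inf (all transitive).
  case "$depth" in
    0|1|inf) ;;
    *) echo "error: --deps-depth must be 0, 1 or inf (got '$depth')" >&2; return 1 ;;
  esac

  cmd="./run_macaron.sh analyze -purl $purl --deps-depth $depth"

  # The Jinja2 HTML report template must use a .html or .j2 extension.
  if [ -n "$template" ]; then
    case "$template" in
      *.html|*.j2) cmd="$cmd -g $template" ;;
      *) echo "error: template path must end in .html or .j2 (got '$template')" >&2; return 1 ;;
    esac
  fi

  printf '%s\n' "$cmd"
}

# run_analyze PURL [DEPS_DEPTH] [TEMPLATE_PATH]
# Refuses to start without the token the analysis needs, then runs the command.
run_analyze() {
  if [ -z "${GITHUB_TOKEN:-}" ]; then
    echo "error: GITHUB_TOKEN is not set; see 'Prepare GitHub access token'" >&2
    return 1
  fi
  cmd=$(build_analyze_cmd "$@") || return 1
  echo "running: $cmd"
  # Word-splitting on the assembled string is intended here; the arguments
  # were validated above and contain no whitespace.
  $cmd
}

# Example (constructed PURL):
#   run_analyze pkg:maven/org.example/demo@1.0.0 1 report.html
```

Keeping the validation in a function that only prints the command line lets the checks be exercised without a GitHub token or a Macaron installation; run_analyze adds the token gate and executes the result.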