Analyze

Description

Analyze a public GitHub repository (and optionally the repositories of its dependencies) to determine its SLSA posture.

Usage

usage: ./run_macaron.sh analyze
    [-h] [-sbom SBOM_PATH] [-rp REPO_PATH] [-purl PACKAGE_URL]
    [-b BRANCH] [-d DIGEST] [-pe PROVENANCE_EXPECTATION] [-pf PROVENANCE_FILE]
    [--deps-depth DEPS_DEPTH] [-g TEMPLATE_PATH] [--python-venv PYTHON_VENV]
    [--local-maven-repo LOCAL_MAVEN_REPO] [--force-analyze-source]

Options

-h, --help

Show this help message and exit.

-sbom SBOM_PATH, --sbom-path SBOM_PATH

The path to the Software Bill of Materials (SBOM) of the analysis target. If this option is set, dependency resolution must be enabled by using the –deps-depth option.

-rp REPO_PATH, --repo-path REPO_PATH

The path to the repository, which can be either local or remote.

-purl PACKAGE_URL, --package-url PACKAGE_URL

The Package URL (PURL) string used to uniquely identify the target software component for analysis. This PURL string can also be used in the policies passed to the policy engine for the same target.

-b BRANCH, --branch BRANCH

The branch of the repository that you want to check out. If not set, Macaron will use the default branch.

-d DIGEST, --digest DIGEST

The digest of the commit you want to check out in the branch. If not set, Macaron will use the latest commit.

-pe PROVENANCE_EXPECTATION, --provenance-expectation PROVENANCE_EXPECTATION

The path to the provenance expectation file or directory.

-pf PROVENANCE_FILE, --provenance-file PROVENANCE_FILE

The path to the provenance file in in-toto format.

--deps-depth DEPS_DEPTH

The depth of the dependency resolution. Possible values are:

  • 0: Disable dependency resolution.

  • 1: Resolve direct dependencies only.

  • inf: Resolve all transitive dependencies (default: 0).

Note: If –sbom-path or –python-venv is set, this option must be specified.

-g TEMPLATE_PATH, --template-path TEMPLATE_PATH

The path to the Jinja2 HTML template file. Please ensure that the file has either .html or .j2 extensions.

--python-venv PYTHON_VENV

The path to the Python virtual environment of the target software component. If this option is set, dependency resolution must be enabled with –deps-depth.

--local-maven-repo LOCAL_MAVEN_REPO

The path to the local .m2 Maven repository. If this option is not used, Macaron will use the default location at $HOME/.m2.

--verify-provenance

Allow the analysis to attempt to verify provenance files as part of its normal operations.

--force-analyze-source

Forces PyPI source code analysis to run, regardless of other heuristic results.

Environment

GITHUB_TOKEN – The GitHub personal access token is needed for to run the analysis. For more information on how to obtain a GitHub token, see instructions in Prepare GitHub access token.