Analyze
Description
Analyze a public GitHub repository (and optionally the repositories of its dependencies) to determine its SLSA posture.
Usage
usage: ./run_macaron.sh analyze
[-h] [-sbom SBOM_PATH] [-purl PURL] [-rp REPO_PATH] [-b BRANCH]
[-d DIGEST] [-pe PROVENANCE_EXPECTATION] [-c CONFIG_PATH]
[--skip-deps] [-g TEMPLATE_PATH]
Options
- -h, --help
Show this help message and exit
- -sbom SBOM_PATH, --sbom-path SBOM_PATH
The path to the SBOM of the analysis target.
- -purl PACKAGE_URL, --package-url PACKAGE_URL
The PURL string used to uniquely identify the target software component for analysis. Note: this PURL string can subsequently be used in the policies passed to the policy engine for the same target.
- -rp REPO_PATH, --repo-path REPO_PATH
The path to the repository; it can be local or remote.
- -b BRANCH, --branch BRANCH
The branch of the repository to check out. If not set, Macaron will use the default branch.
- -d DIGEST, --digest DIGEST
The digest of the commit to check out in the branch. If not set, Macaron will use the latest commit.
- -pe PROVENANCE_EXPECTATION, --provenance-expectation PROVENANCE_EXPECTATION
The path to the provenance expectation file or directory.
- -pf PROVENANCE_FILE, --provenance-file PROVENANCE_FILE
The path to the provenance file in in-toto format.
- -c CONFIG_PATH, --config-path CONFIG_PATH
The path to the user configuration.
- --skip-deps
Skip automatic dependency analysis.
- -g TEMPLATE_PATH, --template-path TEMPLATE_PATH
The path to the Jinja2 HTML template (please make sure to use the .html or .j2 extension).
Environment
GITHUB_TOKEN
The GitHub personal access token is needed to run the analysis. For more information on how to obtain a GitHub token, see the instructions in Prepare GitHub access token.
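An added example (not part of Macaron's own code) that ties the options above to the GITHUB_TOKEN requirement: a POSIX sh wrapper that checks the token is set and that any template path uses the .html or .j2 extension, then prints a reproducible analyze command pinned to a branch and commit digest so the invocation can be recorded next to the report. The PURL, repository URL, digest and file paths used here are placeholders.

```shell
#!/usr/bin/env sh
# Builds a `./run_macaron.sh analyze` command line from the documented options.
# Prints the command (dry run) and returns non-zero when a documented
# precondition is not met: GITHUB_TOKEN unset (2) or a bad template extension (3).
# Arguments: purl repo [branch] [digest] [expectation_path] [template_path]
build_analyze_cmd() {
    purl="$1"; repo="$2"; branch="$3"; digest="$4"; expectation="$5"; template="$6"

    # The Environment section requires a GitHub personal access token.
    if [ -z "$GITHUB_TOKEN" ]; then
        echo "GITHUB_TOKEN is not set" >&2
        return 2
    fi

    # -g only accepts Jinja2 templates with a .html or .j2 extension.
    if [ -n "$template" ]; then
        case "$template" in
            *.html|*.j2) ;;
            *) echo "template must use .html or .j2: $template" >&2; return 3 ;;
        esac
    fi

    cmd="./run_macaron.sh analyze -purl $purl -rp $repo"
    if [ -n "$branch" ]; then cmd="$cmd -b $branch"; fi
    # Pinning the digest keeps the result tied to the exact commit that was reviewed
    # instead of whatever is latest on the branch at run time.
    if [ -n "$digest" ]; then cmd="$cmd -d $digest"; fi
    if [ -n "$expectation" ]; then cmd="$cmd -pe $expectation"; fi
    if [ -n "$template" ]; then cmd="$cmd -g $template"; fi
    printf '%s\n' "$cmd"
}

# Demo with placeholder values (only when a token is present in the environment).
if [ -n "$GITHUB_TOKEN" ]; then
    build_analyze_cmd "pkg:github/example-org/example-repo" \
        "https://github.com/example-org/example-repo" "main" \
        "0000000000000000000000000000000000000000" "expectations/" "report.html"
fi
```

Option values are not shell-quoted in the printed command, so pass plain paths and identifiers.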