Analyze

Description

Analyze a public GitHub repository (and optionally the repositories of its dependencies) to determine its SLSA posture.

Usage

usage: ./run_macaron.sh analyze
    [-h] [-sbom SBOM_PATH] [-purl PURL] [-rp REPO_PATH] [-b BRANCH]
    [-d DIGEST] [-pe PROVENANCE_EXPECTATION] [-pf PROVENANCE_FILE]
    [-c CONFIG_PATH] [--skip-deps] [-g TEMPLATE_PATH]

Options

-h, --help

Show this help message and exit

-sbom SBOM_PATH, --sbom-path SBOM_PATH

The path to the SBOM of the analysis target.

-purl PACKAGE_URL, --package-url PACKAGE_URL

The PURL string used to uniquely identify the target software component for analysis. Note: the same PURL string can subsequently be used in the policies passed to the policy engine for that target.

-rp REPO_PATH, --repo-path REPO_PATH

The path to the repository; it can be local or remote.

-b BRANCH, --branch BRANCH

The branch of the repository to check out. If not set, Macaron uses the default branch.

-d DIGEST, --digest DIGEST

The digest of the commit to check out in the branch. If not set, Macaron uses the latest commit.

-pe PROVENANCE_EXPECTATION, --provenance-expectation PROVENANCE_EXPECTATION

The path to the provenance expectation file or directory.

-pf PROVENANCE_FILE, --provenance-file PROVENANCE_FILE

The path to the provenance file in the in-toto format.

-c CONFIG_PATH, --config-path CONFIG_PATH

The path to the user configuration.

--skip-deps

Skip automatic dependency analysis.

-g TEMPLATE_PATH, --template-path TEMPLATE_PATH

The path to the Jinja2 HTML template (make sure it uses the .html or .j2 extension).

Environment

GITHUB_TOKEN – A GitHub personal access token is needed to run the analysis. For more information on how to obtain a GitHub token, see the instructions in Prepare GitHub access token.
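The following POSIX shell wrapper is an added example, not part of the Macaron documentation or the project's own tooling. It assembles an analyze invocation from the options listed above, pins the analysis to a branch and commit digest so the result is reproducible, rejects a template path that does not use the .html or .j2 extension, and refuses to proceed when GITHUB_TOKEN is not exported. The repository URL, digest and template file name are constructed placeholders; the script prints the command rather than executing it.

```shell
#!/bin/sh
# Added example (not from the Macaron docs): assemble and sanity-check a
# `./run_macaron.sh analyze` command before running it.
# Assumption: run_macaron.sh lives in the current directory. The repository
# URL, digest and template name used below are constructed placeholders.

# Return 0 when the template path uses an extension the -g option accepts.
template_ext_ok() {
    case "$1" in
        *.html|*.j2) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only when the GitHub token the analysis needs is exported.
github_token_present() {
    [ -n "${GITHUB_TOKEN:-}" ]
}

# Build the analyze command line. Arguments:
#   $1 repository path or URL (-rp)
#   $2 branch (-b), may be empty
#   $3 commit digest (-d), may be empty
#   $4 HTML template path (-g), may be empty
#   $5 the literal word "skip" to add --skip-deps
# Prints the command on stdout; returns 1 if the template path is invalid.
macaron_analyze_cmd() {
    repo=$1; branch=$2; digest=$3; template=$4; skip=$5
    cmd="./run_macaron.sh analyze -rp $repo"
    [ -n "$branch" ] && cmd="$cmd -b $branch"
    [ -n "$digest" ] && cmd="$cmd -d $digest"
    if [ -n "$template" ]; then
        template_ext_ok "$template" || return 1
        cmd="$cmd -g $template"
    fi
    [ "$skip" = "skip" ] && cmd="$cmd --skip-deps"
    printf '%s\n' "$cmd"
}

# Demonstration: pin the branch and digest, emit an HTML report, and skip
# dependency analysis to keep the first run scoped to the target itself.
if github_token_present; then
    echo "GITHUB_TOKEN is set; the command below can be run as-is:"
else
    echo "GITHUB_TOKEN is not set; export it before running the command below:" >&2
fi
macaron_analyze_cmd "https://github.com/example-org/example-repo" "main" \
    "COMMIT_SHA_PLACEHOLDER" "report.html" "skip"
```

Pinning -d to a specific digest is what makes a SLSA posture result attributable to one exact revision; analyzing only "the latest commit" means two runs can silently assess different code.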