Macaron GitHub Action
Overview
This document describes the composite GitHub Action defined in action.yaml at the repository root. The action uses the Macaron CLI to run supply-chain security analysis and policy verification from a GitHub Actions workflow.
Quick usage
When using this action you can reference the action in your workflow. Example:
jobs:
analyze:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Run Macaron Security Analysis Action
uses: oracle/macaron@v0.22.0
with:
repo_path: 'https://github.com/example/project'
policy_file: check-github-actions
policy_purl: 'pkg:github.com/example/project'
output_dir: 'macaron-output'
upload_attestation: true
Example: policy verification only
To run only the policy verification step (when you already have an output
database), call the action with policy_file and set output_dir to the
directory containing macaron.db:
- name: Verify policy
uses: oracle/macaron@v0.22.0
with:
policy_file: policy.dl
output_dir: macaron-output
upload_attestation: true
Inputs
The action exposes a number of inputs which map directly to Macaron CLI
options. Key inputs are listed below (see action.yaml for the full list):
Input |
Description |
Default |
|---|---|---|
|
The path or URL of the repository to analyze. |
|
|
A PURL identifying a package to analyze instead of a repository. |
|
|
Path to an SBOM file to analyze. |
|
|
Path to an existing Python virtualenv (used when analyzing Python packages). |
|
|
Path to a Macaron defaults configuration file. |
|
|
Path to a Datalog policy file for policy verification. |
|
|
PURL for a pre-defined policy to use with verification. |
|
|
Checkout options when analyzing a repository (branch name or commit digest). |
|
|
The path to provenance expectation file or directory. |
|
|
The path to the provenance file in in-toto format. |
|
|
Dependency resolution depth (how many levels of transitive dependencies to resolve). |
|
|
Shows the Datalog prelude for the database. |
|
|
Token used by Macaron to access GitHub (for cloning, API access, etc.). |
|
|
Directory where Macaron writes results (database, reports, artifacts). |
|
|
When |
|
|
Path to the artifact serving as the subject of the attestation. |
|
Outputs
The composite action exposes the following outputs (set by the
run_macaron_policy_verification.sh script when applicable):
Output |
Description |
|---|---|
|
Path to the generated policy report JSON file produced by
|
|
Path to the generated VSA (Verification Summary Attestation) in
in-toto JSONL format. If no VSA was produced
during verification, the action emits the string |
Default Policies
Macaron provides policy templates to run pre-defined policies:
Policy name |
Description |
Template |
|---|---|---|
|
Detects whether a component was built using GitHub Actions that are known to be vulnerable or otherwise unsafe. The policy evaluates a check named mcn_githubactions_vulnerabilities_1 and reports a passed/failed result for the component when applied. |
|
|
Checks a component for indicators of malicious or suspicious content. The policy evaluates a check named mcn_detect_malicious_metadata_1 and reports a passed/failed result for the component when applied. |
|
|
Checks the component and its transitive dependencies for indicators of malicious or suspicious content. The policy ensures the component and each dependency pass the mcn_detect_malicious_metadata_1 check. |
How the action works
Setup Macaron: downloadsrun_macaron.shscript to install and run macaron in the action.Run Macaron Analysis: callsscripts/actions/run_macaron_analysis.shwhich assembles themacaron analyzecommand from the inputs and runs it. Results are written intooutput_dir.Run Macaron Policy Verification: if a policy file or PURL is supplied, the corresponding script runsmacaron verify-policyagainst the analysis database and writespolicy_reportandvsa_reportto$GITHUB_OUTPUTwhen produced.