Supported Technologies

Build Tools

Macaron is able to detect the build and deployment scripts for the following build tools and package managers while analyzing the CI configurations, such as GitHub Actions workflows.

• Maven

• Gradle

• Pip

• Poetry

• npm

• Yarn

• Go

• Docker

Git Services

Currently, we support the following Git services for version control. If you need support for any other Git services, feel free to open a GitHub issue.

• GitHub

• GitLab

CI Services

Currently, we support the following Continuous Integration (CI) services for automatically building and deploying artifacts. If you need support for any other CI services, feel free to open a GitHub issue.

CI Service	Support
GitHub Actions	Detecting deployment steps by building a call graph for workflows and reachable shell scripts Support for various GitHub APIs, such as Releases
GitLab	Partial support for detecting deployment steps
Jenkins	Partial support for detecting deployment steps
Travis CI	Partial support for detecting deployment steps
CircleCI	Partial support for detecting deployment steps

Package Registries

Package Registry	Support	Documentation
JFrog Artifactory	Projects built with Gradle and published to a JFrog Artifactory repo following Maven layout	page
Maven Central Artifactory	Projects built with Gradle or Maven and published on the Maven Central Artifactory.	page
npm Registry	Projects built with npm or Yarn and published on the npm registry.	page
Python Package Index (PyPI)	Projects built with Pip or Poetry and published on the PyPI registry.	page

Provenances

Provenance	Support	Documentation
SLSA	SLSA provenance version 0.2. The provenance should be published in one of the following ways: - as a GitHub release asset. - on the npm registry.	page
Witness	Witness provenance version 0.1 Projects built with Gradle on GitLab CI The provenance should be published on JFrog Artifactory	page

See also

• JFrog Artifactory
• Witness
• Maven Central
• npm Registry
• Python Package Index (PyPI)