# Copyright (c) 2025 - 2026, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
name: Macaron Security Analysis Action
description: Run Macaron to analyze artifacts for supply chain security
author: Oracle - github.com/oracle/macaron
branding:
  icon: shield
  color: blue
# This composite GitHub Action wraps the Macaron tool. Analysis options are exposed as
# action inputs and handed to the shell scripts under `scripts/actions/` through each
# step's `env:` block; no input is interpolated with `${{ }}` into a `run:` body, so an
# input value is passed as data and is never evaluated as shell syntax.
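inputs:
  sbom_path:
    description: The path to the SBOM of the analysis target.
  python_venv:
    description: Path to a Python virtual environment used to resolve Python dependencies (used with Python analysis).
  package_url:
    description: The PURL string that uniquely identifies the target software component for analysis.
  repo_path:
    description: The path to the repository; can be local or remote.
  policy_file:
    description: >-
      Path to the Datalog policy. Setting it enables the policy verification step and the
      VSA gate: the job fails unless a Verification Summary Attestation is generated.
  policy_purl:
    description: >-
      The PURL string for the pre-defined policy. Only takes effect together with
      `policy_file`; the verification step is gated on `policy_file` alone.
  defaults_path:
    description: The path to the defaults configuration file.
  digest:
    description: The digest of the commit to check out in the branch.
  provenance_expectation:
    description: The path to a provenance expectation file or directory.
  provenance_file:
    description: The path to the provenance file in in-toto format.
  show_prelude:
    # NOTE(review): this input is declared but not forwarded to any step's `env:` below,
    # so setting it currently has no effect.
    description: Shows the Datalog prelude for the database.
  branch:
    description: The branch of the repository to check out.
  deps_depth:
    description: 'The depth of the dependency resolution. 0: disable, 1: direct dependencies, inf: all transitive dependencies.'
    default: '0'
  github_token:
    description: >-
      GitHub token required to run the analysis. It is passed only to the analysis step
      (as `GITHUB_TOKEN`). Defaults to the workflow's `GITHUB_TOKEN`, whose scope is
      whatever the calling job grants via `permissions:`; prefer read-only permissions
      and avoid supplying a long-lived personal access token unless needed.
    default: ${{ github.token }}
  output_dir:
    description: The output destination path for Macaron. Must not contain line breaks.
    default: output
  upload_reports:
    description: Upload Macaron reports (HTML/JSON reports, SQLite database, policy report and VSA) as a workflow artifact.
    default: 'true'
  reports_artifact_name:
    description: Name of the uploaded reports artifact.
    default: macaron-reports
  reports_retention_days:
    description: Retention period in days for uploaded reports.
    default: '90'
  write_job_summary:
    description: Write a human-friendly summary to the workflow run page.
    default: 'true'
  upload_attestation:
    description: >-
      Upload the generated VSA as a GitHub artifact attestation. Only runs when a VSA was
      generated. The calling job must grant `id-token: write` and `attestations: write`.
    # Quoted: action inputs are strings and the step condition compares against 'true'.
    default: 'false'
  subject_path:
    description: >-
      Path to the artifact serving as the subject of the attestation. Defaults to the
      current workspace (`github.workspace`).
    default: ${{ github.workspace }}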
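outputs:
  html_report_path:
    description: Path to the generated HTML analysis report, if the analysis step produced one.
    value: ${{ steps.run-macaron-analysis.outputs.html_report_path }}
  report_dir:
    description: Directory containing the HTML/JSON reports (`<output_dir>/reports`).
    value: ${{ steps.collect-reports.outputs.report_dir }}
  db_path:
    description: Path to the generated Macaron SQLite database (`<output_dir>/macaron.db`).
    value: ${{ steps.collect-reports.outputs.db_path }}
  policy_report:
    description: >-
      Path to the policy verification report (`<output_dir>/policy_report.json`). The
      path is reported even when the file was not produced.
    value: ${{ steps.collect-reports.outputs.policy_report }}
  vsa_report:
    description: >-
      Path to the Verification Summary Attestation (`<output_dir>/vsa.intoto.jsonl`), or
      the literal string `VSA Not Generated.` when no VSA exists. Check `vsa_generated`
      before using this value as a path.
    value: ${{ steps.collect-reports.outputs.vsa_report }}
  vsa_generated:
    description: "`true` if `<output_dir>/vsa.intoto.jsonl` exists after the run, otherwise `false`."
    value: ${{ steps.collect-reports.outputs.vsa_generated }}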
runs:
  using: composite
  steps:
  - name: Setup Macaron
    # Create or reuse the run_macaron.sh wrapper. ACTION_REF is the ref (tag, branch or
    # SHA) the caller used to reference this action; presumably setup_macaron.sh uses it
    # to select the matching Macaron release — if so, a moving tag or branch reference
    # lets the tool version float. Verify in scripts/actions/setup_macaron.sh.
    run: |
      bash "$GITHUB_ACTION_PATH/scripts/actions/setup_macaron.sh"
    shell: bash
    env:
      ACTION_REF: ${{ github.action_ref }}
- name: Run Macaron Analysis
  id: run-macaron-analysis
  # Skipped entirely unless a target is given via repo_path or package_url; later steps
  # still run, so check this step's status when no report appears.
  if: ${{ inputs.repo_path != '' || inputs.package_url != '' }}
  shell: bash
  # The script assembles and executes `macaron analyze`. Every option reaches it through
  # `env:` rather than being interpolated into the `run:` body, so an input value cannot
  # be evaluated as shell syntax. The GitHub token is handed to this step only.
  env:
    GITHUB_TOKEN: ${{ inputs.github_token }}
    # Target selection
    REPO_PATH: ${{ inputs.repo_path }}
    PACKAGE_URL: ${{ inputs.package_url }}
    BRANCH: ${{ inputs.branch }}
    DIGEST: ${{ inputs.digest }}
    # Dependency resolution
    DEPS_DEPTH: ${{ inputs.deps_depth }}
    SBOM_PATH: ${{ inputs.sbom_path }}
    PYTHON_VENV: ${{ inputs.python_venv }}
    # Provenance
    PROVENANCE_FILE: ${{ inputs.provenance_file }}
    PROVENANCE_EXPECTATION: ${{ inputs.provenance_expectation }}
    # Configuration and output location
    DEFAULTS_PATH: ${{ inputs.defaults_path }}
    OUTPUT_DIR: ${{ inputs.output_dir }}
  run: bash "$GITHUB_ACTION_PATH/scripts/actions/run_macaron_analysis.sh"
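- name: Run Macaron Policy Verification
  id: run-macaron-policy-verification
  # Only `policy_file` gates this step; `policy_purl` alone does not trigger it.
  if: ${{ inputs.policy_file != '' }}
  # Run policy verification using a Datalog policy file (optionally scoped to a PURL via
  # POLICY_PURL). The script writes `policy_report` and `vsa_report` to `$GITHUB_OUTPUT`
  # if policy verification is successful; the VSA file it produces at
  # `<output_dir>/vsa.intoto.jsonl` is what the "Enforce VSA generation" step gates on.
  run: |
    # Remove any VSA left over from an earlier run in the same output directory (a
    # persistent self-hosted workspace, or an output_dir that is checked in), so the
    # existence-based VSA gate later in this action cannot pass on a stale attestation.
    # The verification script is expected to write a fresh file on success.
    rm -f -- "${OUTPUT_DIR:-output}/vsa.intoto.jsonl"
    bash "$GITHUB_ACTION_PATH/scripts/actions/run_macaron_policy_verification.sh"
  shell: bash
  env:
    DEFAULTS_PATH: ${{ inputs.defaults_path }}
    OUTPUT_DIR: ${{ inputs.output_dir }}
    POLICY_FILE: ${{ inputs.policy_file }}
    POLICY_PURL: ${{ inputs.policy_purl }}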
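- name: Collect report paths
  id: collect-reports
  # Runs even after an earlier failure so that report paths, the VSA flag and the
  # artifact upload are available for diagnosis. Only vsa.intoto.jsonl is checked for
  # existence; the other paths are emitted unconditionally.
  if: ${{ always() }}
  run: |
    OUTPUT_DIR="${OUTPUT_DIR:-output}"
    # OUTPUT_DIR is caller-controlled and is echoed into $GITHUB_OUTPUT, where a line
    # break would end the current output and let the remainder define another one.
    case "${OUTPUT_DIR}" in
      *$'\n'*|*$'\r'*)
        echo "output_dir must not contain line breaks"
        exit 1
        ;;
    esac
    POLICY_REPORT="${OUTPUT_DIR}/policy_report.json"
    VSA_REPORT="${OUTPUT_DIR}/vsa.intoto.jsonl"
    DB_PATH="${OUTPUT_DIR}/macaron.db"
    REPORT_DIR="${OUTPUT_DIR}/reports"
    if [ -f "${VSA_REPORT}" ]; then
      VSA_VALUE="${VSA_REPORT}"
      VSA_GENERATED=true
    else
      # Sentinel string; consumers must check vsa_generated before treating it as a path.
      VSA_VALUE="VSA Not Generated."
      VSA_GENERATED=false
    fi
    {
      echo "report_dir=${REPORT_DIR}"
      echo "db_path=${DB_PATH}"
      echo "policy_report=${POLICY_REPORT}"
      echo "vsa_report=${VSA_VALUE}"
      echo "vsa_generated=${VSA_GENERATED}"
    } >> "${GITHUB_OUTPUT}"
    # Multi-line output consumed by actions/upload-artifact. Use a random heredoc
    # delimiter (as GitHub recommends) so a path equal to the delimiter cannot end the
    # value early. The VSA path is listed even when the file is absent; the upload step
    # tolerates missing paths.
    delim="reports_path_${RANDOM}${RANDOM}${RANDOM}"
    {
      echo "reports_path<<${delim}"
      echo "${REPORT_DIR}"
      echo "${DB_PATH}"
      echo "${POLICY_REPORT}"
      echo "${VSA_REPORT}"
      echo "${delim}"
    } >> "${GITHUB_OUTPUT}"
  shell: bash
  env:
    OUTPUT_DIR: ${{ inputs.output_dir }}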
- name: Upload Macaron Reports
  id: upload-macaron-reports
  # Runs on failure too so the reports behind a failed gate can be downloaded. The
  # artifact holds the reports directory, the SQLite database, the policy report and the
  # VSA (paths from collect-reports). Anyone who can view the workflow run can download
  # it, so choose reports_retention_days accordingly.
  if: ${{ always() && inputs.upload_reports == 'true' }}
  uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
  with:
    name: ${{ inputs.reports_artifact_name }}
    # Multi-line list of paths; entries that do not exist are skipped and a warning is
    # emitted only when none of them exist.
    path: ${{ steps.collect-reports.outputs.reports_path }}
    if-no-files-found: warn
    retention-days: ${{ inputs.reports_retention_days }}
- name: Summarize Macaron Results
  # Write a human-friendly summary to the workflow run page. Runs after failures too so
  # a failed policy check is still explained on the summary page.
  if: ${{ always() && inputs.write_job_summary == 'true' }}
  run: |
    bash "$GITHUB_ACTION_PATH/scripts/actions/write_job_summary.sh"
  shell: bash
  env:
    OUTPUT_DIR: ${{ inputs.output_dir }}
    # From collect-reports: whether <output_dir>/vsa.intoto.jsonl exists, and the policy report path.
    VSA_GENERATED: ${{ steps.collect-reports.outputs.vsa_generated }}
    POLICY_REPORT: ${{ steps.collect-reports.outputs.policy_report }}
    POLICY_FILE: ${{ inputs.policy_file }}
    # Empty when the analysis step was skipped or did not set it.
    HTML_REPORT_PATH: ${{ steps.run-macaron-analysis.outputs.html_report_path }}
    UPLOAD_REPORTS: ${{ inputs.upload_reports }}
    REPORTS_ARTIFACT_NAME: ${{ inputs.reports_artifact_name }}
    # Empty when the upload step was skipped (upload_reports != 'true').
    REPORTS_ARTIFACT_URL: ${{ steps.upload-macaron-reports.outputs.artifact-url }}
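- name: Enforce VSA generation
  # Gate: when a policy is configured, fail the job unless collect-reports found a VSA.
  # always() keeps this running after an earlier failure so the reason is reported here
  # rather than lost behind the failed step. The gate only checks that
  # <output_dir>/vsa.intoto.jsonl exists; it does not inspect the file's content.
  if: ${{ always() && inputs.policy_file != '' }}
  run: |
    # Same default as collect-reports, so the reported path matches the one checked.
    OUTPUT_DIR="${OUTPUT_DIR:-output}"
    RUN_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
    SUMMARY_URL="${RUN_URL}#macaron-analysis-summary"
    REMEDIATIONS_URL="${RUN_URL}#macaron-full-findings-remediation-details"
    if [ "${VSA_GENERATED}" != "true" ]; then
      echo "Policy verification did not produce a VSA for policy '${POLICY_FILE}' at ${OUTPUT_DIR}/vsa.intoto.jsonl."
      echo "Check the workflow summary and uploaded reports: ${SUMMARY_URL}"
      echo "Full findings and remediation details: ${REMEDIATIONS_URL}"
      echo "If no findings are reported, the analysis step may have been skipped (neither repo_path nor package_url set) or failed; also check that policy_purl is valid."
      exit 1
    fi
    echo "VSA found at ${OUTPUT_DIR}/vsa.intoto.jsonl; policy '${POLICY_FILE}' satisfied."
  shell: bash
  env:
    OUTPUT_DIR: ${{ inputs.output_dir }}
    VSA_GENERATED: ${{ steps.collect-reports.outputs.vsa_generated }}
    POLICY_FILE: ${{ inputs.policy_file }}
    GITHUB_SERVER_URL: ${{ github.server_url }}
    GITHUB_REPOSITORY: ${{ github.repository }}
    GITHUB_RUN_ID: ${{ github.run_id }}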
- name: Upload Attestation
  # Publish the VSA as a GitHub artifact attestation. Only runs when opted in and a VSA
  # file exists. The calling job must grant `id-token: write` and `attestations: write`
  # for actions/attest to sign and store it.
  if: ${{ inputs.upload_attestation == 'true' && steps.collect-reports.outputs.vsa_generated == 'true' }}
  uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0
  with:
    # NOTE(review): the default is the whole workspace directory, while actions/attest
    # takes file paths or globs as subjects — confirm a bare directory is accepted, or
    # point subject_path at the built artifact(s) the VSA is about.
    subject-path: ${{ inputs.subject_path }}
    predicate-type: https://slsa.dev/verification_summary/v1
    # NOTE(review): predicate-path is expected to hold the bare predicate JSON. The file
    # here is named `.intoto.jsonl` (envelope-style naming) — confirm a full in-toto
    # envelope is not being nested inside the new statement.
    predicate-path: ${{ steps.collect-reports.outputs.vsa_report }}