List view

• Generate a Verification Summary Attestation (VSA) for an artifact

  No due date

  •2/2 issues closed
  100% complete0 open2 closed

• Add tutorials and examples for common use cases

  No due date

  •2/7 issues closed
  28% complete5 open2 closed

• Extend support for Git and CI services

  Right now we support GitHub as a version control system and GitHub Actions as the CI and package registry (GitHub releases). We also support GitLab as the Version Control System (VCS), and have limited support for GitLab CI, Jenkins, TravisCI, CircleCI. We need to add or extend support for other Git and CI services: - GitLab CI static analysis (improve support) - GitLab CI API client (add support) - GitLab VCS (allow multiple publicly-hosted services) - BitBucket (add support)

  No due date

  •2/3 issues closed
  66% complete1 open2 closed

• Add support for container-based builders

  We need to add support for container-based builders, the dependencies they introduce, and the corresponding provenances that rare published in the registries.

  No due date

  •1/2 issues closed
  50% complete1 open1 closed

• Extend the source repository finder

  When an artifact is provided to Macaron to analyze, if there is no provenance to uniquely map it to the repository from which the artifact is generated from, Macaron tries to find it in a best-effort fashion. There are multiple aspects to this milestone, such as support for various languages. Currently, Macaron only supports Java packages. Another aspect is to detect the exact commit that corresponds to the artifact.

  No due date

  •10/11 issues closed
  90% complete1 open10 closed

• Add template policies and make the policy engine interface more user friendly

  The CLI front end for the policy engine needs to improve and be easier to use. Additionally, we need to provide template policies based on popular use cases, and document existing relations for advanced users, and add several tutorials.

  No due date

  •0/2 issues closed
  0% complete2 open0 closed

• Allow running checks to be configurable

  We need to allow a list of checks to be included or excluded via a configuration. We also need to allow loading external checks that are not available in this repository, which could be loaded from the file system or a different repository.

  No due date

  •2/3 issues closed
  66% complete1 open2 closed

• Support artifact and provenance files as input

  No due date

  •3/5 issues closed
  60% complete2 open3 closed

• Add support for npm packages

  Macaron should support the npm package manager as a build tool and the provenances generated by npm on GitHub Actions: https://github.blog/2023-04-19-introducing-npm-package-provenance/

  No due date

  •5/7 issues closed
  71% complete2 open5 closed

• Release Macaron as a Python package

  No due date

  •0/2 issues closed
  0% complete2 open0 closed

• Code quality and documentation enhancements

  No due date

  •22/31 issues closed
  70% complete9 open22 closed

• Change the data model to allow analysis at artifact level

  No due date

  •11/19 issues closed
  57% complete8 open11 closed

• Support for SLSA v1.0

  This milestone tracks support for [SLSA v1.0](https://github.com/slsa-framework/slsa/issues/574).

  No due date

  •3/4 issues closed
  75% complete1 open3 closed