Software Supply Chain Security for Python Packages with Macaron

I am excited to announce the release of our open-source project, Macaron version 0.12.0, marking an important milestone in our journey in software supply chain security. Our vision for Macaron is progressively becoming a reality. We provide a comprehensive solution for Python packages: accurately identifying the source-code commit for a package, verifying that commit against provenance when provenances are published, analyzing the build pipeline, and detecting malicious behavior in third-party dependencies. Furthermore, Macaron generates a Verification Summary Attestation (VSA) that other tools can consume to delegate part of their analysis to Macaron. It also supports running your own declarative and flexible policies, written in Datalog, to alert you to unexpected behavior in both third-party dependencies and your own artifacts.

Additionally, we are pleased to report that our efforts and collaborations with academics have led to the identification and removal of over 180 malicious packages from PyPI.

For more information, see the blog post: Detecting Malicious Behavior in the Software Supply Chain - Part 1