Macaron is a supply chain security analysis tool which focuses on the build integrity of an artifact and the artifact dependencies

Project Details



Macaron is a supply chain security analysis tool which focuses on the build integrity of an artifact and the artifact dependencies

Project Overview

Macaron is a supply chain security analysis tool from Oracle Labs, which focuses on the build integrity of an artifact and the artifact dependencies. It is based on the Supply chain Levels for Software Artifacts (SLSA) specification, which aims at preventing some of the software supply chain attacks as the systems get more complex, especially with respect to the use of open-source third-party code in applications. Attacks include stealing credentials, injecting malicious code etc., and it is critical to have security assurance on the third-party code to guarantee that the integrity of the code has not been compromised.

Macaron uses SLSA requirements specifications v0.1 to define concrete rules for protecting software integrity that can be checked for compliance requirements automatically. Macaron provides a customizable checker platform that makes it easy to define checks that depend on each other. This is particularly useful for implementing checks for SLSA levels. In addition, Macaron also checks a user-specified policy for the repository to detect unexpected behavior in the build process. Macaron is a work-in-progress project and currently supports Maven and Gradle Java build systems only. We plan to support build systems for other languages, such as Python in future.

Learn more and get started with Macaron on GitHub.


Principal Investigator

Behnaz Hassanshahi

Principal Researcher

Behnaz Hassanshahi is a Principal Researcher at Oracle Labs Australia. In her current role, Behnaz is leading project Macaron, a supply chain security analysis tool for open source projects. She is also working on static security analysis of Oracle Cloud Infrastructure.

In her previous project, Behnaz was the technical lead of Gelato, a Dynamic Application Security Testing (DAST) tool that analyses client-side JavaScript applications to find security vulnerabilities both at the client and server side of web applications. Gelato is now used as a product in Oracle. During the past few years, Behnaz has also explored various static and dynamic analysis as well as fuzzing techniques to analyse client-side and server-side JavaScript programs.

This is her second stint at Oracle Labs. When Behnaz worked here in 2015 as an intern in the Java Vulnerability Detection team, she designed an adaptive points-to framework that scales over OpenJDK.

After graduating from Amirkabir University of Technology (Tehran) in 2010 with a Bachelor of Science (Software Engineering), Behnaz did her PhD at the National University of Singapore. While at NUS, she was also awarded the Singapore International Graduate Award, and was a member of the Security Research Group.

Her thesis topic – Characterization, Detection and Exploitation of Injection Attacks in Android – and the security research prepared her well for her work at Oracle.

Behnaz conducts research in the area of  program analysis and its intersection with computer security that will improve the security of large complex software.


* PhD in Computer Science, 2011-2016, National University of Singapore

* BSc in Software Engineering, 2006–2010, Amirkabir University of Technology

Recent and upcoming events:

USENIX Security'24 (PC member)

USENIX Security'23 (PC member) and received a Noteworthy Reviewer award

SecDev'22 (Publicity Chair)

ISSTA'22 (PC member)

iMentor, CCS'21 (Panelist)

SCAM'21 - Engineering Track (Program Chair)

ACSAC'21 (PC member)

SCAM'20 (PC member)

ACSAC'20 (PC member)