{"id":17502631,"url":"https://github.com/northpolesec/santa","last_synced_at":"2026-04-10T21:18:50.341Z","repository":{"id":258335393,"uuid":"865403475","full_name":"northpolesec/santa","owner":"northpolesec","description":"A binary and file access authorization system for macOS.","archived":false,"fork":false,"pushed_at":"2026-01-22T23:34:20.000Z","size":21158,"stargazers_count":509,"open_issues_count":36,"forks_count":39,"subscribers_count":9,"default_branch":"main","last_synced_at":"2026-01-23T10:59:07.493Z","etag":null,"topics":["allowlist","authorization","blocklist","endpoint-security","macos","santa","security","system-extension"],"latest_commit_sha":null,"homepage":"https://northpole.dev","language":"Objective-C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/northpolesec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-09-30T13:29:06.000Z","updated_at":"2026-01-22T21:22:41.000Z","dependencies_parsed_at":"2024-10-26T19:14:24.803Z","dependency_job_id":"d01a7972-d7a1-4d5f-96c0-93c310ce4076","html_url":"https://github.com/northpolesec/santa","commit_stats":{"total_commits":1665,"total_committers":63,"mean_commits":"26.428571428571427","dds":0.6384384384384385,"last_synced_commit":"55d3861766b88ea81b71402b414a43198caba307"},"previous_names":["northpolesec/santa"],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/northpolesec/santa","repository_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/repositories/northpolesec%2Fsanta","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/northpolesec%2Fsanta/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/northpolesec%2Fsanta/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/northpolesec%2Fsanta/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/northpolesec","download_url":"https://codeload.github.com/northpolesec/santa/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/northpolesec%2Fsanta/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28886986,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-29T21:06:44.224Z","status":"ssl_error","status_checked_at":"2026-01-29T21:06:42.160Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["allowlist","authorization","blocklist","endpoint-security","macos","santa","security","system-extension"],"created_at":"2024-10-19T21:14:44.218Z","updated_at":"2026-01-29T22:09:24.375Z","avatar_url":"https://github.com/northpolesec.png","language":"Objective-C++","readme":"# 
Santa\n\n[![license](https://img.shields.io/github/license/northpolesec/santa?style=flat-square\u0026color=lightgray)](https://github.com/northpolesec/santa/blob/main/LICENSE)\n[![CI](https://img.shields.io/github/actions/workflow/status/northpolesec/santa/ci.yml?style=flat-square\u0026label=CI)](https://github.com/northpolesec/santa/actions/workflows/ci.yml)\n[![latest release](https://img.shields.io/github/v/release/northpolesec/santa.svg?style=flat-square)](https://github.com/northpolesec/santa/releases/latest)\n[![latest release date](https://img.shields.io/github/release-date/northpolesec/santa?display_date=published_at\u0026style=flat-square\u0026color=007ec6)](https://github.com/northpolesec/santa/releases/latest)\n[![downloads](https://img.shields.io/github/downloads/northpolesec/santa/latest/total?style=flat-square\u0026color=007ec6)](https://github.com/northpolesec/santa/releases/latest)\n\n\u003cp align=\"center\"\u003e\n    \u003cimg src=\"./docs/static/img/nps-logo-256.png\" height=\"128\" alt=\"Santa Icon\" /\u003e\n\u003c/p\u003e\n\nSanta is a binary and file access authorization system for macOS. 
It consists\nof a system extension that monitors for executions \u0026 file access, and makes\ndecisions based on the contents of a local database, a GUI agent that notifies\nthe user in case of a block decision, a background service for synchronizing\nthe configuration with a remote server, and a command-line utility for managing\nthe system.\n\nIt is named Santa because it keeps track of binaries that are naughty or nice.\n\n# Docs\n\nThe Santa docs are stored in the\n[Docs](https://github.com/northpolesec/santa/blob/main/docs) directory and are published\nat https://northpole.dev.\n\nThe docs include deployment options, details on how parts of Santa work and\ninstructions for developing Santa itself.\n\n# Get Help\n\nIf you have questions or otherwise need help getting started,\nthe [#santa channel on the macadmins slack](https://app.slack.com/client/T04QVKUQG/C0E1VRBGW) is a great place to start.\n\nIf you believe you have a bug, feel free to report [an\nissue](https://github.com/northpolesec/santa/issues) and we'll respond as soon as we\ncan.\n\nIf you believe you've found a vulnerability, please read the\n[security policy](https://github.com/northpolesec/santa/security/policy) for\ndisclosure reporting.\n\n# Features\n\n* Multiple modes: In the default MONITOR mode, all binaries except those marked\n  as blocked will be allowed to run, whilst being logged and recorded in\n  the events database. In LOCKDOWN mode, only listed binaries are allowed to\n  run.\n\n* Event logging: When the system extension is loaded, all binary launches are\n  logged. When in either mode, all unknown or denied binaries are stored in the\n  database to enable later aggregation.\n\n* Code signing-based rules, with override levels: Instead of relying on a\n  binary's hash (or 'fingerprint'), executables can be allowed/blocked by their\n  code signature (through CDHash, Certificate, TeamID or SigningID rules). 
You\n  can therefore allow/block all binaries signed by a publisher or all versions\n  of a signed binary. Rules are applied in most-specific order, which allows you\n  to allow all binaries by a given publisher while blocking one specific\n  signing ID or binary (or vice-versa).\n\n* Path-based rules (via NSRegularExpression/ICU): This allows a similar feature\n  to that found in Managed Client (the precursor to configuration profiles,\n  which used the same implementation mechanism), Application Launch\n  Restrictions via the mcxalr binary. This implementation carries the added\n  benefit of being configurable via regex, and not relying on LaunchServices.\n  As detailed in the wiki, when evaluating rules this holds the lowest\n  precedence.\n\n* Failsafe cert rules: You cannot put in a deny rule that would block the\n  certificate used to sign launchd, a.k.a. pid 1, and therefore all components\n  used in macOS. The binaries in every OS update (and in some cases entire new\n  versions) are therefore automatically allowed. This does not affect binaries\n  from Apple's App Store, which use various certs that change regularly for\n  common apps. Likewise, you cannot block Santa itself.\n\n* Userland components validate each other: each of the userland components (the\n  daemon, the GUI agent and the command-line utility) communicate with each\n  other using XPC and check that their signing certificates are identical\n  before any communication is accepted.\n\n* Caching: allowed binaries are cached so the processing required to make a\n  request is only done if the binary isn't already cached.\n\n# Intentions and Expectations\n\nNo single system or process will stop *all* attacks, or provide 100% security.\nSanta is written with the intention of helping protect users from themselves.\nPeople often download malware and trust it, giving the malware credentials, or\nallowing unknown software to exfiltrate more data about your system. 
As a\ncentrally managed component, Santa can help stop the spread of malware among a\nlarge fleet of machines. Independently, Santa can aid in analyzing what is\nrunning on your computer.\n\nSanta is part of a defense-in-depth strategy, and you should continue to\nprotect hosts in whatever other ways you see fit.\n\n# Known Issues\n\n* Santa only blocks execution (execve and variants); it doesn't protect against\n  dynamic libraries loaded with dlopen, libraries on disk that have been\n  replaced, or libraries loaded using `DYLD_INSERT_LIBRARIES`. Other parts of\n  macOS will usually protect against these avenues, as long as SIP is enabled.\n\n* Scripts: Santa is currently written to ignore any execution that isn't a\n  binary. This is because after weighing the administration cost vs the\n  benefit, we found it wasn't worthwhile. Additionally, a number of\n  applications make use of temporary generated scripts, which we can't possibly\n  allowlist, and not doing so would cause problems. We're happy to revisit this\n  (or at least make it an option) if it would be useful to others.\n\n# Sync Servers\n\n* Santa can synchronize its settings and policies with a management server,\n  allowing for very rapid configuration changes.\n\n  There are several commercial and open-source servers available:\n\n    * [Workshop](https://northpole.security) - Workshop is the official sync\n      server offered by North Pole Security. 
It is fully-featured, fast,\n      scalable, and enterprise-ready.\n    * [Moroz](https://github.com/groob/moroz) - A simple golang server that\n      serves hardcoded rules from simple configuration files.\n    * [Rudolph](https://github.com/airbnb/rudolph) - An AWS-based serverless sync service\n      primarily built on API GW, DynamoDB, and Lambda components to reduce operational burden.\n      Rudolph is designed to be fast, easy-to-use, and cost-efficient.\n    * [Zentral](https://github.com/zentralopensource/zentral/wiki) - A\n      centralized service that pulls data from multiple sources and deploys\n      configurations to multiple services.\n\n* Alternatively, rules can be configured locally using either the\n  [StaticRules](https://northpole.dev/configuration/keys#StaticRules) configuration\n  key or using the `santactl rule` command.\n\n# Screenshots\n\nA tool like Santa doesn't really lend itself to screenshots, so here's a video\ninstead.\n\n\n\u003cp align=\"center\"\u003e \u003cimg src=\"./docs/static/img/santa-block.gif\" alt=\"Santa Block Video\" /\u003e \u003c/p\u003e\n\n# Contributing\nPatches to this project are very much welcome. Please see the\n[CONTRIBUTING](https://northpole.dev/development/contributing) doc.\n\n# Disclaimer\n\nNorth Pole Security and North Pole Security Santa are not affiliated with\nGoogle.\n","funding_links":[],"categories":["Objective-C++"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnorthpolesec%2Fsanta","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnorthpolesec%2Fsanta","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnorthpolesec%2Fsanta/lists"}