explaingit

google/santa

4,515 · Objective-C++ · Audience · ops devops · Complexity · 4/5 · License · Setup · hard

TLDR

Santa is a macOS security tool that controls which programs can run on a computer by intercepting every execution attempt and checking it against allow or block rules, useful for IT teams locking down managed machines.

Mindmap

mindmap
  root((Santa))
    Execution Control
      Monitor mode
      Lockdown mode
      Block notifications
    Rule Types
      Hash based rules
      Certificate based rules
      Path regex rules
    Sync System
      Central server push
      Rule distribution
      Execution logging
    Limitations
      No script rules
      No dynamic libraries
      Archived project

Things people build with this

USE CASE 1

Lock down company Macs so only approved software can run, blocking malware or unauthorized apps automatically.

USE CASE 2

Audit what programs are running across a fleet of machines before rolling out stricter security policies.

USE CASE 3

Centrally manage allow and block rules across many computers from a single sync server.

USE CASE 4

Allow all software from a trusted developer certificate without needing a rule for every version they release.

Tech stack

Objective-C++ · macOS · kernel extension · certificate signing

Getting it running

Difficulty · hard · Time to first run · 1 day+

Requires macOS system-level permissions and a kernel extension. Organizations need a sync server for fleet management. Note: Google archived this project in 2025; consider northpolesec/santa for active support.

Open source license, free to use and modify. The project is archived; active development continues at the northpolesec/santa fork.

In plain English

Santa is a security tool for macOS that controls which programs are allowed to run on a computer. It sits at the operating system level and intercepts every attempt to execute a file, then checks that file against a set of rules before deciding whether to allow or block it. A notification is shown to the user if something is blocked.

The tool has two operating modes. In the default monitor mode, almost everything is allowed to run, but all executions are logged. This is useful for learning what software runs on a machine before applying stricter controls. In lockdown mode, only explicitly approved software is allowed to run and everything else is blocked by default.

Rules can be written in several ways. The most specific is a hash-based rule that matches one exact version of a file. A broader option is a certificate-based rule, which allows or blocks any program signed by a particular developer certificate. This means a rule covers all versions of a piece of software as long as it is still signed by the same company. There are also path-based rules using regular expressions, which have the lowest priority when multiple rules apply.

For organizations managing many machines, Santa includes a sync mechanism that lets a central server push rule updates to all managed computers and collect logs of what has run. Several open-source sync server options exist for this purpose.

Santa is designed as one layer in a broader security approach, not a complete solution on its own. It does not protect against dynamically loaded code libraries, and it does not apply rules to scripts, only to compiled binaries.

As of 2025, Google is no longer maintaining this project. The README points users toward an actively maintained fork at northpolesec/santa.
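The rule precedence and mode defaults described above, as a simplified model added here (not code from Santa or from this page). The field names, the tie-break within one rule type, and all sample values are assumptions made for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Simplified model of the precedence described above; not Santa's code.
PRECEDENCE = ("hash", "certificate", "path_regex")  # most specific first

@dataclass(frozen=True)
class Rule:
    kind: str    # "hash", "certificate" or "path_regex" (hypothetical names)
    match: str   # file hash, signing-certificate id, or regex over the path
    policy: str  # "allow" or "block"

@dataclass(frozen=True)
class Execution:
    path: str
    file_hash: str
    cert_id: str | None  # None for an unsigned binary

# Constructed sample rules; the values are placeholders, not real hashes.
SAMPLE_RULES = [
    Rule("certificate", "CERT-VENDOR-A", "allow"),
    Rule("hash", "HASH-VENDOR-A-TOOL-1.2", "block"),
    Rule("path_regex", r"^/Users/[^/]+/Downloads/", "block"),
]

def _matches(rule: Rule, ex: Execution) -> bool:
    if rule.kind == "hash":
        return rule.match == ex.file_hash
    if rule.kind == "certificate":
        return ex.cert_id is not None and rule.match == ex.cert_id
    if rule.kind == "path_regex":
        return re.search(rule.match, ex.path) is not None
    raise ValueError(f"unknown rule kind: {rule.kind}")

def decide(ex: Execution, rules: list[Rule], mode: str) -> tuple[str, str]:
    """Return (decision, reason); the most specific matching rule wins."""
    if mode not in ("monitor", "lockdown"):
        raise ValueError(f"unknown mode: {mode}")
    for kind in PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and _matches(r, ex)]
        if hits:
            # Assumption: within one rule type, a block rule beats an allow rule.
            blocked = any(r.policy == "block" for r in hits)
            return ("block" if blocked else "allow"), f"{kind} rule"
    # No rule matched: the operating mode supplies the default.
    if mode == "monitor":
        return "allow", "monitor default"
    return "block", "lockdown default"
```

The sample rules show two consequences of the ordering: one known-bad version from an otherwise trusted signer can be blocked by hash, and a path block does not override a certificate allow.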

Copy-paste prompts

Prompt 1
I'm using google/santa on macOS. How do I create a certificate-based rule to allow all software signed by a specific developer, and how do I apply it using santactl?
Prompt 2
I'm setting up google/santa in monitor mode to audit my Mac fleet before switching to lockdown mode. What logs does it generate and where are they stored?
Prompt 3
I want to run a sync server for google/santa to push rules to multiple managed Macs. Which open-source sync server options are available and how do I configure Santa to point to one?
Prompt 4
Explain the priority order of Santa's rule types, hash rules vs certificate rules vs path regex rules, and when I should use each one.
Prompt 5
Google archived google/santa. How do I migrate to the northpolesec/santa fork while keeping my existing rules and sync server configuration?

Verify against the repo before relying on details.