whatisgithub

What is santa?

google/santa — explained in plain English

Analysis updated 2026-06-26

4,515Objective-C++Audience · ops devopsComplexity · 4/5LicenseSetup · hard

In one sentence

Santa is a macOS security tool that controls which programs can run on a computer by intercepting every execution attempt and checking it against allow or block rules, useful for IT teams locking down managed machines.

Mindmap

mindmap
  root((Santa))
    Execution Control
      Monitor mode
      Lockdown mode
      Block notifications
    Rule Types
      Hash based rules
      Certificate based rules
      Path regex rules
    Sync System
      Central server push
      Rule distribution
      Execution logging
    Limitations
      No script rules
      No dynamic libraries
      Archived project
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Lock down company Macs so only approved software can run, blocking malware or unauthorized apps automatically.

USE CASE 2

Audit what programs are running across a fleet of machines before rolling out stricter security policies.

USE CASE 3

Centrally manage allow and block rules across many computers from a single sync server.

USE CASE 4

Allow all software from a trusted developer certificate without needing a rule for every version they release.

What is it built with?

Objective-C++macOSkernel extensioncertificate signing

How does it compare?

google/santakhronosgroup/moltenvkfacebook/componentkit
Stars4,5155,6215,764
LanguageObjective-C++Objective-C++Objective-C++
Setup difficultyhardhardmoderate
Complexity4/54/54/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1day+

Requires macOS system-level permissions and a kernel extension. Organizations need a sync server for fleet management. Note: Google archived this project in 2025, consider northpolesec/santa for active support.

Open source license, free to use and modify. The project is archived, active development continues at the northpolesec/santa fork.

So what is it?

Santa is a security tool for macOS that controls which programs are allowed to run on a computer. It sits at the operating system level and intercepts every attempt to execute a file, then checks that file against a set of rules before deciding whether to allow or block it. A notification is shown to the user if something is blocked. The tool has two operating modes. In the default monitor mode, almost everything is allowed to run, but all executions are logged. This is useful for learning what software runs on a machine before applying stricter controls. In lockdown mode, only explicitly approved software is allowed to run and everything else is blocked by default. Rules can be written in several ways. The most specific is a hash-based rule that matches one exact version of a file. A broader option is a certificate-based rule, which allows or blocks any program signed by a particular developer certificate. This means a rule covers all versions of a piece of software as long as it is still signed by the same company. There are also path-based rules using regular expressions, which have the lowest priority when multiple rules apply. For organizations managing many machines, Santa includes a sync mechanism that lets a central server push rule updates to all managed computers and collect logs of what has run. Several open-source sync server options exist for this purpose. Santa is designed as one layer in a broader security approach, not a complete solution on its own. It does not protect against dynamically loaded code libraries, and it does not apply rules to scripts, only to compiled binaries. As of 2025, Google is no longer maintaining this project. The README points users toward an actively maintained fork at northpolesec/santa.

Copy-paste prompts

Prompt 1
I'm using google/santa on macOS. How do I create a certificate-based rule to allow all software signed by a specific developer, and how do I apply it using santactl?
Prompt 2
I'm setting up google/santa in monitor mode to audit my Mac fleet before switching to lockdown mode. What logs does it generate and where are they stored?
Prompt 3
I want to run a sync server for google/santa to push rules to multiple managed Macs. Which open-source sync server options are available and how do I configure Santa to point to one?
Prompt 4
Explain the priority order of Santa's rule types, hash rules vs certificate rules vs path regex rules, and when I should use each one.
Prompt 5
Google archived google/santa. How do I migrate to the northpolesec/santa fork while keeping my existing rules and sync server configuration?

Frequently asked questions

What is santa?

Santa is a macOS security tool that controls which programs can run on a computer by intercepting every execution attempt and checking it against allow or block rules, useful for IT teams locking down managed machines.

What language is santa written in?

Mainly Objective-C++. The stack also includes Objective-C++, macOS, kernel extension.

What license does santa use?

Open source license, free to use and modify. The project is archived, active development continues at the northpolesec/santa fork.

How hard is santa to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is santa for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.