---
title: "Transitive Allowlisting - Santa Docs"
description: "Transitive Allowlisting - Open source binary authorization for macOS. Configure, deploy, and extend the agent that powers Workshop."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/docs/santa/cookbook/transitive"
---
# Transitive Allowlisting

This page lists well-known and/or community-contributed Transitive Allowlisting rules for various compiler toolchains.

For each toolchain it’s important to note that the last binary that writes to the new binary is the one that should have a rule.

## Xcode

To cover Xcode you will either need `ld`, `lipo`, or `codesign`, depending on how the project is configured:

-   `platform:com.apple.ld`
-   `platform:com.apple.lipo`
-   `platform:com.apple.security.codesign`

One important caveat: adding an `ALLOWLIST_COMPILER` rule for the codesign utility could potentially allow any binary to be re-signed and executed.

## Sitemap

- [Home](https://northpole.security/index.md)
- [Workshop](https://northpole.security/workshop.md)
- [Santa](https://northpole.security/santa.md)
- [Features](https://northpole.security/features.md)
- [Cookbook](https://northpole.security/cookbook.md)
- [Docs](https://northpole.security/docs.md)
- [Blog](https://northpole.security/blog.md)
- [Glossary](https://northpole.security/glossary.md)
- [About](https://northpole.security/about.md)
- [Contact](https://northpole.security/contact.md)