Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/boostsecurityio/poutine
boostsecurityio/poutine
https://github.com/boostsecurityio/poutine
ci cli devops devsecops gh-extension github github-actions golang security security-scanner supply-chain supply-chain-security
Last synced: about 2 months ago
JSON representation
boostsecurityio/poutine
- Host: GitHub
- URL: https://github.com/boostsecurityio/poutine
- Owner: boostsecurityio
- License: apache-2.0
- Created: 2024-04-09T17:59:41.000Z (9 months ago)
- Default Branch: main
- Last Pushed: 2024-10-29T11:58:12.000Z (2 months ago)
- Last Synced: 2024-10-29T14:33:18.071Z (2 months ago)
- Topics: ci, cli, devops, devsecops, gh-extension, github, github-actions, golang, security, security-scanner, supply-chain, supply-chain-security
- Language: Go
- Homepage:
- Size: 5.69 MB
- Stars: 226
- Watchers: 7
- Forks: 22
- Open Issues: 17
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
Awesome Lists containing this project
- awesome-cicd-security - poutine - A security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. (Tools / ArgoCD)
README
[](https://www.bestpractices.dev/projects/8787)
[](https://securityscorecards.dev/viewer/?uri=github.com/boostsecurityio/poutine)
[](https://pkg.go.dev/github.com/boostsecurityio/poutine)
[](https://goreportcard.com/report/github.com/boostsecurityio/poutine)
[](https://slsa.dev)
[](https://boostsecurityio.github.io/poutine/)
# `poutine`
Created by [BoostSecurity.io](https://boostsecurity.io), `poutine` is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. It supports parsing CI workflows from GitHub Actions and Gitlab CI/CD. When given an access token with read-level access, `poutine` can analyze all the repositories of an organization to quickly gain insights into the security posture of the organization's software supply chain.
See the [documentation](docs/content/en/rules) for a list of rules currently supported by `poutine`.
## Why `poutine`?
In French, the word "poutine", when not referring to the [dish](https://en.wikipedia.org/wiki/Poutine), can be used to mean "messy". Inspired by the complexity and intertwined dependencies of modern open-source projects, `poutine` reflects both a nod to our Montreal roots and the often messy, complex nature of securing software supply chains.
## Supported Platforms
- GitHub Actions
- Gitlab Pipelines
- Azure DevOps
- Pipelines As Code Tekton
## Getting Started
### Installation
To install `poutine`, download the latest release from the [releases page](https://github.com/boostsecurityio/poutine/releases) and add the binary to your $PATH.
#### Homebrew
``` bash
brew install poutine
```
#### Docker
``` bash
docker run -e GH_TOKEN ghcr.io/boostsecurityio/poutine:latest
```
#### GitHub Actions
```yaml
...
jobs:
poutine:
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
#################################################################################################
- name: poutine - GitHub Actions SAST
uses: boostsecurityio/poutine-action@main # We recommend to use a tagged version and pin it
#################################################################################################
- name: Upload poutine SARIF file
uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
with:
sarif_file: results.sarif
```
### Usage
``` bash
poutine [command] [arguments] [options]
```
#### Analyze a local repository
``` bash
poutine analyze_local .
```
#### Analyze a remote GitHub repository
```bash
poutine analyze_repo org/repo --token "$GH_TOKEN"
```
#### Analyze all repositories in a GitHub organization
```bash
poutine analyze_org org --token "$GH_TOKEN"
```
#### Analyze all projects in a self-hosted Gitlab instance
``` bash
poutine analyze_org my-org/project --token "$GL_TOKEN" --scm gitlab --scm-base-uri https://gitlab.example.com
```
### Configuration Options
```
--token SCM access token (required for the commands analyze_repo, analyze_org) (env: GH_TOKEN)
--format Output format (default: pretty, json, sarif)
--ignore-forks Ignore forked repositories in the organization(analyze_org)
--scm SCM platform (default: github, gitlab)
--scm-base-uri Base URI of the self-hosted SCM instance
--threads Number of threads to use (default: 2)
--config Path to the configuration file (default: .poutine.yml)
--verbose Enable debug logging
```
See [.poutine.sample.yml](.poutine.sample.yml) for an example configuration file.
## Building from source
Building `poutine` requires Go 1.23.
```bash
git clone https://github.com/boostsecurityio/poutine.git
cd poutine
make build
```
## Development
### Updating Build Platform CVE Database
```bash
go test -tags build_platform_vuln_database ./...
opa fmt -w opa/rego/external/build_platform.rego
```
## See Also
For examples of vulnerabilities in GitHub Actions workflows, you can explore the [Messy poutine GitHub organization](https://github.com/messypoutine). It showcases real-world vulnerabilities from open-source projects readily exploitable for educational purposes.
To get started with some hints, try using `poutine` to analyze the `messypoutine` organization:
``` bash
poutine analyze_org messypoutine --token `gh auth token`
```
You may submit the flags you find in a [private vulnerability disclosure](https://github.com/messypoutine/.github/security/advisories/new).
## License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.