poutine

command module
v0.9.10 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 15, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

README

build CodeQL Go Reference Go Report Card SLSA 3

poutine

Created by BoostSecurity.io, poutine is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. It supports parsing CI workflows from GitHub Actions and Gitlab CI/CD. When given an access token with read-level access, poutine can analyze all the repositories of an organization to quickly gain insights into the security posture of the organization's software supply chain.

See the documentation for a list of rules currently supported by poutine.

Why poutine?

In French, the word "poutine", when not referring to the dish, can be used to mean "messy". Inspired by the complexity and intertwined dependencies of modern open-source projects, poutine reflects both a nod to our Montreal roots and the often messy, complex nature of securing software supply chains.

Getting Started

Installation

To install poutine, download the latest release from the releases page and add the binary to your $PATH.

Homebrew
brew install boostsecurityio/tap/poutine
Docker
docker run -e GH_TOKEN ghcr.io/boostsecurityio/poutine:latest
Usage
poutine [options] [command] [arguments]
Analyze a local repository
poutine analyze_local .
Analyze a remote GitHub repository
poutine -token "$GH_TOKEN" analyze_repo org/repo
Analyze all repositories in a GitHub organization
poutine -token "$GH_TOKEN" analyze_org org
Analyze all projects in a self-hosted Gitlab instance
poutine -token "$GL_TOKEN" -scm gitlab -scm-base-uri https://gitlab.example.com analyze_org my-org/project
Configuration Options
-token          SCM access token (required for the commands analyze_repo, analyze_org) (env: GH_TOKEN)
-format         Output format (default: pretty, json, sarif)
-scm            SCM platform (default: github, gitlab)
-scm-base-uri   Base URI of the self-hosted SCM instance
-threads        Number of threads to use (default: 2)
-verbose        Enable debug logging

Building from source

Building poutine requires Go 1.22.

git clone https://github.com/boostsecurityio/poutine.git
cd poutine
make build

See Also

For examples of vulnerabilities in GitHub Actions workflows, you can explore the Messy poutine GitHub organization. It showcases real-world vulnerabilities from open-source projects readily exploitable for educational purposes.

To get started with some hints, try using poutine to analyze the messypoutine organization:

poutine -token `gh auth token` analyze_org messypoutine

You may submit the flags you find in a private vulnerability disclosure.

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
Package analyze can analyze things.
 Package analyze can analyze things.
formatters
json
pretty
sarif
providers
github
gitlab
gitops
local
pkgsupply
scm

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.