Created by BoostSecurity.io, poutine
is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. It supports parsing CI workflows from GitHub Actions and Gitlab CI/CD. When given an access token with read-level access, poutine
can analyze all the repositories of an organization to quickly gain insights into the security posture of the organization's software supply chain.
See the documentation for a list of rules currently supported by poutine
.
In French, the word "poutine", when not referring to the dish, can be used to mean "messy". Inspired by the complexity and intertwined dependencies of modern open-source projects, poutine
reflects both a nod to our Montreal roots and the often messy, complex nature of securing software supply chains.
- GitHub Actions
- Gitlab Pipelines
- Azure DevOps
- Pipelines As Code Tekton
To install poutine
, download the latest release from the releases page and add the binary to your $PATH.
brew install poutine
docker run -e GH_TOKEN ghcr.io/boostsecurityio/poutine:latest
...
jobs:
poutine:
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
#################################################################################################
- name: poutine - GitHub Actions SAST
uses: boostsecurityio/poutine-action@main # We recommend to use a tagged version and pin it
#################################################################################################
- name: Upload poutine SARIF file
uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
with:
sarif_file: results.sarif
poutine [command] [arguments] [options]
poutine analyze_local .
poutine analyze_repo org/repo --token "$GH_TOKEN"
poutine analyze_org org --token "$GH_TOKEN"
poutine analyze_org my-org/project --token "$GL_TOKEN" --scm gitlab --scm-base-uri https://gitlab.example.com
--token SCM access token (required for the commands analyze_repo, analyze_org) (env: GH_TOKEN)
--format Output format (default: pretty, json, sarif)
--ignore-forks Ignore forked repositories in the organization(analyze_org)
--scm SCM platform (default: github, gitlab)
--scm-base-uri Base URI of the self-hosted SCM instance
--threads Number of threads to use (default: 2)
--config Path to the configuration file (default: .poutine.yml)
--verbose Enable debug logging
See .poutine.sample.yml for an example configuration file.
Building poutine
requires Go 1.23.
git clone https://github.com/boostsecurityio/poutine.git
cd poutine
make build
go test -tags build_platform_vuln_database ./...
opa fmt -w opa/rego/external/build_platform.rego
For examples of vulnerabilities in GitHub Actions workflows, you can explore the Messy poutine GitHub organization. It showcases real-world vulnerabilities from open-source projects readily exploitable for educational purposes.
To get started with some hints, try using poutine
to analyze the messypoutine
organization:
poutine analyze_org messypoutine --token `gh auth token`
You may submit the flags you find in a private vulnerability disclosure.
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.