Skip to content

Releases: boostsecurityio/poutine

v0.16.0

22 Nov 21:27
4d52b8e
Compare
Choose a tag to compare

Changelog for poutine v0.16.0 🚀

New Features 🌟

  • Finding Metadata Enhancements: Included event_triggers in findings metadata for better insights into triggering events. (#233)

Improvements 🔧

  • Inventory Scanner Refactoring: Refactored the inventory scanner for improved efficiency and maintainability. (#230)
  • Local Actions Resolution: Enhanced handling for resolving repository-local GitHub Actions. (#213)

Dependency Updates ⬆️

  • GitHub Actions:
    • Updated github/codeql-action from v3.26.10 to v3.27.0. (#229)
    • Updated actions/checkout from v4.2.0 to v4.2.2. (#228)
    • Updated actions/upload-artifact from v4.4.0 to v4.4.3. (#227)
    • Updated actions/dependency-review-action from v4.3.4 to v4.4.0. (#226)
  • Go Libraries:
    • Updated github.com/open-policy-agent/opa from v0.69.0 to v0.70.0. (#225)
    • Updated github.com/schollz/progressbar/v3 from v3.16.1 to v3.17.0. (#224)
    • Updated github.com/xanzy/go-gitlab from v0.110.0 to v0.112.0. (#223)

Other Changes ✨

  • Bump Goreleaser: Upgraded Goreleaser to V2 for improved release workflows. (#231)

New Contributors 🤝

Full Changelog 📜

For a detailed diff, see the full changelog.

v0.15.2

29 Oct 12:00
160d529
Compare
Choose a tag to compare

Changelog for poutine v0.15.2 🚀

Improvements 🔧

  • GitHub Native Changelog Formatting: Updated changelog generation to follow GitHub's native format, enhancing readability and consistency. (#208)
  • Gracefully Skip Empty Repositories: Improved handling to skip over empty repositories without errors during analysis. (#209)
  • Poutine Build Platform Advisories: Added platform-specific advisories to the build process, providing more tailored insights. (#221)
  • Git Error Handling Improvements: Enhanced error handling in Git, including resilience during local analysis to allow scanning of folders that are not git repositories. (#222)

Security Updates 🔒

  • Update osv.rego with New GHA CVE: Integrated the latest GitHub Actions CVE from the OSV database for more comprehensive vulnerability scanning. (#210)
  • CVE Database Update: Refreshed CVE database with the latest entries to maintain up-to-date security checks. (#211)

Dependency Updates 📦

  • sigstore/cosign-installer: Bumped cosign-installer from v3.5.0 to v3.6.0 for enhanced functionality. (#200)
  • actions/upload-artifact: Updated to v4.4.0 for improved artifact handling in GitHub Actions. (#201)
  • ossf/scorecard-action: Upgraded to v2.4.0 for the latest enhancements in scorecard assessments. (#202)
  • Go 1.23 Update: Updated to Go v1.23 as part of general dependency and compatibility improvements. (#220)
  • actions/checkout: Increased to v4.2.0 for streamlined workflows. (#217)
  • step-security/harden-runner: Upgraded to v2.10.1 to strengthen security in CI workflows. (#216)
  • github/codeql-action: Updated to v3.26.10 for more effective code scanning capabilities. (#215)

Full Changelog 📜

For a detailed diff of all changes, see the full changelog.

v0.15.1

09 Sep 15:25
e4aab7e
Compare
Choose a tag to compare

Changelog for poutine v0.15.1 🚀

Improvements 🔧

  • GitHub Actions Parsing: Adjusted how GitHub Actions are parsed for improved accuracy and functionality. (#192)
  • Repo Metadata: Enhanced repository metadata handling for better data management and insights. (#193)
  • Pipelines As Code Documentation: Added documentation for Pipelines As Code to help developers integrate and understand the new feature. (#188)

Bug Fixes 🐛

  • Fix Analyze Org Data Race: Resolved a data race issue in the organization data analysis feature to improve stability. (#198)
  • GitHub Client URL Handling: Fixed an issue where the GitHub client did not respect the --scm-base-url flag. (#189)
  • URL Resolution with Base URL: Resolved an issue where URL finding did not correctly use the --scm-base-url. (#196)

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.15.0

02 Aug 17:26
b8181bf
Compare
Choose a tag to compare

Changelog for poutine v0.15.0 🚀

New Features 🌟

  • Tekton (Pipeline as Code): Added support for Tekton pipelines (Pipeline as Code). (#174)

Improvements 🔧

  • SARIF Report Version: Added actual version in SARIF report for better accuracy and tracking. (#173)

Dependency Updates ⬆️

  • Upload Artifact Action: Bumped actions/upload-artifact from 4.3.3 to 4.3.4 for enhanced artifact handling. (#183)
  • Dependency Review Action: Updated actions/dependency-review-action from 4.3.3 to 4.3.4 for improved dependency analysis. (#182)
  • CodeQL Action: Bumped github/codeql-action from 3.25.11 to 3.25.15 for better code analysis. (#181)
  • Setup Go Action: Updated actions/setup-go from 5.0.1 to 5.0.2 for better Go environment setup. (#180)
  • GitLab Client: Bumped github.com/xanzy/go-gitlab from 0.106.0 to 0.107.0 for improved GitLab API interactions. (#179)
  • SARIF Library: Updated github.com/owenrumney/go-sarif/v2 from 2.3.1 to 2.3.3 for enhanced SARIF report handling. (#178)
  • Progress Bar: Bumped github.com/schollz/progressbar/v3 from 3.14.4 to 3.14.5 to improve progress tracking. (#177)
  • Open Policy Agent: Updated github.com/open-policy-agent/opa from 0.66.0 to 0.67.0 for better policy management. (#176)
  • Viper: Bumped github.com/spf13/viper from 1.18.2 to 1.19.0 for improved configuration management. (#175)

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.14.0

25 Jul 16:13
573ab0b
Compare
Choose a tag to compare

Changelog for poutine v0.14.0 🚀

Also 😁

New Features 🌟

  • Azure DevOps Pipeline Support: Added full support for Azure DevOps Pipelines, including ADO Debug mode and "pwn request" detection, expanding the compatibility of poutine with various CI/CD platforms. (#160, #168, #169, #170)

Improvements 🔧

  • CVE Detection Enhancement: Improved GitHub Enterprise / Self-hosted GitLab CVE detection, including updates to the Build Platform CVE Database. (#140, #166)
  • Rules Configuration: Introduced rules configuration for pr_runs_on_self_hosted, providing more control over pull request executions on self-hosted runners. (#159)
  • Dagger Module: Introduced a new Dagger module for improved build and deployment workflows. (#154)
  • Version Handling: Readded version flags for GoReleaser to enhance the release process. (#153)
  • Analyze Command: Updated the analyze command to set PURL version with the provided reference for more accurate analysis. (#152)
  • Simplified Repo Parsing: Simplified the process of parsing repository files to improve efficiency and reliability. (#167)

Dependency Updates ⬆️

  • Open Policy Agent: Bumped github.com/open-policy-agent/opa from 0.65.0 to 0.66.0 for improved policy management. (#150)
  • OAuth2: Updated golang.org/x/oauth2 from 0.20.0 to 0.21.0 for better authentication support. (#149)
  • Progress Bar: Bumped github.com/schollz/progressbar/v3 from 3.14.3 to 3.14.4 to enhance progress tracking. (#147)
  • Dependency Review Action: Updated actions/dependency-review-action from 4.3.2 to 4.3.3 for enhanced dependency analysis. (#145)
  • Harden Runner: Bumped step-security/harden-runner from 2.7.1 to 2.8.1 for improved security during GitHub Actions. (#144)
  • Checkout Action: Updated actions/checkout from 4.1.4 to 4.1.7 for better repository access in workflows. (#142)
  • CodeQL Action: Bumped github/codeql-action from 3.25.7 to 3.25.11 for enhanced code analysis. (#141)
  • GitLab Client: Updated github.com/xanzy/go-gitlab from 0.105.0 to 0.106.0 for improved GitLab API interactions. (#148)

Release Process Changes 🔧

  • Dockerfile Addition: Added a Dockerfile and upgraded the Git image to streamline the containerization process. (#139)
  • MAINTAINERS.md Update: Removed @becojo from the MAINTAINERS.md file. (#162) 😢 😭 👋

Contributions 🤝

  • Thanks to all contributors for continuing to improve poutine, ensuring it remains a robust tool for securing CI pipelines.

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.13.0

26 Jun 14:53
fcaa6ac
Compare
Choose a tag to compare

Changelog for poutine v0.13.0 🚀

Fixes 🛠️

  • Fixes crash when running without config: (#138)

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.12.0

25 Jun 19:42
a58a7b7
Compare
Choose a tag to compare

Changelog for poutine v0.12.0 🚀

New Features 🌟

  • Quiet Mode: Added a new --quiet option to minimize output verbosity during scans, helping streamline outputs for automated processes. (#134)
  • Security Rule: Introduced the unverified_script_exec rule to detect potentially unsafe script executions in CI environments. (#129)

Improvements 🔧

  • Custom References: Enhanced the analyze_repo command to accept custom references, enabling more precise analysis across different repo states. (#131)
  • Homebrew Integration: Updated documentation to refer to the new Homebrew core formula, simplifying installation processes. (#124)
  • Open Policy Agent (OPA): Exposed new JSON marshalling options in OPA, enhancing flexibility in policy definitions. (#133)

Fixes 🛠️

  • Dependency Handling: Improved error avoidance by preventing a second Rego compilation during JSON format operations. (#132)

Dependency Updates ⬆️

  • Retryable HTTP: Bumped github.com/hashicorp/go-retryablehttp to leverage enhancements in retry logic and error handling. (#135)

Release process changes 🔧

  • Release Process: Updated .goreleaser.yaml and removed reference to local tap. (#136), (#128)

Contributions 🤝

  • Thanks to all contributors for continuing to improve poutine, ensuring it remains a robust tool for securing CI pipelines.

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.11.0

14 Jun 14:58
2eaad6d
Compare
Choose a tag to compare

Changelog for poutine v0.11.0 🚀

New Features 🌟

  • GitHub Actions Security: Added detection for the usage of GitHub Actions debug variables. (#88)
  • Vulnerability Scanning: Introduced provider-level vulnerability scanning. A draft version of Gitlab on-premise / GitHub Enterprise CVE checks. (#90)
  • GitHub Pages Documentation: Launched Hugo geekdoc theme and added rendering and deployment for GitHub Pages documentation. Documentation can be found at https://boostsecurityio.github.io/poutine/ (#91, #92)

Improvements 🔧

  • Enhanced --scm-base-url option to be more robust, more lenient to different formats. (#95)
  • Updated GitHub Action workflow configurations for improved path handling. (#96)
  • Improved documentation links to point to GitHub Pages and updated README. (#97, #103)
  • Enhanced enumeration in GetOrgRepos for more accurate GitHub organization repository listings. (#118)

Fixes 🛠️

  • Improved version range detection in CVE database. (#116)
  • Fixed issues with debug_enabled flag on steps and improved error handling. (#117)
  • Various improvements to Git error handling, including trimming whitespace and redacting tokens in errors. (#120, #121)

Dependency Updates ⬆️

  • Multiple dependencies have been updated to their latest versions, improving security and stability:
    • Actions and GitHub Integrations: Updated actions/create-github-app-token, actions/setup-go, goreleaser/goreleaser-action, github/codeql-action, and more. (PRs #104 to #108)
    • Go Libraries: Updated github.com/rs/zerolog, github.com/package-url/packageurl-go, github.com/hashicorp/go-version, github.com/schollz/progressbar/v3, github.com/open-policy-agent/opa, and others. (PRs #109 to #113, #111)

Contributions 🤝

Full Changelog 📜

For a detailed diff, see the full changelog.

v0.10.1

15 May 19:23
8aff818
Compare
Choose a tag to compare

Changelog

  • ccbd195 Fix Gitlab Scanning and Fork Ignore (#84)
  • 6f6f4e4 change var names to match buildflags set by goreleaser (#81)
  • 8aff818 gitlab: fix parsing error on scalar includes (#86)

v0.10.0

13 May 15:52
1e23b68
Compare
Choose a tag to compare

Warning this feature has breaking changes in the CLI arguments.

New features

  • version command (commit)
  • Allow for configuration of OPA rules (#60)
  • Add CLI flag for configuration file (#61)
  • Add support for new attestations permissions (#62)
  • BREAKING CHANGE : Switch to Cobra / Viper for CLI parsing (#65) -- See notes
  • Allow loading optional Rego rules (#66)
  • Support untrusted code checkout exec with workflow_run (#68)
  • Add option to filter forks (--ignore-forks) (#73)

Bug fixes

  • fixed handling of environment names in GitHub Actions workflows (#56)
  • add debug logs on workflow parsing errors (#59)
  • Fix verbose logging (#67)
  • Hard fail with no repo returned - handles cases where you make a typo in org name (#79 , #80 )

Chores

  • Updated various GitHub Actions and other dependencies
  • Avoid using caches with setup-go

Changelog

  • 9ae3527 Add Filter Out Forks For Analyze Org (#73)
  • c1a275a Add Version Command
  • 7ea7e88 Bump actions/checkout from 4.1.1 to 4.1.4 (#42)
  • dae4c74 Bump actions/dependency-review-action from 2.5.1 to 4.3.2 (#43)
  • a5446f0 Bump actions/upload-artifact from 3.1.3 to 4.3.3 (#46)
  • eeacf8c Bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.1 (#48)
  • 8d2db62 Bump github/codeql-action from 2.24.10 to 3.25.3 (#45)
  • 28464c0 Bump step-security/harden-runner from 2.7.0 to 2.7.1 (#44)
  • e096b80 Error out when we encounter an organization with no repos present. That could indicate improper auth or a typo in the org name. Added skipping of printing the results if no findings are present (#79)
  • 1db7a09 Opa config (#60)
  • 05f27f2 Update release.yml (#72)
  • a7fa79b [Breaking Changes] Switch to Use Cobra/Viper for CLI and Config Handling (#64)
  • cb6ce21 add cli flag for config file path (#61)
  • 41dc64c add debug logs on workflow parsing errors (#59)
  • e0d6048 add github actions attestations scope to write-all (#62)
  • 3b4b230 adding ignore-forks flag example and config file (#77)
  • 140abab fix: ensure CLI args don't equal to legacyFlag (#66)
  • 28572a4 fix: github actions handle string environment name (#56)
  • 3b7e231 fix: verbose log level (#67)
  • 49a9cf9 load additional Rego files (#65)
  • 1e23b68 only the pretty formatter should skip outputing (#80)
  • 279c380 untrusted_checkout_exec: consider workflow_run triggered from PRs (#68)
  • fc37055 use viper.SetConfigName (#69)