Releases: boostsecurityio/poutine
v0.16.0
Changelog for poutine
v0.16.0 🚀
New Features 🌟
- Finding Metadata Enhancements: Included `event_triggers` in findings metadata for better insights into triggering events. (#233)
Improvements 🔧
- Inventory Scanner Refactoring: Refactored the inventory scanner for improved efficiency and maintainability. (#230)
- Local Actions Resolution: Enhanced handling for resolving repository-local GitHub Actions. (#213)
Dependency Updates ⬆️
- GitHub Actions:
- Go Libraries:
Other Changes ✨
- Bump Goreleaser: Upgraded Goreleaser to V2 for improved release workflows. (#231)
New Contributors 🤝
Full Changelog 📜
For a detailed diff, see the full changelog.
v0.15.2
Changelog for poutine
v0.15.2 🚀
Improvements 🔧
- GitHub Native Changelog Formatting: Updated changelog generation to follow GitHub's native format, enhancing readability and consistency. (#208)
- Gracefully Skip Empty Repositories: Improved handling to skip over empty repositories without errors during analysis. (#209)
- Poutine Build Platform Advisories: Added platform-specific advisories to the build process, providing more tailored insights. (#221)
- Git Error Handling Improvements: Enhanced error handling in Git, including resilience during local analysis to allow scanning of folders that are not git repositories. (#222)
Security Updates 🔒
- Update osv.rego with New GHA CVE: Integrated the latest GitHub Actions CVE from the OSV database for more comprehensive vulnerability scanning. (#210)
- CVE Database Update: Refreshed CVE database with the latest entries to maintain up-to-date security checks. (#211)
Dependency Updates 📦
- sigstore/cosign-installer: Bumped `cosign-installer` from `v3.5.0` to `v3.6.0` for enhanced functionality. (#200)
- actions/upload-artifact: Updated to `v4.4.0` for improved artifact handling in GitHub Actions. (#201)
- ossf/scorecard-action: Upgraded to `v2.4.0` for the latest enhancements in scorecard assessments. (#202)
- Go 1.23 Update: Updated to Go `v1.23` as part of general dependency and compatibility improvements. (#220)
- actions/checkout: Increased to `v4.2.0` for streamlined workflows. (#217)
- step-security/harden-runner: Upgraded to `v2.10.1` to strengthen security in CI workflows. (#216)
- github/codeql-action: Updated to `v3.26.10` for more effective code scanning capabilities. (#215)
Full Changelog 📜
For a detailed diff of all changes, see the full changelog.
v0.15.1
Changelog for poutine
v0.15.1 🚀
Improvements 🔧
- GitHub Actions Parsing: Adjusted how GitHub Actions are parsed for improved accuracy and functionality. (#192)
- Repo Metadata: Enhanced repository metadata handling for better data management and insights. (#193)
- Pipelines As Code Documentation: Added documentation for Pipelines As Code to help developers integrate and understand the new feature. (#188)
Bug Fixes 🐛
- Fix Analyze Org Data Race: Resolved a data race issue in the organization data analysis feature to improve stability. (#198)
- GitHub Client URL Handling: Fixed an issue where the GitHub client did not respect the `--scm-base-url` flag. (#189)
- URL Resolution with Base URL: Resolved an issue where URL finding did not correctly use the `--scm-base-url`. (#196)
Full Changelog 📜
For a detailed diff of everything new and updated, see the full changelog.
v0.15.0
Changelog for poutine
v0.15.0 🚀
New Features 🌟
- Tekton (Pipeline as Code): Added support for Tekton pipelines (Pipeline as Code). (#174)
Improvements 🔧
- SARIF Report Version: Added actual version in SARIF report for better accuracy and tracking. (#173)
Dependency Updates ⬆️
- Upload Artifact Action: Bumped `actions/upload-artifact` from 4.3.3 to 4.3.4 for enhanced artifact handling. (#183)
- Dependency Review Action: Updated `actions/dependency-review-action` from 4.3.3 to 4.3.4 for improved dependency analysis. (#182)
- CodeQL Action: Bumped `github/codeql-action` from 3.25.11 to 3.25.15 for better code analysis. (#181)
- Setup Go Action: Updated `actions/setup-go` from 5.0.1 to 5.0.2 for better Go environment setup. (#180)
- GitLab Client: Bumped `github.com/xanzy/go-gitlab` from 0.106.0 to 0.107.0 for improved GitLab API interactions. (#179)
- SARIF Library: Updated `github.com/owenrumney/go-sarif/v2` from 2.3.1 to 2.3.3 for enhanced SARIF report handling. (#178)
- Progress Bar: Bumped `github.com/schollz/progressbar/v3` from 3.14.4 to 3.14.5 to improve progress tracking. (#177)
- Open Policy Agent: Updated `github.com/open-policy-agent/opa` from 0.66.0 to 0.67.0 for better policy management. (#176)
- Viper: Bumped `github.com/spf13/viper` from 1.18.2 to 1.19.0 for improved configuration management. (#175)
Full Changelog 📜
For a detailed diff of everything new and updated, see the full changelog.
v0.14.0
Changelog for poutine
v0.14.0 🚀
Also 😁
- Updated GitHub Action to run latest version of poutine (https://github.com/marketplace/actions/poutine-github-actions-sast)
New Features 🌟
- Azure DevOps Pipeline Support: Added full support for Azure DevOps Pipelines, including ADO Debug mode and "pwn request" detection, expanding the compatibility of `poutine` with various CI/CD platforms. (#160, #168, #169, #170)
Improvements 🔧
- CVE Detection Enhancement: Improved GitHub Enterprise / Self-hosted GitLab CVE detection, including updates to the Build Platform CVE Database. (#140, #166)
- Rules Configuration: Introduced rules configuration for `pr_runs_on_self_hosted`, providing more control over pull request executions on self-hosted runners. (#159)
- Dagger Module: Introduced a new Dagger module for improved build and deployment workflows. (#154)
- Version Handling: Readded version flags for GoReleaser to enhance the release process. (#153)
- Analyze Command: Updated the analyze command to set PURL version with the provided reference for more accurate analysis. (#152)
- Simplified Repo Parsing: Simplified the process of parsing repository files to improve efficiency and reliability. (#167)
Dependency Updates ⬆️
- Open Policy Agent: Bumped `github.com/open-policy-agent/opa` from 0.65.0 to 0.66.0 for improved policy management. (#150)
- OAuth2: Updated `golang.org/x/oauth2` from 0.20.0 to 0.21.0 for better authentication support. (#149)
- Progress Bar: Bumped `github.com/schollz/progressbar/v3` from 3.14.3 to 3.14.4 to enhance progress tracking. (#147)
- Dependency Review Action: Updated `actions/dependency-review-action` from 4.3.2 to 4.3.3 for enhanced dependency analysis. (#145)
- Harden Runner: Bumped `step-security/harden-runner` from 2.7.1 to 2.8.1 for improved security during GitHub Actions. (#144)
- Checkout Action: Updated `actions/checkout` from 4.1.4 to 4.1.7 for better repository access in workflows. (#142)
- CodeQL Action: Bumped `github/codeql-action` from 3.25.7 to 3.25.11 for enhanced code analysis. (#141)
- GitLab Client: Updated `github.com/xanzy/go-gitlab` from 0.105.0 to 0.106.0 for improved GitLab API interactions. (#148)
Release Process Changes 🔧
- Dockerfile Addition: Added a Dockerfile and upgraded the Git image to streamline the containerization process. (#139)
- MAINTAINERS.md Update: Removed `@becojo` from the MAINTAINERS.md file. (#162) 😢 😭 👋
Contributions 🤝
- Thanks to all contributors for continuing to improve `poutine`, ensuring it remains a robust tool for securing CI pipelines.
Full Changelog 📜
For a detailed diff of everything new and updated, see the full changelog.
v0.13.0
Changelog for poutine
v0.13.0 🚀
Fixes 🛠️
- Fixes a crash when running without a config file. (#138)
Full Changelog 📜
For a detailed diff of everything new and updated, see the full changelog.
v0.12.0
Changelog for poutine
v0.12.0 🚀
New Features 🌟
- Quiet Mode: Added a new `--quiet` option to minimize output verbosity during scans, helping streamline outputs for automated processes. (#134)
- Security Rule: Introduced the `unverified_script_exec` rule to detect potentially unsafe script executions in CI environments. (#129)
Improvements 🔧
- Custom References: Enhanced the `analyze_repo` command to accept custom references, enabling more precise analysis across different repo states. (#131)
- Homebrew Integration: Updated documentation to refer to the new Homebrew core formula, simplifying installation processes. (#124)
- Open Policy Agent (OPA): Exposed new JSON marshalling options in OPA, enhancing flexibility in policy definitions. (#133)
Fixes 🛠️
- Dependency Handling: Improved error avoidance by preventing a second Rego compilation during JSON format operations. (#132)
Dependency Updates ⬆️
- Retryable HTTP: Bumped `github.com/hashicorp/go-retryablehttp` to leverage enhancements in retry logic and error handling. (#135)
Release process changes 🔧
Contributions 🤝
- Thanks to all contributors for continuing to improve `poutine`, ensuring it remains a robust tool for securing CI pipelines.
Full Changelog 📜
For a detailed diff of everything new and updated, see the full changelog.
v0.11.0
Changelog for poutine
v0.11.0 🚀
New Features 🌟
- GitHub Actions Security: Added detection for the usage of GitHub Actions debug variables. (#88)
- Vulnerability Scanning: Introduced provider-level vulnerability scanning, as a draft version of GitLab on-premise / GitHub Enterprise CVE checks. (#90)
- GitHub Pages Documentation: Launched Hugo geekdoc theme and added rendering and deployment for GitHub Pages documentation. Documentation can be found at https://boostsecurityio.github.io/poutine/ (#91, #92)
Improvements 🔧
- Enhanced the `--scm-base-url` option to be more robust and more lenient towards different formats. (#95)
- Updated GitHub Action workflow configurations for improved path handling. (#96)
- Improved documentation links to point to GitHub Pages and updated README. (#97, #103)
- Enhanced enumeration in `GetOrgRepos` for more accurate GitHub organization repository listings. (#118)
Fixes 🛠️
- Improved version range detection in CVE database. (#116)
- Fixed issues with the `debug_enabled` flag on steps and improved error handling. (#117)
- Various improvements to Git error handling, including trimming whitespace and redacting tokens in errors. (#120, #121)
Dependency Updates ⬆️
- Multiple dependencies have been updated to their latest versions, improving security and stability:
- Actions and GitHub Integrations: Updated `actions/create-github-app-token`, `actions/setup-go`, `goreleaser/goreleaser-action`, `github/codeql-action`, and more. (PRs #104 to #108)
- Go Libraries: Updated `github.com/rs/zerolog`, `github.com/package-url/packageurl-go`, `github.com/hashicorp/go-version`, `github.com/schollz/progressbar/v3`, `github.com/open-policy-agent/opa`, and others. (PRs #109 to #113, #111)
Contributions 🤝
Full Changelog 📜
For a detailed diff, see the full changelog.
v0.10.1
v0.10.0
Warning: this version has breaking changes in the CLI arguments.
New features
- `version` command (commit)
- Allow for configuration of OPA rules (#60)
- Add CLI flag for configuration file (#61)
- Add support for new `attestations` permissions (#62)
- BREAKING CHANGE: Switch to Cobra / Viper for CLI parsing (#65) -- See notes
- Allow loading optional Rego rules (#66)
- Support untrusted code checkout exec with `workflow_run` (#68)
- Add option to filter forks (`--ignore-forks`) (#73)
Bug fixes
- Fixed handling of `environment` names in GitHub Actions workflows (#56)
- Add debug logs on workflow parsing errors (#59)
- Fix verbose logging (#67)
- Hard fail when no repo is returned, which handles cases where you make a typo in the org name (#79, #80)
Chores
- Updated various GitHub Actions and other dependencies
- Avoid using caches with `setup-go`
Changelog
- 9ae3527 Add Filter Out Forks For Analyze Org (#73)
- c1a275a Add Version Command
- 7ea7e88 Bump actions/checkout from 4.1.1 to 4.1.4 (#42)
- dae4c74 Bump actions/dependency-review-action from 2.5.1 to 4.3.2 (#43)
- a5446f0 Bump actions/upload-artifact from 3.1.3 to 4.3.3 (#46)
- eeacf8c Bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.1 (#48)
- 8d2db62 Bump github/codeql-action from 2.24.10 to 3.25.3 (#45)
- 28464c0 Bump step-security/harden-runner from 2.7.0 to 2.7.1 (#44)
- e096b80 Error out when we encounter an organization with no repos present. That could indicate improper auth or a typo in the org name. Added skipping of printing the results if no findings are present (#79)
- 1db7a09 Opa config (#60)
- 05f27f2 Update release.yml (#72)
- a7fa79b [Breaking Changes] Switch to Use Cobra/Viper for CLI and Config Handling (#64)
- cb6ce21 add cli flag for config file path (#61)
- 41dc64c add debug logs on workflow parsing errors (#59)
- e0d6048 add github actions attestations scope to write-all (#62)
- 3b4b230 adding ignore-forks flag example and config file (#77)
- 140abab fix: ensure CLI args don't equal to legacyFlag (#66)
- 28572a4 fix: github actions handle string environment name (#56)
- 3b7e231 fix: verbose log level (#67)
- 49a9cf9 load additional Rego files (#65)
- 1e23b68 only the pretty formatter should skip outputing (#80)
- 279c380 untrusted_checkout_exec: consider workflow_run triggered from PRs (#68)
- fc37055 use viper.SetConfigName (#69)