
boostsecurityio/poutine

Results 52 poutine issues

https://github.com/semgrep/semgrep-rules/blob/develop/yaml/github-actions/security/allowed-unsecure-commands.yaml https://github.com/semgrep/semgrep-rules/blob/develop/yaml/github-actions/security/curl-eval.yaml https://github.com/contributor-assistant/github-action/blob/master/.github/workflows/notify-about-new-pr-via-slack.yml#L17 https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run

Instead of using a local brew tap, we should push to the upstream Homebrew.

**Is your feature request related to a problem? Please describe.** When using `--scm-base-url` to specify a self-hosted platform, the fact it's called `url` makes me put a URL prefix, but...

enhancement
good first issue

**Describe the bug** I'm facing an "exit status 1" error with no way to understand what happens. I'm running your docker image in a Kali Linux Guest system running on...

When using analyze_local in a container, git commands may error if the repo is owned by a different user. This commonly happens when mounting a directory into the image ```...

**Describe the bug** I have read the [blog post](https://boostsecurity.io/blog/unveiling-poutine-an-open-source-build-pipelines-security-scanner), the README and tried some commands using the docker image. All three seem to disagree about the usage, I have found...

Support CycloneDX and SPDX. Looks like the SPDX Build Profile is quite ahead on this topic: https://docs.google.com/presentation/d/11V7Qg-iyqYRtV7TB6yW7M3MFPkWVVGFo3UxbpCuyecE/edit?resourcekey=0-vlH2T9qHFIvmrdrr6c0ZSQ#slide=id.g194bd5fd766_0_723 https://spdx.dev/learn/areas-of-interest/build/

The current injection sources regex (https://github.com/boostsecurityio/poutine/blob/fc3705554da4ac76409248629d6aadb24c7a2302/opa/rego/rules/injection.rego#L19) is missing various sources, some of which are in `messypoutine` (https://github.com/messypoutine/gravy-overflow/blob/main/.github/workflows/level1.yml#L46), such as `github.event.workflow_run.head_commit.message`. In fact, looking at the semgrep rule there are a few...