
README/help/blog post discrepancies

Open AppSecAmael opened this issue 1 year ago • 0 comments

Describe the bug

I have read the blog post, the README and tried some commands using the docker image. All three seem to disagree about the usage; I have found several ways that don't work, but I have not yet found how to make it work.

  1. Argument order: the project README file gives several example commands:
  • docker run -e GH_TOKEN ghcr.io/boostsecurityio/poutine:latest
  • poutine [command] [arguments] [options]
  • poutine analyze_org my-org/project --token "$GL_TOKEN" --scm gitlab --scm-base-uri https://gitlab.example.com

But when running the tool everything seems to be in a different order:

Usage:
  poutine [options] <command> [<args>]

Commands:
  analyze_org <org>
  analyze_repo <org>/<repo>
  analyze_local <path>

Options:
  -format string
    	Output format (pretty, json, sarif) (default "pretty")
  -scm string
    	SCM platform (github, gitlab) (default "github")
  -scm-base-url string
    	Base URI of the self-hosted SCM instance (optional)
  -threads int
    	Parallelization factor for scanning organizations (default 2)
  -token string
    	SCM access token (required for the commands analyze_org, analyze_repo) (env: GH_TOKEN)
  -verbose
    	Enable verbose logging

=> Options are now in first position.

  2. All option flags have a single dash in the help vs. a double dash in the README.

  3. The blog post also refers to an option to analyze all projects in a self-hosted Gitlab instance, but this option seems to be unavailable in the binary:

    Analyze all projects in a self-hosted Gitlab instance
    $ poutine -token "$GL_TOKEN" -scm gitlab -scm-base-uri https://example.com org/repo

  4. There's no source specifying what format the Gitlab token should have (I guess user:token?).

To Reproduce

Steps to reproduce the behavior:

  docker run -it ghcr.io/boostsecurityio/poutine:latest -token "$GL_TOKEN" -scm gitlab -scm-base-url gitlab.example.com

Expected behavior

A clear and concise description of how to use the tool, consistent across the help, README and other blog posts.

Desktop (please complete the following information):

  • OS: Kali Linux
  • Browser: whatever

AppSecAmael, May 13 '24 12:05