poutine: Find Supply Chain Vulnerabilities Fast
Created by BoostSecurity.io, poutine is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. It supports parsing CI workflows from GitHub Actions and GitLab CI/CD. When given an access token with read-level access, poutine can analyze all the repositories of an organization to quickly gain insights into the security posture of the organization's software supply chain.
How does it work?
You first need to install the CLI locally or configure it as part of your CI/CD pipeline. Then you will need an authentication token, which we recommend you scope down using fine-grained personal access tokens (PATs) to the minimum set of permissions required (i.e. read-only access to repository contents) and the minimum visibility (i.e. public and/or private repositories). You can target a single Git repository (remote or local) or an entire GitHub (or GitLab) organization, and the tool will fetch the list of repositories and scan them in parallel.
The tool was designed to perform a shallow and sparse Git checkout of only the relevant files (namely YAML) which means it is amazingly efficient, even on large Git repositories, and thus can typically churn through organizations containing hundreds of large repositories in a handful of minutes.
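To make concrete what "misconfigurations in the build pipelines" means for a GitHub Actions workflow, here is an added example of the kind of check a pipeline scanner performs. It is illustrative code written for this page, not poutine's own rules or source, and the workflow it scans is a constructed sample (the commit SHA in it is made up). It flags two widely documented risky patterns: a third-party action referenced by a mutable tag or branch instead of a full commit SHA, and a workflow triggered by `pull_request_target` that checks out the pull request head (untrusted code running with the base repository's secrets).

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not taken from any real repository).
# It contains both patterns the scanner below looks for.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65
      - run: npm ci && npm test
"""


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow file
    rule: str      # short rule identifier (hypothetical names chosen here)
    detail: str    # the offending reference or line


# "- uses: owner/repo@ref" (the leading dash is optional for multi-line steps)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A fully pinned action reference is a 40-character hex commit SHA.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Expressions that resolve to the pull request's own (untrusted) code.
PR_HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def strip_comment(line: str) -> str:
    """Drop a trailing YAML comment so commented-out text is not scanned."""
    return line.split("#", 1)[0]


def scan_workflow(text: str) -> list[Finding]:
    """Return findings for unpinned actions and pull_request_target head checkouts."""
    findings: list[Finding] = []
    lines = [strip_comment(line) for line in text.splitlines()]

    # The trigger can be written as "on: pull_request_target", a list item,
    # or a mapping key, so a word match over the whole file is used here.
    uses_pr_target = any(re.search(r"\bpull_request_target\b", line) for line in lines)

    for number, line in enumerate(lines, 1):
        match = USES_RE.match(line)
        if match:
            ref = match.group(1)
            # Local actions ("./path") carry no "@"; they live in the repo
            # being scanned and are not a remote-pinning concern.
            if "@" in ref:
                _, version = ref.rsplit("@", 1)
                if not FULL_SHA_RE.match(version):
                    findings.append(Finding(number, "unpinned-action", ref))
        if uses_pr_target and PR_HEAD_REF_RE.search(line):
            findings.append(Finding(number, "pr-target-checks-out-head", line.strip()))
    return findings


if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {finding.line}: {finding.rule}: {finding.detail}")
```

Running it on the sample reports `actions/checkout@v4` as an unpinned reference (the `setup-node` step, pinned to a full SHA, is not reported) and the `ref: ${{ github.event.pull_request.head.sha }}` line as a pull-request-head checkout under `pull_request_target`. A line-oriented regex scan is deliberately simple; a production scanner parses the YAML properly so that, for example, the trigger is only recognised under the `on:` key.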
Install & Use
Copyright © 2024 boostsecurityio