From 868dda737975ad51cc125348c1921894623fc107 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Tue, 29 Oct 2024 16:36:42 +0100
Subject: [PATCH 01/14] wip packaging poutine
---
scanners/boostsecurityio/poutine/module.yaml | 20 +++++++++++++
scanners/boostsecurityio/poutine/rules.yaml | 30 ++++++++++++++++++++
2 files changed, 50 insertions(+)
create mode 100644 scanners/boostsecurityio/poutine/module.yaml
create mode 100644 scanners/boostsecurityio/poutine/rules.yaml
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml
new file mode 100644
index 00000000..cc139fcc
--- /dev/null
+++ b/scanners/boostsecurityio/poutine/module.yaml
@@ -0,0 +1,20 @@
+api_version: 1.0
+
+id: boostsecurityio/poutine
+name: BoostSecurity Poutine
+namespace: boostsecurityio/Poutine
+scan_types:
+ - sast
+
+config:
+ support_diff_scan: true
+ require_full_repo: true
+
+steps:
+ - scan:
+ command:
+ docker:
+ image: ghcr.io/boostsecurityio/poutine:0.15.2@sha256:f706446664a1988c6d33c70b00100442eb3c28eed694a450a50c641b5659c2d8
+ command: analyze_local . --format sarif
+ workdir: /src
+ format: sarif
diff --git a/scanners/boostsecurityio/poutine/rules.yaml b/scanners/boostsecurityio/poutine/rules.yaml
new file mode 100644
index 00000000..fcb4c1ca
--- /dev/null
+++ b/scanners/boostsecurityio/poutine/rules.yaml
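Review bot: `api_version: 1.0` is an unquoted plain scalar, so a generic YAML loader hands the module loader the float `1.0` rather than the string `1.0`, and a future `1.10` would silently collapse to `1.1`; if the module loader accepts a string here, `api_version: "1.0"` is the safer spelling. On a smaller note, `namespace: boostsecurityio/Poutine` capitalises the tool name while `id: boostsecurityio/poutine` does not — confirm the mixed case is intended rather than a typo, since identifiers like these are often compared case-sensitively. The digest-pinned `image` reference in the `scan` step is the right way to pin the scanner container and should be kept as the series evolves.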
@@ -0,0 +1,30 @@
+rules:
+ injection:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ - supply-chain-cicd-severe-issues
+ description: The pipeline contains an injection into bash or JavaScript with an expression that can contain user input. Prefer placing the expression in an environment variable instead of interpolating it directly into a script.
+ name: injection
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: Serialized AI model with malicious behavior
+ ref: https://boostsecurityio.github.io/poutine/rules/injection/
+ recommended: true
+ untrusted_checkout_exec:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ - supply-chain-cicd-severe-issues
+ description: The workflow appears to checkout untrusted code from a fork and uses a command that is known to allow code execution.
+ name: untrusted_checkout_exec
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: Arbitrary Code Execution from Untrusted Code Changes
+ ref: https://boostsecurityio.github.io/poutine/rules/untrusted_checkout_exec/
+ recommended: true
+
From d086f8f26c2d8fb94dfbf09ae90002de42f98f8a Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Wed, 13 Nov 2024 12:35:47 +0100
Subject: [PATCH 02/14] wip packaging poutine
---
scanners/boostsecurityio/poutine/module.yaml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml
index cc139fcc..15698ced 100644
--- a/scanners/boostsecurityio/poutine/module.yaml
+++ b/scanners/boostsecurityio/poutine/module.yaml
@@ -14,7 +14,8 @@ steps:
- scan:
command:
docker:
- image: ghcr.io/boostsecurityio/poutine:0.15.2@sha256:f706446664a1988c6d33c70b00100442eb3c28eed694a450a50c641b5659c2d8
- command: analyze_local . --format sarif
+ image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:f76592a@sha256:77ae9b7a923dced2741ba9bb19f143bc20986454bfa30dece39ef723c5f98bf5
+ command: |
+ -c 'git config --global --add safe.directory /src'
workdir: /src
format: sarif
From 6e422048eaa998338eb0d0f5a1dbc5d5d7b852d2 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Wed, 30 Apr 2025 10:55:12 -0400
Subject: [PATCH 03/14] latest image
---
scanners/boostsecurityio/poutine/module.yaml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml
index 15698ced..c96a36dd 100644
--- a/scanners/boostsecurityio/poutine/module.yaml
+++ b/scanners/boostsecurityio/poutine/module.yaml
@@ -14,8 +14,6 @@ steps:
- scan:
command:
docker:
- image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:f76592a@sha256:77ae9b7a923dced2741ba9bb19f143bc20986454bfa30dece39ef723c5f98bf5
- command: |
- -c 'git config --global --add safe.directory /src'
+ image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7
workdir: /src
format: sarif
From 1e8cf4e046a6d9858872f89e0669ebf3e8538b66 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Wed, 30 Apr 2025 11:05:03 -0400
Subject: [PATCH 04/14] proper sha not cut
---
scanners/boostsecurityio/poutine/module.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml
index c96a36dd..958c96bd 100644
--- a/scanners/boostsecurityio/poutine/module.yaml
+++ b/scanners/boostsecurityio/poutine/module.yaml
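Review bot: The new `command` block only runs `git config --global --add safe.directory /src` and no longer invokes the analyzer, so the `scan` step produces no output for the `format: sarif` declared right below it. The `-c` prefix suggests the new image's entrypoint is a shell (not visible here); if so, chain the analysis after the git configuration, e.g. `-c 'git config --global --add safe.directory /src && analyze_local . --format sarif'`, using whatever binary name that entrypoint resolves for the removed `analyze_local . --format sarif` invocation. Scoping `safe.directory` to `/src` rather than a wildcard is the right call and worth keeping. The enclosing `steps` mapping begins outside this hunk.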
@@ -14,6 +14,6 @@ steps:
- scan:
command:
docker:
- image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7
+ image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9
workdir: /src
format: sarif
From 4e492482e447e80419d76968996891ad726379f2 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Wed, 30 Apr 2025 11:07:37 -0400
Subject: [PATCH 05/14] command
---
scanners/boostsecurityio/poutine/module.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml
index 958c96bd..8e2e4a1a 100644
--- a/scanners/boostsecurityio/poutine/module.yaml
+++ b/scanners/boostsecurityio/poutine/module.yaml
@@ -15,5 +15,7 @@ steps:
command:
docker:
image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9
+ command: |
+ -c "git config --global --add safe.directory '*'"
workdir: /src
format: sarif
From f38797c6016245aebda59d1d502c0e04fba1fc80 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Wed, 30 Apr 2025 11:11:13 -0400
Subject: [PATCH 06/14] command
---
scanners/boostsecurityio/poutine/module.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml
index 8e2e4a1a..ce87274f 100644
--- a/scanners/boostsecurityio/poutine/module.yaml
+++ b/scanners/boostsecurityio/poutine/module.yaml
@@ -15,7 +15,6 @@ steps:
command:
docker:
image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9
- command: |
- -c "git config --global --add safe.directory '*'"
+ command: analyze_local . --format sarif
workdir: /src
format: sarif
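Review bot: `git config --global --add safe.directory '*'` in the PATCH 05 hunk disables git's repository-ownership check for every path, not just the mounted `/src`; the earlier form in this series scoped it to `/src`, and that scoping should be kept — `-c "git config --global --add safe.directory /src"` — since the container only needs to read that one checkout. As with the earlier `-c` variant, the block still does not run the analyzer, so the step ends after the git configuration unless something outside this hunk appends the scan invocation. The enclosing `steps` mapping begins outside this hunk.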
From 6846cf01a3974586ca8afff0cc817b644b5491e7 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Wed, 30 Apr 2025 11:11:51 -0400
Subject: [PATCH 07/14] command
---
scanners/boostsecurityio/poutine/module.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml
index ce87274f..0461dd5c 100644
--- a/scanners/boostsecurityio/poutine/module.yaml
+++ b/scanners/boostsecurityio/poutine/module.yaml
@@ -15,6 +15,6 @@ steps:
command:
docker:
image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9
- command: analyze_local . --format sarif
+ command: poutine analyze_local . --format sarif
workdir: /src
format: sarif
From cfd7fc8b3a6d06ec4b484f44be79728b900587e4 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Wed, 30 Apr 2025 11:14:32 -0400
Subject: [PATCH 08/14] command
---
scanners/boostsecurityio/poutine/module.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml
index 0461dd5c..11234f57 100644
--- a/scanners/boostsecurityio/poutine/module.yaml
+++ b/scanners/boostsecurityio/poutine/module.yaml
@@ -15,6 +15,6 @@ steps:
command:
docker:
image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9
- command: poutine analyze_local . --format sarif
+ command: 'poutine analyze_local . --format sarif'
workdir: /src
format: sarif
From 28424915f9d1b48bb03b98ad0b04a191d8bce898 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Wed, 30 Apr 2025 11:18:45 -0400
Subject: [PATCH 09/14] command
---
scanners/boostsecurityio/poutine/module.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml
index 11234f57..76508541 100644
--- a/scanners/boostsecurityio/poutine/module.yaml
+++ b/scanners/boostsecurityio/poutine/module.yaml
@@ -15,6 +15,7 @@ steps:
command:
docker:
image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9
- command: 'poutine analyze_local . --format sarif'
+ command: |
+ -c "poutine analyze_local . --format sarif"
workdir: /src
format: sarif
From f2c11285e22a311a4fd8592c8f5593857dcb0c2e Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Wed, 22 Oct 2025 12:35:04 -0500
Subject: [PATCH 10/14] use poutine binary directly
---
scanners/boostsecurityio/poutine/module.yaml | 49 ++++++++++++++++++--
1 file changed, 44 insertions(+), 5 deletions(-)
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml
index 76508541..4465b7ec 100644
--- a/scanners/boostsecurityio/poutine/module.yaml
+++ b/scanners/boostsecurityio/poutine/module.yaml
@@ -10,12 +10,51 @@ config:
support_diff_scan: true
require_full_repo: true

+setup:
+- name: download poutine
+ environment:
+ VERSION: 1.0.1
+ LINUX_X86_64_SHA: b140051649515a75a83ec81b7f6569b6f109d732c2d45499058f52a7e23a2923
+ LINUX_ARM64_SHA: 285a5141e99f9d03cf011c2bb210eb1dc7bfdf19e0687fdf1fc0cb73e9844f3d
+ MACOS_X86_64_SHA: 0ec25f5bca92d603bf38196fca90646016a226aefda03e8a9fa401d4167fa1f8
+ MACOS_ARM64_SHA: c8d283ebcaaf846a677c5b2f159294b08d74cfe7750936135a8a56586adbb06a
+ run: |
+ BINARY_URL="https://github.com/boostsecurityio/poutine/releases/download/v${VERSION}"
+ ARCH=$(uname -m)
+
+ case "$(uname -sm)" in
+ "Linux x86_64")
+ BINARY_URL="${BINARY_URL}/poutine_Linux_x86_64.tar.gz"
+ SHA="${LINUX_X86_64_SHA} poutine.tgz"
+ ;;
+ "Linux aarch64")
+ BINARY_URL="${BINARY_URL}/poutine_Linux_arm64.tar.gz"
+ SHA="${LINUX_ARM64_SHA} poutine.tgz"
+ ;;
+ "Darwin x86_64")
+ BINARY_URL="${BINARY_URL}/poutine_Darwin_x86_64.tar.gz"
+ SHA="${MACOS_X86_64_SHA} poutine.tgz"
+ ;;
+ "Darwin arm64")
+ BINARY_URL="${BINARY_URL}/poutine_Darwin_arm64.tar.gz"
+ SHA="${MACOS_ARM64_SHA} poutine.tgz"
+ ;;
+ *)
+ echo "Unsupported machine: ${OPTARG}"
+ exit 1
+ ;;
+ esac
+
+ curl -o poutine.tgz -fsSL "${BINARY_URL}"
+ echo "${SHA}" | sha256sum --check
+
+ tar --no-same-owner -zxf poutine.tgz poutine
+ rm poutine.tgz
+ chmod +x poutine
+
steps:
- scan:
command:
- docker:
- image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9
- command: |
- -c "poutine analyze_local . --format sarif"
- workdir: /src
+ run: |
+ $SETUP_PATH/poutine analyze_local . --format sarif
format: sarif
From 6bc23fa804efc86d61e1966fe4171633175f1c19 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Mon, 27 Oct 2025 15:24:24 -0400
Subject: [PATCH 11/14] latest
---
scanners/boostsecurityio/poutine/module.yaml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
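Review bot: The checksum check `echo "${SHA}" | sha256sum --check` is not enforced — nothing in the `run` block sets `-e`, so unless the setup runner itself aborts on a non-zero status (not visible here) a digest mismatch prints FAILED and the script still unpacks, `chmod`s and ships the unverified binary. Start the block with `set -euo pipefail` so a failed verification (or a failed `curl`) stops the setup step before `tar` runs. Two smaller defects in the same hunk: the fallback branch prints `${OPTARG}`, a getopts variable never set here, so the "Unsupported machine" message is empty — use `$(uname -sm)` — and `ARCH=$(uname -m)` is assigned but never read. On the two Darwin branches `sha256sum` is normally absent from a stock macOS, which ships `shasum` instead, so those branches would fail before verifying anything unless the runner image provides coreutils — worth confirming, or falling back to `shasum -a 256 --check`. The `VERSION` and four `*_SHA` values are unquoted plain scalars; quoting them (`VERSION: "1.0.1"`) prevents YAML from retyping a future digest that happens to be all digits or digits around a single `e`.
```yaml
  run: |
    set -euo pipefail
    BINARY_URL="https://github.com/boostsecurityio/poutine/releases/download/v${VERSION}"
    # … unchanged: case "$(uname -sm)" in / Linux and Darwin branches …
      *)
        echo "Unsupported machine: $(uname -sm)"
        exit 1
        ;;
    esac

    curl -o poutine.tgz -fsSL "${BINARY_URL}"
    # with -e/pipefail a digest mismatch aborts here; the archive is never unpacked
    echo "${SHA}" | sha256sum --check
    # … unchanged: tar / rm / chmod …
```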
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml
index 4465b7ec..668eaaac 100644
--- a/scanners/boostsecurityio/poutine/module.yaml
+++ b/scanners/boostsecurityio/poutine/module.yaml
@@ -13,11 +13,11 @@ config:
setup:
- name: download poutine
environment:
- VERSION: 1.0.1
- LINUX_X86_64_SHA: b140051649515a75a83ec81b7f6569b6f109d732c2d45499058f52a7e23a2923
- LINUX_ARM64_SHA: 285a5141e99f9d03cf011c2bb210eb1dc7bfdf19e0687fdf1fc0cb73e9844f3d
- MACOS_X86_64_SHA: 0ec25f5bca92d603bf38196fca90646016a226aefda03e8a9fa401d4167fa1f8
- MACOS_ARM64_SHA: c8d283ebcaaf846a677c5b2f159294b08d74cfe7750936135a8a56586adbb06a
+ VERSION: 1.0.2
+ LINUX_X86_64_SHA: f22beeaaecb1ed4ee5a9f8cc0f3fac81c04e7be514024d9519ddc833064b6663
+ LINUX_ARM64_SHA: 31dbd4e75cdeae637e604c90cca407c524e0d406c237d81656ad0696ee70188a
+ MACOS_X86_64_SHA: 2e16f9e262e941089a372f29e3fc93b90fa787f760dee11b3f7decd0f2e997a8
+ MACOS_ARM64_SHA: 7b4d2079660ce74a7e439421b481cd906f40c873b5b1b00594f709ced597ed50
run: |
BINARY_URL="https://github.com/boostsecurityio/poutine/releases/download/v${VERSION}"
ARCH=$(uname -m)
From 979bba8727e20cba77d124c90168d6c743e6bce1 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Mon, 27 Oct 2025 16:16:25 -0400
Subject: [PATCH 12/14] add CWEs
---
scanners/boostsecurityio/poutine/rules.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scanners/boostsecurityio/poutine/rules.yaml b/scanners/boostsecurityio/poutine/rules.yaml
index fcb4c1ca..9d897458 100644
--- a/scanners/boostsecurityio/poutine/rules.yaml
+++ b/scanners/boostsecurityio/poutine/rules.yaml
@@ -1,3 +1,5 @@
+import:
+- boostsecurityio/mitre-cwe
rules:
injection:
categories:
From 0673fd75cfd7b8dd079397810fb3e583f4909f11 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Mon, 27 Oct 2025 16:24:41 -0400
Subject: [PATCH 13/14] wrong pretty name
---
scanners/boostsecurityio/poutine/rules.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
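Review bot: The PATCH 12 commit is titled "add CWEs" but its hunk only adds `import:` / `- boostsecurityio/mitre-cwe`; no rule gains a `cwe-*` category in this commit, so the import is unused until the category lines land later. Either fold the `cwe-*` category lines into this commit or retitle it (for example `import mitre-cwe`) so the history matches the content. The `rules:` mapping that follows is context only and continues outside the hunk.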
diff --git a/scanners/boostsecurityio/poutine/rules.yaml b/scanners/boostsecurityio/poutine/rules.yaml
index 9d897458..531e3a2b 100644
--- a/scanners/boostsecurityio/poutine/rules.yaml
+++ b/scanners/boostsecurityio/poutine/rules.yaml
@@ -12,7 +12,7 @@ rules:
description: The pipeline contains an injection into bash or JavaScript with an expression that can contain user input. Prefer placing the expression in an environment variable instead of interpolating it directly into a script.
name: injection
group: supply-chain-cicd-vulnerable-pipeline
- pretty_name: Serialized AI model with malicious behavior
+ pretty_name: Injection with Arbitrary External Contributor Input
ref: https://boostsecurityio.github.io/poutine/rules/injection/
recommended: true
untrusted_checkout_exec:
From 10d5e782541cbb550cfafd015fa3ff4c6a6b75f9 Mon Sep 17 00:00:00 2001
From: Alexis-Maurer Fortin
Date: Mon, 27 Oct 2025 18:07:39 -0400
Subject: [PATCH 14/14] all poutine rules
---
scanners/boostsecurityio/poutine/rules.yaml | 155 +++++++++++++++++++-
1 file changed, 154 insertions(+), 1 deletion(-)
diff --git a/scanners/boostsecurityio/poutine/rules.yaml b/scanners/boostsecurityio/poutine/rules.yaml
index 531e3a2b..9ba866d3 100644
--- a/scanners/boostsecurityio/poutine/rules.yaml
+++ b/scanners/boostsecurityio/poutine/rules.yaml
@@ -1,11 +1,14 @@
import:
-- boostsecurityio/mitre-cwe
+ - boostsecurityio/mitre-cwe
+ - boostsecurityio/sbom-sca
rules:
injection:
categories:
- ALL
- boost-baseline
- boost-hardened
+ - cwe-77
+ - cwe-94
- supply-chain
- supply-chain-cicd-vulnerable-pipeline
- supply-chain-cicd-severe-issues
@@ -20,6 +23,7 @@ rules:
- ALL
- boost-baseline
- boost-hardened
+ - cwe-829
- supply-chain
- supply-chain-cicd-vulnerable-pipeline
- supply-chain-cicd-severe-issues
@@ -29,4 +33,153 @@ rules:
pretty_name: Arbitrary Code Execution from Untrusted Code Changes
ref: https://boostsecurityio.github.io/poutine/rules/untrusted_checkout_exec/
recommended: true
+ debug_enabled:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - cwe-532
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ description: The workflow is configured to increase the verbosity of the runner. This can potentially expose sensitive information.
+ name: debug_enabled
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: CI Runner Debug Enabled
+ ref: https://boostsecurityio.github.io/poutine/rules/debug_enabled/
+ recommended: true
+ known_vulnerability_in_build_component:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ - vulnerable-and-outdated-components
+ description: The workflow or action depends on a GitHub Action with known vulnerabilities.
+ name: known_vulnerability_in_build_component
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: Build Component with a Known Vulnerability used
+ ref: https://boostsecurityio.github.io/poutine/rules/known_vulnerability_in_build_component/
+ recommended: true
+ confused_deputy_auto_merge:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - cwe-863
+ - cwe-441
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ description: Confused Deputy for GitHub Actions is a situation where a GitHub event attribute (ex. github.actor) is used to check the last interaction of a certain event. This allows an attacker abuse an event triggered by a Bot (ex. @dependabot recreate) and trigger as a side effect other privileged workflows, which may for instance automatically merge unapproved changes.
+ name: confused_deputy_auto_merge
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: Confused Deputy Auto-Merge
+ ref: https://boostsecurityio.github.io/poutine/rules/confused_deputy_auto_merge/
+ recommended: true
+ default_permissions_on_risky_events:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ description: The workflow and some of its jobs do not explicitly define permissions and the workflow triggers on events that are typically used to run builds from forks. Because no permissions is set, the workflow inherits the default permissions configured on the repository or the organization.
+ name: default_permissions_on_risky_events
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: Default permissions used on risky events
+ ref: https://boostsecurityio.github.io/poutine/rules/default_permissions_on_risky_events/
+ recommended: true
+ github_action_from_unverified_creator_used:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ description: Usage of the following GitHub Actions repositories was detected in workflows or composite actions, but their owner is not a verified creator.
+ name: github_action_from_unverified_creator_used
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: Github Action from Unverified Creator used
+ ref: https://boostsecurityio.github.io/poutine/rules/github_action_from_unverified_creator_used/
+ recommended: true
+ if_always_true:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ description: GitHub Actions expressions used in if condition of jobs or steps must not contain extra characters or spaces. Otherwise, the condition is always true.
+ name: if_always_true
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: If condition always evaluates to true
+ ref: https://boostsecurityio.github.io/poutine/rules/if_always_true/
+ recommended: true
+ job_all_secrets:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ description: The GitHub Actions Runner attempts to keep in memory only the secrets that are necessary to execute a workflow job. If a job converts the secrets object to JSON or accesses it using an expression, all secrets will be retained in memory for the duration of the job.
+ name: job_all_secrets
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: Workflow job exposes all secrets
+ ref: https://boostsecurityio.github.io/poutine/rules/job_all_secrets/
+ recommended: true
+ known_vulnerability_in_build_platform:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ - vulnerable-and-outdated-components
+ description: The build or SCM provider used has a known vulnerability.
+ name: known_vulnerability_in_build_platform
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: Build Platform with a Known Vulnerability used
+ ref: https://boostsecurityio.github.io/poutine/rules/known_vulnerability_in_build_platform/
+ recommended: true
+ pr_runs_on_self_hosted:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ description: This job runs on a self-hosted GitHub Actions runner in a workflow that is triggered by a pull request event.
+ name: pr_runs_on_self_hosted
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: Pull Request Runs on Self-Hosted GitHub Actions Runner
+ ref: https://boostsecurityio.github.io/poutine/rules/pr_runs_on_self_hosted/
+ recommended: true
+ unpinnable_action:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - cwe-494
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ description: Pinning this GitHub Action is likely ineffective as it depends on other mutable supply chain components.
+ name: unpinnable_action
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: Unpinnable CI component used
+ ref: https://boostsecurityio.github.io/poutine/rules/unpinnable_action/
+ recommended: true
+ unverified_script_exec:
+ categories:
+ - ALL
+ - boost-baseline
+ - boost-hardened
+ - supply-chain
+ - supply-chain-cicd-vulnerable-pipeline
+ description: The pipeline executes a script or binary fetched from a remote server without verifying its integrity.
+ name: unverified_script_exec
+ group: supply-chain-cicd-vulnerable-pipeline
+ pretty_name: Unverified Script Execution
+ ref: https://boostsecurityio.github.io/poutine/rules/unverified_script_exec/
+ recommended: true
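Review bot: `unverified_script_exec` carries no CWE category although `unpinnable_action`, a few lines above it in this hunk, tags the same weakness class with `- cwe-494` (download of code without an integrity check); add `- cwe-494` under its `categories` so it is selectable alongside the other CWE-tagged rules, assuming the imported `boostsecurityio/mitre-cwe` module defines that category as it evidently does for `unpinnable_action`. Two wording points on user-facing strings: the `confused_deputy_auto_merge` description reads `This allows an attacker abuse an event` and should read `This allows an attacker to abuse an event`, and `pretty_name: Github Action from Unverified Creator used` spells the product `Github` while every other rule in this file writes `GitHub`. The `vulnerable-and-outdated-components` category used by the two `known_vulnerability_*` rules is presumably supplied by the new `boostsecurityio/sbom-sca` import from the first hunk — worth confirming, since an undefined category would be silently ignored or rejected depending on the loader. The enclosing `rules:` mapping begins outside this hunk.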