v0.14.0

Changelog for poutine v0.14.0 🚀

Also 😁

• Updated GitHub Action to run latest version of poutine (https://github.com/marketplace/actions/poutine-github-actions-sast)

New Features 🌟

• Azure DevOps Pipeline Support: Added full support for Azure DevOps Pipelines, including ADO Debug mode and "pwn request" detection, expanding the compatibility of poutine with various CI/CD platforms. (#160, #168, #169, #170)

Improvements 🔧

• CVE Detection Enhancement: Improved GitHub Enterprise / Self-hosted GitLab CVE detection, including updates to the Build Platform CVE Database. (#140, #166)
• Rules Configuration: Introduced rules configuration for pr_runs_on_self_hosted, providing more control over pull request executions on self-hosted runners. (#159)
• Dagger Module: Introduced a new Dagger module for improved build and deployment workflows. (#154)
• Version Handling: Readded version flags for GoReleaser to enhance the release process. (#153)
• Analyze Command: Updated the analyze command to set PURL version with the provided reference for more accurate analysis. (#152)
• Simplified Repo Parsing: Simplified the process of parsing repository files to improve efficiency and reliability. (#167)

Dependency Updates ⬆️

• Open Policy Agent: Bumped github.com/open-policy-agent/opa from 0.65.0 to 0.66.0 for improved policy management. (#150)
• OAuth2: Updated golang.org/x/oauth2 from 0.20.0 to 0.21.0 for better authentication support. (#149)
• Progress Bar: Bumped github.com/schollz/progressbar/v3 from 3.14.3 to 3.14.4 to enhance progress tracking. (#147)
• Dependency Review Action: Updated actions/dependency-review-action from 4.3.2 to 4.3.3 for enhanced dependency analysis. (#145)
• Harden Runner: Bumped step-security/harden-runner from 2.7.1 to 2.8.1 for improved security during GitHub Actions. (#144)
• Checkout Action: Updated actions/checkout from 4.1.4 to 4.1.7 for better repository access in workflows. (#142)
• CodeQL Action: Bumped github/codeql-action from 3.25.7 to 3.25.11 for enhanced code analysis. (#141)
• GitLab Client: Updated github.com/xanzy/go-gitlab from 0.105.0 to 0.106.0 for improved GitLab API interactions. (#148)

Release Process Changes 🔧

• Dockerfile Addition: Added a Dockerfile and upgraded the Git image to streamline the containerization process. (#139)
• MAINTAINERS.md Update: Removed @becojo from the MAINTAINERS.md file. (#162) 😢 😭 👋

Contributions 🤝

• Thanks to all contributors for continuing to improve poutine, ensuring it remains a robust tool for securing CI pipelines.

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.13.0

Changelog for poutine v0.13.0 🚀

Fixes 🛠️

• Fixes crash when running without config: (#138)

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.12.0

Changelog for poutine v0.12.0 🚀

New Features 🌟

• Quiet Mode: Added a new --quiet option to minimize output verbosity during scans, helping streamline outputs for automated processes. (#134)
• Security Rule: Introduced the unverified_script_exec rule to detect potentially unsafe script executions in CI environments. (#129)

Improvements 🔧

• Custom References: Enhanced the analyze_repo command to accept custom references, enabling more precise analysis across different repo states. (#131)
• Homebrew Integration: Updated documentation to refer to the new Homebrew core formula, simplifying installation processes. (#124)
• Open Policy Agent (OPA): Exposed new JSON marshalling options in OPA, enhancing flexibility in policy definitions. (#133)

Fixes 🛠️

• Dependency Handling: Improved error avoidance by preventing a second Rego compilation during JSON format operations. (#132)

Dependency Updates ⬆️

• Retryable HTTP: Bumped github.com/hashicorp/go-retryablehttp to leverage enhancements in retry logic and error handling. (#135)

Release process changes 🔧

• Release Process: Updated .goreleaser.yaml and removed reference to local tap. (#136), (#128)

Contributions 🤝

• Thanks to all contributors for continuing to improve poutine, ensuring it remains a robust tool for securing CI pipelines.

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.11.0

Changelog for poutine v0.11.0 🚀

New Features 🌟

• GitHub Actions Security: Added detection for the usage of GitHub Actions debug variables. (#88)
• Vulnerability Scanning: Introduced provider-level vulnerability scanning. A draft version of Gitlab on-premise / GitHub Enterprise CVE checks. (#90)
• GitHub Pages Documentation: Launched Hugo geekdoc theme and added rendering and deployment for GitHub Pages documentation. Documentation can be found at https://boostsecurityio.github.io/poutine/ (#91, #92)

Improvements 🔧

• Enhanced --scm-base-url option to be more robust, more lenient to different formats. (#95)
• Updated GitHub Action workflow configurations for improved path handling. (#96)
• Improved documentation links to point to GitHub Pages and updated README. (#97, #103)
• Enhanced enumeration in GetOrgRepos for more accurate GitHub organization repository listings. (#118)

Fixes 🛠️

• Improved version range detection in CVE database. (#116)
• Fixed issues with debug_enabled flag on steps and improved error handling. (#117)
• Various improvements to Git error handling, including trimming whitespace and redacting tokens in errors. (#120, #121)

Dependency Updates ⬆️

• Multiple dependencies have been updated to their latest versions, improving security and stability:
  • Actions and GitHub Integrations: Updated actions/create-github-app-token, actions/setup-go, goreleaser/goreleaser-action, github/codeql-action, and more. (PRs #104 to #108)
  • Go Libraries: Updated github.com/rs/zerolog, github.com/package-url/packageurl-go, github.com/hashicorp/go-version, github.com/schollz/progressbar/v3, github.com/open-policy-agent/opa, and others. (PRs #109 to #113, #111)

Contributions 🤝

• Welcome to new contributors @ledo01 and @rgmz for their first contributions! (#95, #103)

Full Changelog 📜

For a detailed diff, see the full changelog.

v0.10.1

Changelog

• ccbd195 Fix Gitlab Scanning and Fork Ignore (#84)
• 6f6f4e4 change var names to match buildflags set by goreleaser (#81)
• 8aff818 gitlab: fix parsing error on scalar includes (#86)

v0.10.0

Warning this feature has breaking changes in the CLI arguments.

New features

• version command (commit)
• Allow for configuration of OPA rules (#60)
• Add CLI flag for configuration file (#61)
• Add support for new attestations permissions (#62)
• BREAKING CHANGE : Switch to Cobra / Viper for CLI parsing (#65) -- See notes
• Allow loading optional Rego rules (#66)
• Support untrusted code checkout exec with workflow_run (#68)
• Add option to filter forks (--ignore-forks) (#73)

Bug fixes

• fixed handling of environment names in GitHub Actions workflows (#56)
• add debug logs on workflow parsing errors (#59)
• Fix verbose logging (#67)
• Hard fail with no repo returned - handles cases where you make a typo in org name (#79 , #80 )

Chores

• Updated various GitHub Actions and other dependencies
• Avoid using caches with setup-go

Changelog

• 9ae3527 Add Filter Out Forks For Analyze Org (#73)
• c1a275a Add Version Command
• 7ea7e88 Bump actions/checkout from 4.1.1 to 4.1.4 (#42)
• dae4c74 Bump actions/dependency-review-action from 2.5.1 to 4.3.2 (#43)
• a5446f0 Bump actions/upload-artifact from 3.1.3 to 4.3.3 (#46)
• eeacf8c Bump github.com/open-policy-agent/opa from 0.63.0 to 0.64.1 (#48)
• 8d2db62 Bump github/codeql-action from 2.24.10 to 3.25.3 (#45)
• 28464c0 Bump step-security/harden-runner from 2.7.0 to 2.7.1 (#44)
• e096b80 Error out when we encounter an organization with no repos present. That could indicate improper auth or a typo in the org name. Added skipping of printing the results if no findings are present (#79)
• 1db7a09 Opa config (#60)
• 05f27f2 Update release.yml (#72)
• a7fa79b [Breaking Changes] Switch to Use Cobra/Viper for CLI and Config Handling (#64)
• cb6ce21 add cli flag for config file path (#61)
• 41dc64c add debug logs on workflow parsing errors (#59)
• e0d6048 add github actions attestations scope to write-all (#62)
• 3b4b230 adding ignore-forks flag example and config file (#77)
• 140abab fix: ensure CLI args don't equal to legacyFlag (#66)
• 28572a4 fix: github actions handle string environment name (#56)
• 3b7e231 fix: verbose log level (#67)
• 49a9cf9 load additional Rego files (#65)
• 1e23b68 only the pretty formatter should skip outputing (#80)
• 279c380 untrusted_checkout_exec: consider workflow_run triggered from PRs (#68)
• fc37055 use viper.SetConfigName (#69)

v0.9.12

New features

• Add support for reusable workflows in Build inventory

Bug fixes

• poutine analyze_local cannot be used without internet access.

Pull requests

• 55f55d8 Fix Analyze Local Requires Internet (#37)
• bb23d51 add reusable workflows to the build inventory (#36)

Full Changelog: v0.9.12...v0.9.12

v0.9.11

Fixes

• Bug fix on self-hosted runner rule to include new macos14 runners

Changelog

• 7a3740b Add OSSF Scorecard + Best Practices badges (#33)
• efc8749 Improving OSSF Scorecard score - Part 1 (#32)
• 51c7839 Update README.md to include our own GitHub Action (#28)
• f7fed9f adjust self-hosted runner regex (#29)
• 9ece535 chore: add TestJobUsesSelfHostedRunner (#31)

v0.9.10

Changelog

• 9cd49ec adjust sarif for github (#27)

v0.9.9

Changelog

• d668525 Add GitHub Action and self-test (#14)
• dd8c68f Remove in-repo GitHub Action (#25)
• eb79bca Update action.yml (#24)
• 0a67b9c fix untrusted_checkout_exec line numbers (#26)