
Releases: boostsecurityio/poutine

v0.18.0

02 Jun 13:50
16c6972

Changelog for poutine v0.18.0 🎉

We're delighted to roll out poutine v0.18.0! This release adds a new rule and a set of smaller enhancements.

Major New Rule 🌟🌟

Improvements 🔧

  • CLI and Config File include Option: You can now specify an include option on the CLI and in the configuration file for finer control over which paths are scanned, introduced by @Talgarr. (#289)
  • 🏃 Support for Large Ubuntu and Windows Runners: Added capability to utilize larger GitHub-hosted runners for Ubuntu and Windows, enhancing CI flexibility, by @Talgarr. (#293)
  • ⚙️ GitHub Actions Strategy Matrix Parsing: Enhanced parsing capabilities for GitHub Actions strategy matrices, implemented by @SUSTAPLE117. This PR also includes various dependency updates. (#301)
  • 🛠️ Core Refactoring: Significant refactoring of internal components for improved maintainability and performance, by @Talgarr. (#291)
  • 🧩 Enhanced Extensibility: Exported additional fields to simplify the development of extensions and integrations with poutine, thanks to @Talgarr. (#292)
  • 📢 Clearer Git Ref Error Reporting: Implemented more specific error messages when a Git reference is unreachable, improving debuggability, by @SUSTAPLE117. (#302)
  • 📝 README Typo Correction: Fixed a typo in the README documentation (--scm-base-uri to --scm-base-url), thanks to @natcl. (#303)

Dependency Updates ⬆️

GitHub Actions

  • Updated actions/dependency-review-action from 4.5.0 to 4.6.0. (#294)
  • Updated sigstore/cosign-installer from 3.7.0 to 3.8.2. (#295)
  • Updated actions/upload-artifact from 4.6.0 to 4.6.2. (#296)
  • Updated actions/setup-go from 5.3.0 to 5.4.0. (#297)
  • Updated github/codeql-action from 3.28.13 to 3.28.16. (#298)

New Contributors 👋

  • Welcome @natcl, who made their first contribution by fixing a typo in our README (#303)! We appreciate your attention to detail!

Full Changelog 📜

For a detailed view of all changes, see the full changelog.

v0.17.0

18 Apr 19:20
3185069

Changelog for poutine v0.17.0 🎉🎂

Happy 1st Anniversary to poutine! We're thrilled to mark this milestone with a significant release packed with new capabilities and improvements.

New Features 🌟

  • 🚀 Groundbreaking Stale Branch Analysis: Introduced by @Talgarr, the newest full-time member of our Security Research team, this efficient stale-branch scanner uncovers potentially exploitable pull_request_target workflows lurking in forgotten branches, even when the default branch has been patched. Because pull_request_target runs the workflow file of the pull request's target branch with a privileged token, a fix on the default branch does nothing for a stale branch that still carries the vulnerable workflow and that anyone can open a pull request against. (#285)
  • Enhanced LOTP Analysis: Added support for many more Living Off The Pipeline (LOTP) tools, contributed by @Talgarr. (#286)

Improvements 🔧

  • Optimized Skip Rule Logic: Refined the logic for skipping rules during analysis for better performance and accuracy. (#287)
  • Linter Migration: Completed migration to a new linter setup as part of ongoing code quality efforts. (#284)

Dependency Updates ⬆️

GitHub Actions

  • Updated ossf/scorecard-action from v2.4.0 to v2.4.1. (#268)
  • Updated step-security/harden-runner from v2.10.4 to v2.11.0. (#270)
  • Updated github/codeql-action from v3.28.8 to v3.28.13. (#281)
  • Updated goreleaser/goreleaser-action from v6.1.0 to v6.3.0. (#282)

Go Libraries

  • Updated Go language version to 1.24. (#284)
  • Updated github.com/spf13/cobra from v1.8.1 to v1.9.1. (#275)
  • Updated github.com/open-policy-agent/opa from v1.1.0 to v1.3.0. (#277)
  • General dependency updates. (#284)

New Contributors 👋

  • Welcome @Talgarr from our Security Research team, making their first direct code contribution to the poutine repository (#285)! @Talgarr has been a major contributor to the related LOTP project, significantly influencing rule improvements in this release.

Full Changelog 📜

For a detailed view of all changes, see the full changelog.

v0.16.1

13 Feb 20:25
7182c43

Changelog for poutine v0.16.1 🚀

New Features 🌟

  • Additional Untrusted Execution Commands: Added more commands to the list used to flag code execution after an untrusted checkout, i.e. a step that builds or installs from a pull request head checked out inside a privileged workflow, broadening the rule's coverage. (#248)

Improvements 🔧

  • Enhanced Untrusted Command List: Sorted the untrusted command list and added OpenTofu and Maven to it. (#254)
  • Default Git Branch for Local Analysis: Set a default Git branch for analyze_local to improve reliability. (#266)

Dependency Updates ⬆️

GitHub Actions

  • Updated actions/dependency-review-action from v4.4.0 to v4.5.0. (#238)
  • Updated sigstore/cosign-installer from v3.6.0 to v3.7.0. (#237)
  • Updated step-security/harden-runner from v2.10.1 to v2.10.4. (#236, #259)
  • Updated github/codeql-action from v3.27.0 to v3.28.8. (#235, #250, #256)
  • Updated actions/setup-go from v5.0.2 to v5.3.0. (#234, #257)
  • Updated actions/upload-artifact from v4.4.3 to v4.6.0. (#251, #258)

Go Libraries

  • Updated github.com/schollz/progressbar/v3 from v3.17.0 to v3.17.1. (#243)
  • Updated golang.org/x/oauth2 from v0.23.0 to v0.24.0. (#241)
  • Updated github.com/xanzy/go-gitlab from v0.112.0 to v0.114.0 and switched to its new import path. (#239, #246)
  • Updated github.com/stretchr/testify from v1.9.0 to v1.10.0. (#240)
  • Updated golang.org/x/sync from v0.8.0 to v0.10.0. (#244)
  • Updated github.com/open-policy-agent/opa to v1.0.0 with migration support. (#265)

Other Changes ✨

  • Linter Integration: Added a new linter to help maintain code quality. (#264)

Full Changelog 📜

For a detailed diff, see the full changelog.

v0.16.0

22 Nov 21:27
4d52b8e

Changelog for poutine v0.16.0 🚀

New Features 🌟

  • Finding Metadata Enhancements: Included event_triggers in findings metadata, so consumers can see which workflow events reach the flagged code. (#233)

Improvements 🔧

  • Inventory Scanner Refactoring: Refactored the inventory scanner for improved efficiency and maintainability. (#230)
  • Local Actions Resolution: Enhanced handling for resolving repository-local GitHub Actions. (#213)

Dependency Updates ⬆️

  • GitHub Actions:
    • Updated github/codeql-action from v3.26.10 to v3.27.0. (#229)
    • Updated actions/checkout from v4.2.0 to v4.2.2. (#228)
    • Updated actions/upload-artifact from v4.4.0 to v4.4.3. (#227)
    • Updated actions/dependency-review-action from v4.3.4 to v4.4.0. (#226)
  • Go Libraries:
    • Updated github.com/open-policy-agent/opa from v0.69.0 to v0.70.0. (#225)
    • Updated github.com/schollz/progressbar/v3 from v3.16.1 to v3.17.0. (#224)
    • Updated github.com/xanzy/go-gitlab from v0.110.0 to v0.112.0. (#223)

Other Changes ✨

  • Bump GoReleaser: Upgraded GoReleaser to v2 to modernize the release workflow. (#231)

New Contributors 🤝

Full Changelog 📜

For a detailed diff, see the full changelog.

v0.15.2

29 Oct 12:00
160d529

Changelog for poutine v0.15.2 🚀

Improvements 🔧

  • GitHub Native Changelog Formatting: Updated changelog generation to follow GitHub's native format, enhancing readability and consistency. (#208)
  • Gracefully Skip Empty Repositories: Improved handling to skip over empty repositories without errors during analysis. (#209)
  • Poutine Build Platform Advisories: Added platform-specific advisories to the build process, providing more tailored insights. (#221)
  • Git Error Handling Improvements: Enhanced error handling in Git, including resilience during local analysis to allow scanning of folders that are not git repositories. (#222)

Security Updates 🔒

  • Update osv.rego with New GHA CVE: Integrated the latest GitHub Actions CVE from the OSV database for more comprehensive vulnerability scanning. (#210)
  • CVE Database Update: Refreshed CVE database with the latest entries to maintain up-to-date security checks. (#211)

Dependency Updates 📦

  • sigstore/cosign-installer: Bumped cosign-installer from v3.5.0 to v3.6.0 for enhanced functionality. (#200)
  • actions/upload-artifact: Updated to v4.4.0 for improved artifact handling in GitHub Actions. (#201)
  • ossf/scorecard-action: Upgraded to v2.4.0 for the latest enhancements in scorecard assessments. (#202)
  • Go 1.23 Update: Updated to Go v1.23 as part of general dependency and compatibility improvements. (#220)
  • actions/checkout: Increased to v4.2.0 for streamlined workflows. (#217)
  • step-security/harden-runner: Upgraded to v2.10.1 to strengthen security in CI workflows. (#216)
  • github/codeql-action: Updated to v3.26.10 for more effective code scanning capabilities. (#215)

Full Changelog 📜

For a detailed diff of all changes, see the full changelog.

v0.15.1

09 Sep 15:25
e4aab7e

Changelog for poutine v0.15.1 🚀

Improvements 🔧

  • GitHub Actions Parsing: Adjusted how GitHub Actions are parsed for improved accuracy and functionality. (#192)
  • Repo Metadata: Enhanced repository metadata handling for better data management and insights. (#193)
  • Pipelines As Code Documentation: Added documentation for Pipelines As Code to help developers integrate and understand the new feature. (#188)

Bug Fixes 🐛

  • Fix Analyze Org Data Race: Resolved a data race issue in the organization data analysis feature to improve stability. (#198)
  • GitHub Client URL Handling: Fixed an issue where the GitHub client did not respect the --scm-base-url flag. (#189)
  • URL Resolution with Base URL: Resolved an issue where URL finding did not correctly use the --scm-base-url. (#196)

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.15.0

02 Aug 17:26
b8181bf

Changelog for poutine v0.15.0 🚀

New Features 🌟

  • Tekton (Pipeline as Code): Added support for Tekton pipelines (Pipeline as Code). (#174)

Improvements 🔧

  • SARIF Report Version: Added actual version in SARIF report for better accuracy and tracking. (#173)

Dependency Updates ⬆️

  • Upload Artifact Action: Bumped actions/upload-artifact from 4.3.3 to 4.3.4 for enhanced artifact handling. (#183)
  • Dependency Review Action: Updated actions/dependency-review-action from 4.3.3 to 4.3.4 for improved dependency analysis. (#182)
  • CodeQL Action: Bumped github/codeql-action from 3.25.11 to 3.25.15 for better code analysis. (#181)
  • Setup Go Action: Updated actions/setup-go from 5.0.1 to 5.0.2 for better Go environment setup. (#180)
  • GitLab Client: Bumped github.com/xanzy/go-gitlab from 0.106.0 to 0.107.0 for improved GitLab API interactions. (#179)
  • SARIF Library: Updated github.com/owenrumney/go-sarif/v2 from 2.3.1 to 2.3.3 for enhanced SARIF report handling. (#178)
  • Progress Bar: Bumped github.com/schollz/progressbar/v3 from 3.14.4 to 3.14.5 to improve progress tracking. (#177)
  • Open Policy Agent: Updated github.com/open-policy-agent/opa from 0.66.0 to 0.67.0 for better policy management. (#176)
  • Viper: Bumped github.com/spf13/viper from 1.18.2 to 1.19.0 for improved configuration management. (#175)

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.14.0

25 Jul 16:13
573ab0b

Changelog for poutine v0.14.0 🚀

Also 😁

New Features 🌟

  • Azure DevOps Pipeline Support: Added full support for Azure DevOps Pipelines, including ADO Debug mode and "pwn request" detection, expanding the compatibility of poutine with various CI/CD platforms. (#160, #168, #169, #170)

Improvements 🔧

  • CVE Detection Enhancement: Improved GitHub Enterprise / Self-hosted GitLab CVE detection, including updates to the Build Platform CVE Database. (#140, #166)
  • Rules Configuration: Introduced rules configuration for pr_runs_on_self_hosted, providing more control over pull request executions on self-hosted runners. (#159)
  • Dagger Module: Introduced a new Dagger module for improved build and deployment workflows. (#154)
  • Version Handling: Readded version flags for GoReleaser to enhance the release process. (#153)
  • Analyze Command: Updated the analyze command to set PURL version with the provided reference for more accurate analysis. (#152)
  • Simplified Repo Parsing: Simplified the process of parsing repository files to improve efficiency and reliability. (#167)
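The pr_runs_on_self_hosted configuration above, the strategy-matrix parsing and the large-runner support added in v0.18.0 all hinge on one step: a rule cannot tell where a job runs until `runs-on: ${{ matrix.os }}` has been expanded into concrete combinations. The following Python sketch is added here as an illustration and is not poutine's own code. The include/exclude semantics follow the examples in the GitHub Actions documentation; the label heuristic, the function names and the sample job are this example's own assumptions. GitHub larger runners carry org-chosen labels, which is why a custom label comes back as unknown rather than as self-hosted.

```python
"""Added illustration, not poutine's code: expand a GitHub Actions strategy
matrix and resolve `runs-on` for every resulting job instance.

Include/exclude handling follows the examples in the GitHub Actions docs;
the label classification is a heuristic of this example; the sample job is
constructed.
"""
import itertools
import re
from typing import Any

MATRIX_EXPR = re.compile(r"\$\{\{\s*matrix\.([\w-]+)\s*\}\}")
# Heuristic: labels of GitHub's standard hosted images. Any other label is
# either a self-hosted runner or an org-defined larger runner; the label alone
# cannot tell those apart, so a scanner needs extra knowledge for that case.
GITHUB_HOSTED_LABEL = re.compile(
    r"^(ubuntu|windows|macos)-(latest|\d+(\.\d+)?)(-arm64|-arm)?$")


def expand_matrix(matrix: dict) -> list[dict]:
    """Cartesian product of the matrix keys, then `exclude`, then `include`."""
    base_keys = [k for k in matrix if k not in ("include", "exclude")]
    combos = ([dict(zip(base_keys, values))
               for values in itertools.product(*(matrix[k] for k in base_keys))]
              if base_keys else [])
    # exclude: a partial match on all of the entry's keys drops the combination
    for ex in matrix.get("exclude") or []:
        combos = [c for c in combos
                  if not all(c.get(k) == v for k, v in ex.items())]
    # include: merged into every original combination it does not contradict
    # on an original key; if it fits none, it becomes a combination of its own
    extra = []
    for inc in matrix.get("include") or []:
        targets = [c for c in combos
                   if all(k not in base_keys or c.get(k) == v for k, v in inc.items())]
        if targets:
            for c in targets:
                c.update(inc)
        else:
            extra.append(dict(inc))
    return combos + extra


def resolve_runs_on(runs_on: Any, combo: dict) -> list[str]:
    """Runner labels for one job instance, with ${{ matrix.* }} substituted."""
    def subst(value: Any) -> str:
        return MATRIX_EXPR.sub(lambda m: str(combo.get(m.group(1), m.group(0))), str(value))
    if isinstance(runs_on, str):
        return [subst(runs_on)]
    if isinstance(runs_on, list):
        return [subst(v) for v in runs_on]
    if isinstance(runs_on, dict):  # {group: ..., labels: ...} form
        labels = runs_on.get("labels") or []
        labels = [labels] if isinstance(labels, str) else list(labels)
        group = runs_on.get("group")
        return [subst(v) for v in labels] + ([f"group:{subst(group)}"] if group else [])
    return []


def classify_runner(labels: list[str]) -> str:
    """'github-hosted', 'self-hosted' or 'unknown' (custom label or runner group)."""
    if "self-hosted" in labels:
        return "self-hosted"
    if labels and all(GITHUB_HOSTED_LABEL.match(label) for label in labels):
        return "github-hosted"
    return "unknown"


def job_instances(job: dict) -> list[tuple[dict, list[str]]]:
    """(matrix combination, runner labels) for every instance the job expands to."""
    matrix = (job.get("strategy") or {}).get("matrix") or {}
    combos = expand_matrix(matrix) or [{}]  # no matrix: exactly one instance
    return [(c, resolve_runs_on(job.get("runs-on"), c)) for c in combos]


def non_github_hosted_instances(job: dict) -> list[dict]:
    """Combinations a pr_runs_on_self_hosted style rule would want to inspect."""
    return [c for c, labels in job_instances(job) if classify_runner(labels) != "github-hosted"]


# Example matrix taken from the GitHub Actions documentation on `include`.
DOCS_EXAMPLE_MATRIX = {
    "fruit": ["apple", "pear"], "animal": ["cat", "dog"],
    "include": [{"color": "green"}, {"color": "pink", "animal": "cat"},
                {"fruit": "apple", "shape": "circle"}, {"fruit": "banana"},
                {"fruit": "banana", "animal": "cat"}],
}
# Constructed sample job: one of the matrix values is the self-hosted label.
SAMPLE_JOB = {
    "runs-on": "${{ matrix.os }}",
    "strategy": {"matrix": {
        "os": ["ubuntu-latest", "windows-2022", "self-hosted"],
        "node": [18, 20],
        "exclude": [{"os": "windows-2022", "node": 18}],
        "include": [{"os": "macos-latest", "node": 20}],
    }},
    "steps": [{"run": "npm ci"}],
}

if __name__ == "__main__":
    for combo, labels in job_instances(SAMPLE_JOB):
        print(combo, labels, classify_runner(labels))
```

Running the block prints six instances for the sample job: five from the product minus the excluded Windows/Node 18 pair, plus the macOS combination that the include entry could not merge into any original combination and therefore became its own job. Only the two self-hosted instances are what a pull-request rule needs to reason about.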

Dependency Updates ⬆️

  • Open Policy Agent: Bumped github.com/open-policy-agent/opa from 0.65.0 to 0.66.0 for improved policy management. (#150)
  • OAuth2: Updated golang.org/x/oauth2 from 0.20.0 to 0.21.0 for better authentication support. (#149)
  • Progress Bar: Bumped github.com/schollz/progressbar/v3 from 3.14.3 to 3.14.4 to enhance progress tracking. (#147)
  • Dependency Review Action: Updated actions/dependency-review-action from 4.3.2 to 4.3.3 for enhanced dependency analysis. (#145)
  • Harden Runner: Bumped step-security/harden-runner from 2.7.1 to 2.8.1 for improved security during GitHub Actions. (#144)
  • Checkout Action: Updated actions/checkout from 4.1.4 to 4.1.7 for better repository access in workflows. (#142)
  • CodeQL Action: Bumped github/codeql-action from 3.25.7 to 3.25.11 for enhanced code analysis. (#141)
  • GitLab Client: Updated github.com/xanzy/go-gitlab from 0.105.0 to 0.106.0 for improved GitLab API interactions. (#148)

Release Process Changes 🔧

  • Dockerfile Addition: Added a Dockerfile and upgraded the Git image to streamline the containerization process. (#139)
  • MAINTAINERS.md Update: Removed @becojo from the MAINTAINERS.md file. (#162) 😢 😭 👋

Contributions 🤝

  • Thanks to all contributors for continuing to improve poutine, ensuring it remains a robust tool for securing CI pipelines.

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.13.0

26 Jun 14:53
fcaa6ac

Changelog for poutine v0.13.0 🚀

Fixes 🛠️

  • Fixes crash when running without config: (#138)

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.

v0.12.0

25 Jun 19:42
a58a7b7

Changelog for poutine v0.12.0 🚀

New Features 🌟

  • Quiet Mode: Added a new --quiet option to minimize output verbosity during scans, helping streamline outputs for automated processes. (#134)
  • Security Rule: Introduced the unverified_script_exec rule to detect CI steps that fetch and execute a script without verifying it, such as piping a downloaded installer straight into a shell. (#129)
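The unverified_script_exec rule introduced here, the untrusted-checkout execution commands extended in v0.16.1 and the stale-branch pull_request_target analysis from v0.17.0 all look for one family of pipeline weaknesses. The following Python sketch is added as an illustration and is not poutine's code (poutine implements its rules in Rego). It assumes workflows already parsed into dicts, as yaml.safe_load would return them (note that PyYAML reads an unquoted `on:` key as the boolean True), a constructed list of code-executing commands, and constructed sample workflows; only scan_all_branches touches a real clone, through plain git commands.

```python
"""Added illustration, not poutine's code (poutine's rules are written in Rego).

A toy scanner for the findings described in these release notes:
  * a pull_request_target workflow that checks out the pull request head and
    then runs a command executing repository-controlled code,
  * that same check applied to every branch, not just the default one,
  * a run step that pipes a downloaded script straight into a shell.
Workflows are handed over already parsed (what yaml.safe_load returns); all
sample data below is constructed.
"""
import re
import subprocess
from typing import Callable, Optional

# Constructed list of commands that execute code from the checked-out tree.
UNTRUSTED_EXEC_COMMANDS = (
    "npm install", "npm ci", "yarn install", "pip install", "bundle install",
    "make", "mvn", "gradle", "terraform init", "tofu init", "go generate",
)
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
PIPED_REMOTE_SCRIPT = re.compile(
    r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")


def uses_pull_request_target(workflow: dict) -> bool:
    # PyYAML reads an unquoted `on:` key as the boolean True (YAML 1.1),
    # so look under both spellings.
    triggers = workflow.get("on", workflow.get(True))
    if isinstance(triggers, str):
        return triggers == "pull_request_target"
    if isinstance(triggers, (list, dict)):
        return "pull_request_target" in triggers
    return False


def checks_out_pr_head(step: dict) -> bool:
    uses = str(step.get("uses", ""))
    ref = str((step.get("with") or {}).get("ref", ""))
    return uses.startswith("actions/checkout") and bool(PR_HEAD_REF.search(ref))


def untrusted_command(step: dict) -> Optional[str]:
    run = step.get("run")
    if not isinstance(run, str):
        return None
    for cmd in UNTRUSTED_EXEC_COMMANDS:
        # word boundaries so that e.g. "cmake" does not match "make"
        if re.search(r"(?<![\w./-])" + re.escape(cmd) + r"(?![\w-])", run):
            return cmd
    return None


def scan_workflow(workflow: dict) -> list[str]:
    """Return finding ids ("rule:job[:detail]") for one parsed workflow."""
    findings = []
    privileged = uses_pull_request_target(workflow)
    for job_name, job in (workflow.get("jobs") or {}).items():
        tainted = False  # PR head has been checked out earlier in this job
        for step in job.get("steps") or []:
            if privileged and checks_out_pr_head(step):
                tainted = True
                continue
            cmd = untrusted_command(step)
            if tainted and cmd:
                findings.append(f"untrusted_checkout_exec:{job_name}:{cmd}")
            run = step.get("run")
            if isinstance(run, str) and PIPED_REMOTE_SCRIPT.search(run):
                findings.append(f"unverified_script_exec:{job_name}")
    return findings


def scan_all_branches(repo: str, load: Callable[[str], dict]) -> dict[str, list[str]]:
    """scan_workflow over .github/workflows on every local and remote branch.

    `load` turns workflow text into a dict (e.g. yaml.safe_load). Only this
    function touches git; the detection logic above is pure."""
    def git(*args: str) -> str:
        return subprocess.run(["git", "-C", repo, *args], capture_output=True,
                              text=True, check=True).stdout
    results: dict[str, list[str]] = {}
    for ref in git("for-each-ref", "--format=%(refname)", "refs/heads", "refs/remotes").split():
        for path in git("ls-tree", "-r", "--name-only", ref, "--", ".github/workflows").split():
            if not path.endswith((".yml", ".yaml")):
                continue
            for finding in scan_workflow(load(git("show", f"{ref}:{path}"))):
                results.setdefault(ref, []).append(f"{path}:{finding}")
    return results


# Constructed sample: what a forgotten release branch might still carry.
STALE_BRANCH_WORKFLOW = {
    "name": "pr-build",
    True: {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test"},
        {"run": "curl -sSf https://example.invalid/install.sh | sh"},
    ]}},
}
# Constructed sample: the same workflow after being fixed on the default branch.
FIXED_WORKFLOW = {
    "name": "pr-build",
    True: {"pull_request": None},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm ci && npm test"},
    ]}},
}

if __name__ == "__main__":
    for name, wf in (("stale", STALE_BRANCH_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(name, scan_workflow(wf))
```

The point of scan_all_branches is the one the stale-branch analysis makes: the fixed workflow on the default branch reports nothing, while the stale copy still reports both findings, and a pull request opened against that stale branch would run the stale copy. The regexes are deliberately simple; a real scanner also has to follow `uses:` into reusable workflows and composite actions, which this sketch does not.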

Improvements 🔧

  • Custom References: Enhanced the analyze_repo command to accept custom references, enabling more precise analysis across different repo states. (#131)
  • Homebrew Integration: Updated documentation to refer to the new Homebrew core formula, simplifying installation processes. (#124)
  • Open Policy Agent (OPA): Exposed new JSON marshalling options in OPA, enhancing flexibility in policy definitions. (#133)

Fixes 🛠️

  • Dependency Handling: Avoided errors by no longer compiling the Rego policies a second time when emitting the JSON format. (#132)

Dependency Updates ⬆️

  • Retryable HTTP: Bumped github.com/hashicorp/go-retryablehttp to leverage enhancements in retry logic and error handling. (#135)

Release process changes 🔧

  • Release Process: Updated .goreleaser.yaml and removed the reference to the local tap. (#136, #128)

Contributions 🤝

  • Thanks to all contributors for continuing to improve poutine, ensuring it remains a robust tool for securing CI pipelines.

Full Changelog 📜

For a detailed diff of everything new and updated, see the full changelog.