From 4fb75ef540a66fd36366538db30062fdc4024a49 Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Tue, 29 Oct 2024 16:36:42 +0100 Subject: [PATCH 1/9] wip packaging poutine --- scanners/boostsecurityio/poutine/module.yaml | 20 +++++++++++++ scanners/boostsecurityio/poutine/rules.yaml | 30 ++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 scanners/boostsecurityio/poutine/module.yaml create mode 100644 scanners/boostsecurityio/poutine/rules.yaml diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml new file mode 100644 index 00000000..cc139fcc --- /dev/null +++ b/scanners/boostsecurityio/poutine/module.yaml @@ -0,0 +1,20 @@ +api_version: 1.0 + +id: boostsecurityio/poutine +name: BoostSecurity Poutine +namespace: boostsecurityio/Poutine +scan_types: + - sast + +config: + support_diff_scan: true + require_full_repo: true + +steps: + - scan: + command: + docker: + image: ghcr.io/boostsecurityio/poutine:0.15.2@sha256:f706446664a1988c6d33c70b00100442eb3c28eed694a450a50c641b5659c2d8 + command: analyze_local . --format sarif + workdir: /src + format: sarif diff --git a/scanners/boostsecurityio/poutine/rules.yaml b/scanners/boostsecurityio/poutine/rules.yaml new file mode 100644 index 00000000..fcb4c1ca --- /dev/null +++ b/scanners/boostsecurityio/poutine/rules.yaml 
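Review bot: `namespace: boostsecurityio/Poutine` is capitalised while `id: boostsecurityio/poutine` two lines above it is not; if the namespace is used to match findings or rules elsewhere, the stray capital will not match, so use `namespace: boostsecurityio/poutine` unless the casing is deliberate. Separately, `api_version: 1.0` is parsed as the float 1.0 by a YAML loader, so a consumer that compares it against a string would need it quoted (`api_version: '1.0'`); this hunk does not show which form the module loader expects. The digest-pinned image reference is the right shape and should stay digest-pinned as the tag moves.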
@@ -0,0 +1,30 @@ +rules: + injection: + categories: + - ALL + - boost-baseline + - boost-hardened + - supply-chain + - supply-chain-cicd-vulnerable-pipeline + - supply-chain-cicd-severe-issues + description: The pipeline contains an injection into bash or JavaScript with an expression that can contain user input. Prefer placing the expression in an environment variable instead of interpolating it directly into a script. + name: injection + group: supply-chain-cicd-vulnerable-pipeline + pretty_name: Serialized AI model with malicious behavior + ref: https://boostsecurityio.github.io/poutine/rules/injection/ + recommended: true + untrusted_checkout_exec: + categories: + - ALL + - boost-baseline + - boost-hardened + - supply-chain + - supply-chain-cicd-vulnerable-pipeline + - supply-chain-cicd-severe-issues + description: The workflow appears to checkout untrusted code from a fork and uses a command that is known to allow code execution. + name: untrusted_checkout_exec + group: supply-chain-cicd-vulnerable-pipeline + pretty_name: Arbitrary Code Execution from Untrusted Code Changes + ref: https://boostsecurityio.github.io/poutine/rules/untrusted_checkout_exec/ + recommended: true + From 3adf536649e8b7e9b831434b0805e7ab4e39a3d1 Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Wed, 13 Nov 2024 12:35:47 +0100 Subject: [PATCH 2/9] wip packaging poutine --- scanners/boostsecurityio/poutine/module.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml index cc139fcc..15698ced 100644 --- a/scanners/boostsecurityio/poutine/module.yaml +++ b/scanners/boostsecurityio/poutine/module.yaml 
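Review bot: The `pretty_name` of the `injection` rule, `Serialized AI model with malicious behavior`, contradicts the rule's own description, which is about untrusted expressions interpolated into bash or JavaScript steps, and looks copied from an unrelated rule; it would surface as a misleading finding title in SARIF and any UI built on it. Replace it with a title that matches the description and the linked rule page, e.g. `pretty_name: Injection with Arbitrary External Contributor Input` (the upstream title as far as I recall; verify against the `ref` URL before merging). The `untrusted_checkout_exec` entry is consistent with its description and needs no change.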
@@ -14,7 +14,8 @@ steps: - scan: command: docker: - image: ghcr.io/boostsecurityio/poutine:0.15.2@sha256:f706446664a1988c6d33c70b00100442eb3c28eed694a450a50c641b5659c2d8 - command: analyze_local . --format sarif + image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:f76592a@sha256:77ae9b7a923dced2741ba9bb19f143bc20986454bfa30dece39ef723c5f98bf5 + command: | + -c 'git config --global --add safe.directory /src' workdir: /src format: sarif From 70e5399f365cac5f36c9540188df2d97b5520155 Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Wed, 30 Apr 2025 10:55:12 -0400 Subject: [PATCH 3/9] latest image --- scanners/boostsecurityio/poutine/module.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml index 15698ced..c96a36dd 100644 --- a/scanners/boostsecurityio/poutine/module.yaml +++ b/scanners/boostsecurityio/poutine/module.yaml @@ -14,8 +14,6 @@ steps: - scan: command: docker: - image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:f76592a@sha256:77ae9b7a923dced2741ba9bb19f143bc20986454bfa30dece39ef723c5f98bf5 - command: | - -c 'git config --global --add safe.directory /src' + image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7 workdir: /src format: sarif From 334db0c152eca78a4b1a9b52662b9096b5439cf0 Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Wed, 30 Apr 2025 11:05:03 -0400 Subject: [PATCH 4/9] proper sha not cut --- scanners/boostsecurityio/poutine/module.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml index c96a36dd..958c96bd 100644 --- a/scanners/boostsecurityio/poutine/module.yaml +++ b/scanners/boostsecurityio/poutine/module.yaml 
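Review bot: After this change the scan step's `command` only runs `git config --global --add safe.directory /src` and never invokes the analyzer, so the step cannot emit the SARIF declared by `format: sarif` two lines below. The `-c` form suggests the new image's entrypoint is a shell and the git configuration was meant to be chained with the analysis, e.g. `-c 'git config --global --add safe.directory /src && poutine analyze_local . --format sarif'`. The `|` block scalar also appends a trailing newline to the string handed to `-c`; `|-` avoids passing it.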
@@ -14,6 +14,6 @@ steps: - scan: command: docker: - image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7 + image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9 workdir: /src format: sarif From 7b419e33c26227a6e550706a6211788ad157cdbd Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Wed, 30 Apr 2025 11:07:37 -0400 Subject: [PATCH 5/9] command --- scanners/boostsecurityio/poutine/module.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml index 958c96bd..8e2e4a1a 100644 --- a/scanners/boostsecurityio/poutine/module.yaml +++ b/scanners/boostsecurityio/poutine/module.yaml @@ -15,5 +15,7 @@ steps: command: docker: image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9 + command: | + -c "git config --global --add safe.directory '*'" workdir: /src format: sarif From 416be43105faccc0cd122d4471054888f8ecea9d Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Wed, 30 Apr 2025 11:11:13 -0400 Subject: [PATCH 6/9] command --- scanners/boostsecurityio/poutine/module.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml index 8e2e4a1a..ce87274f 100644 --- a/scanners/boostsecurityio/poutine/module.yaml +++ b/scanners/boostsecurityio/poutine/module.yaml @@ -15,7 +15,6 @@ steps: command: docker: image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9 - command: | - -c "git config --global --add safe.directory '*'" + command: analyze_local . --format sarif workdir: /src format: sarif 
From 3018fb5712a10cb3e8d771dc1a989dfd0560857c Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Wed, 30 Apr 2025 11:11:51 -0400 Subject: [PATCH 7/9] command --- scanners/boostsecurityio/poutine/module.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml index ce87274f..0461dd5c 100644 --- a/scanners/boostsecurityio/poutine/module.yaml +++ b/scanners/boostsecurityio/poutine/module.yaml @@ -15,6 +15,6 @@ steps: command: docker: image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9 - command: analyze_local . --format sarif + command: poutine analyze_local . --format sarif workdir: /src format: sarif From ac08655993306d328bae782865366e0d311c932f Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Wed, 30 Apr 2025 11:14:32 -0400 Subject: [PATCH 8/9] command --- scanners/boostsecurityio/poutine/module.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml index 0461dd5c..11234f57 100644 --- a/scanners/boostsecurityio/poutine/module.yaml +++ b/scanners/boostsecurityio/poutine/module.yaml @@ -15,6 +15,6 @@ steps: command: docker: image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9 - command: poutine analyze_local . --format sarif + command: 'poutine analyze_local . --format sarif' workdir: /src format: sarif From 6b5476fe383f76eed9291b4c7781a8635b90735e Mon Sep 17 00:00:00 2001 From: Alexis-Maurer Fortin Date: Wed, 30 Apr 2025 11:18:45 -0400 Subject: [PATCH 9/9] command --- scanners/boostsecurityio/poutine/module.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/scanners/boostsecurityio/poutine/module.yaml b/scanners/boostsecurityio/poutine/module.yaml index 11234f57..76508541 100644 --- a/scanners/boostsecurityio/poutine/module.yaml +++ b/scanners/boostsecurityio/poutine/module.yaml @@ -15,6 +15,7 @@ steps: command: docker: image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9 - command: 'poutine analyze_local . --format sarif' + command: | + -c "poutine analyze_local . --format sarif" workdir: /src format: sarif
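Review bot: The final `command` restores the analyzer invocation but drops the `git config --global --add safe.directory` workaround from the earlier commits in this series; if `/src` is a bind mount owned by a different uid than the container user, git's dubious-ownership check makes git commands fail and the local analysis may run without repository metadata or not at all. Confirm the new image already handles this, otherwise chain it scoped to the workdir, `-c "git config --global --add safe.directory /src && poutine analyze_local . --format sarif"`, rather than the `'*'` wildcard tried in PATCH 5/9, which disables the ownership check for every path. The `|` block scalar also leaves a trailing newline in the string passed to `-c`; `|-` or a plain quoted scalar avoids it. Since the `-c` form hard-codes that the image entrypoint is a shell, which this module file cannot verify, a one-line comment above `command:` such as `# image entrypoint is a shell; the value is passed as its -c argument` would spare the next maintainer the trial-and-error visible in commits 5 through 9.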