BST-13272 Feat/poutine

scanners/boostsecurityio/poutine/module.yaml

@@ -0,0 +1,21 @@
+api_version: 1.0
+
+id: boostsecurityio/poutine
+name: BoostSecurity Poutine
+namespace: boostsecurityio/Poutine
+scan_types:
+  - sast
+
+config:
+  support_diff_scan: true
+  require_full_repo: true
+
+steps:
+  - scan:
+      command:
+        docker:
+          image: public.ecr.aws/boostsecurityio/boost-scanner-poutine:0d9767e@sha256:1f3ca616dcdde9e984d758dd1e78e73f834e6e1e12d07c4364a3d7d9b64918f9
+          command: |
+            -c "poutine analyze_local . --format sarif"
+          workdir: /src
+      format: sarif

scanners/boostsecurityio/poutine/rules.yaml

@@ -0,0 +1,30 @@
+rules:
+  injection:
+    categories:
+    - ALL
+    - boost-baseline
+    - boost-hardened
+    - supply-chain
+    - supply-chain-cicd-vulnerable-pipeline
+    - supply-chain-cicd-severe-issues
+    description: The pipeline contains an injection into bash or JavaScript with an expression that can contain user input. Prefer placing the expression in an environment variable instead of interpolating it directly into a script.
+    name: injection
+    group: supply-chain-cicd-vulnerable-pipeline
+    pretty_name: Serialized AI model with malicious behavior
+    ref: https://boostsecurityio.github.io/poutine/rules/injection/
+    recommended: true
+  untrusted_checkout_exec:
+    categories:
+    - ALL
+    - boost-baseline
+    - boost-hardened
+    - supply-chain
+    - supply-chain-cicd-vulnerable-pipeline
+    - supply-chain-cicd-severe-issues
+    description: The workflow appears to checkout untrusted code from a fork and uses a command that is known to allow code execution.
+    name: untrusted_checkout_exec
+    group: supply-chain-cicd-vulnerable-pipeline
+    pretty_name: Arbitrary Code Execution from Untrusted Code Changes
+    ref: https://boostsecurityio.github.io/poutine/rules/untrusted_checkout_exec/
+    recommended: true
+