Using poutine - SethBodine/audit-tools GitHub Wiki

Using poutine

Poutine is a security scanner for CI/CD pipeline configurations. It analyses GitHub Actions workflows, GitLab CI, Buildkite, and Azure DevOps pipelines for misconfigurations and supply chain vulnerabilities — including script injection, unpinned actions, excessive permissions, and use of compromised dependencies.

  • Scans GitHub Actions, GitLab CI, Buildkite, and Azure DevOps
  • Detects script injection, unpinned dependencies, excessive permissions
  • Works against a local repository or directly via GitHub/GitLab APIs
  • Outputs to table, JSON, and SARIF

Prepare the Environment

No setup required. Run from the shell.

Gather Data

Local Repository

poutine analyze repo <path>            # e.g. poutine analyze repo .

GitHub Repository (via API)

export GITHUB_TOKEN=<your-token>
poutine analyze repo <org>/<repo>

All Repositories in a GitHub Organisation

export GITHUB_TOKEN=<your-token>
poutine analyze org <org-name>

GitLab Repository (via API)

export GITLAB_TOKEN=<your-token>
poutine analyze repo <namespace>/<project> --scm gitlab

All Repositories in a GitLab Group

export GITLAB_TOKEN=<your-token>
poutine analyze org <group-name> --scm gitlab

Output to File

poutine analyze repo . -f json > /output/poutine-results.json
poutine analyze repo . -f sarif > /output/poutine-results.sarif
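The SARIF file written above is the most useful artefact to keep, because other tooling understands it. The script below is an added example (not from the audit-tools wiki or the poutine project) that triages such a report: it flattens the results, counts them per rule and severity, lists the affected workflow files, and returns a non-zero status when anything at or above a chosen severity is present, so it can gate a pipeline. It assumes poutine's `-f sarif` output follows the standard SARIF 2.1.0 layout (`runs[].results[]` with `ruleId`, `level`, `message.text` and `locations[].physicalLocation.artifactLocation.uri`). The embedded report, its rule ids and its file paths are constructed placeholders, not real poutine rule names.

```python
"""Summarise a poutine SARIF report by rule and severity.

Added example, not part of the audit-tools wiki or poutine itself.
Assumes standard SARIF 2.1.0 structure. The embedded sample report is
constructed data with placeholder rule ids and paths.
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed sample in the shape produced by:
#   poutine analyze repo . -f sarif > /output/poutine-results.sarif
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "poutine"}},
        "results": [
            {"ruleId": "example_injection_rule", "level": "error",
             "message": {"text": "Untrusted input reaches a run step"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}}}]},
            {"ruleId": "example_unpinned_rule", "level": "warning",
             "message": {"text": "Action referenced by mutable tag"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ci.yml"}}}]},
            {"ruleId": "example_unpinned_rule", "level": "warning",
             "message": {"text": "Action referenced by mutable tag"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/release.yml"}}}]},
            {"ruleId": "example_permissions_rule", "level": "note",
             "message": {"text": "Workflow lacks a top-level permissions block"},
             "locations": []},
        ],
    }],
})

# SARIF result levels, most severe first.
SEVERITY_ORDER = {"error": 0, "warning": 1, "note": 2, "none": 3}


def load_findings(sarif_text):
    """Flatten SARIF results into (rule, level, uri, message) tuples."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            locs = res.get("locations") or []
            uri = "<no location>"
            if locs:
                uri = (locs[0].get("physicalLocation", {})
                              .get("artifactLocation", {})
                              .get("uri", uri))
            findings.append((res.get("ruleId", "<unknown>"),
                             res.get("level", "none"),
                             uri,
                             res.get("message", {}).get("text", "")))
    return findings


def summarise(findings):
    """Count findings per (rule, level), ordered by severity then count,
    and attach the sorted list of files each rule fired on."""
    counts = Counter((rule, level) for rule, level, _, _ in findings)
    files = defaultdict(set)
    for rule, _, uri, _ in findings:
        files[rule].add(uri)
    rows = sorted(counts.items(),
                  key=lambda kv: (SEVERITY_ORDER.get(kv[0][1], 9), -kv[1], kv[0][0]))
    return [(rule, level, n, sorted(files[rule])) for (rule, level), n in rows]


def has_blocking_findings(findings, threshold="warning"):
    """True if any finding is at or above the threshold; a CI gate."""
    limit = SEVERITY_ORDER[threshold]
    return any(SEVERITY_ORDER.get(level, 9) <= limit for _, level, _, _ in findings)


def main(path=None):
    """Print a per-rule summary; exit status 1 if blocking findings exist."""
    text = open(path).read() if path else SAMPLE_SARIF
    findings = load_findings(text)
    for rule, level, n, uris in summarise(findings):
        print(f"{level:8} {n:3}  {rule}  ({', '.join(uris)})")
    return 1 if has_blocking_findings(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python3 triage.py /output/poutine-results.sarif` to summarise a real report; with no argument it runs against the embedded sample. Raise or lower the `threshold` argument of `has_blocking_findings` to decide which severity should fail a build.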

Known Issues

TBC

Additional Information

⚠️ **GitHub.com Fallback** ⚠️