Projects that follow the best practices below can voluntarily self-certify and display the Core Infrastructure Initiative (OpenSSF) badge they have achieved.
<a href="https://www.bestpractices.dev/projects/8787"><img src="https://www.bestpractices.dev/projects/8787/badge"></a>
poutine is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. It supports parsing CI workflows from GitHub Actions and Gitlab CI/CD (with others soon to be supported). When given an access token with read-level access, poutine can analyze all the repositories of an organization to quickly gain insights into the security posture of the organization's software supply chain.
https://github.com/boostsecurityio/poutine/blob/main/CODE_OF_CONDUCT.md
https://github.com/boostsecurityio/poutine/blob/main/MAINTAINERS.md
https://github.com/boostsecurityio/poutine/blob/main/README.md
https://boostsecurityio.github.io/poutine/
We follow semver. So far we are still in v0 and have not had a breaking change for multiple versions; we strive to maintain backward compatibility in our machine-readable formats. https://github.com/boostsecurityio/poutine/releases
https://github.com/boostsecurityio/poutine/issues
https://github.com/boostsecurityio/poutine?tab=security-ov-file#readme
https://github.com/boostsecurityio/poutine/blob/main/.github/workflows/build_test.yml
https://github.com/boostsecurityio/poutine/blob/main/.github/workflows/release.yml
https://github.com/boostsecurityio/poutine#installation
https://github.com/boostsecurityio/poutine/network/dependencies
https://github.com/boostsecurityio/poutine/blob/main/.github/dependabot.yml
It's documented in our CONTRIBUTING.md: https://github.com/boostsecurityio/poutine/blob/main/CONTRIBUTING.md
Our team is highly qualified in application security and we put the bar very high
No encryption or signature scheme involved for now.
We always use HTTPS for all traffic
This is supported by Go 1.22
https://github.com/boostsecurityio/poutine/blob/main/.github/workflows/release.yml#L35 https://github.com/boostsecurityio/poutine/blob/main/.goreleaser.yaml#L37-L54
https://github.com/boostsecurityio/poutine/releases/tag/v0.15.1
We have strict arguments checking and even our plugin system (Rego based) is designed with protection against malicious input in mind.
Our Rego engine is configured with least privilege
CodeQL looks for problems in Go
Written in Golang