Tags: boostsecurityio/poutine
Add lotp_targets field to untrusted_checkout_exec findings (#386)

Resolves the target file(s) an attacker should inject into when exploiting a pwn request vulnerability. Static targets use a lookup table (npm→package.json, make→Makefile, etc.), dynamic targets extract file paths via regex from step.run content. The field is an array (lotp_targets) to handle cases where a single run: block references multiple scripts. URL-based references are filtered out to only surface local repository files.

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Add structured metadata fields to findings for programmatic access (#385)

* Add structured metadata fields to findings for programmatic access

Adds new fields to FindingMeta for library users who need machine-readable access to security-relevant data without parsing human-readable strings:

- injection_sources: Array of specific expressions being injected
- lotp_tool: Living Off The Pipeline build tool (npm, pip, make, etc.)
- lotp_action: LOTP GitHub Action identifier
- referenced_secrets: Secrets referenced in the job (excludes GITHUB_TOKEN)

The referenced_secrets field is automatically extracted when rules pass the _job field, supporting dot notation (secrets.FOO) and bracket notation (secrets['FOO'] and secrets["FOO"]).

Benchmark (Apple M4 Pro):

| Version | ns/op    | B/op    | allocs/op |
|---------|----------|---------|-----------|
| Before  | 10971339 | 7149084 | 132787    |
| After   | 12059356 | 7858242 | 148422    |
| Delta   | +9.9%    | +9.9%   | +11.8%    |

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Use hex.EncodeToString for faster fingerprint encoding

Fixes perfsprint linter warning by replacing fmt.Sprintf("%x", ...) with hex.EncodeToString which is more performant.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Use require.NoError for error assertions in test

Fixes testifylint warning by using require.NoError instead of assert.NoError for error checking in TestStructuredFindingFields.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Fix SARIF validation errors for GitHub CodeQL upload (#384)

* Initial plan

* Fix SARIF validation errors for GitHub CodeQL upload

- Set index property on ToolComponentReference to 0 (pointing to first taxonomy)
- Set guid property to avoid null serialization
- Initialize Rules field in ToolComponent as empty array instead of null
- Add comprehensive test case to validate SARIF structure

Co-authored-by: fproulx-boostsecurity <76956526+fproulx-boostsecurity@users.noreply.github.com>

* Fix lint error and add test for issue #384

- Replace require.Equal with require.InDelta for float comparison to fix testifylint error
- Add test fixture with exact YAML from issue #384
- Add comprehensive test case TestSarifFormatIssue384 to validate the fix

Co-authored-by: fproulx-boostsecurity <76956526+fproulx-boostsecurity@users.noreply.github.com>

* Update test to actually scan and use the issue-384 workflow fixture

- Modified TestSarifFormatIssue384 to use InventoryScanner to scan the testdata directory
- Test now parses the actual workflow file and runs OPA analysis to generate findings
- Added imports for scanner and opa packages
- Test validates that issue-384.yml workflow is found and scanned
- SARIF output is generated from real scan results instead of mock data

Co-authored-by: fproulx-boostsecurity <76956526+fproulx-boostsecurity@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: fproulx-boostsecurity <76956526+fproulx-boostsecurity@users.noreply.github.com>