diff --git a/README.md b/README.md
index eac0a0ad..49ecfe2a 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,14 @@ See the [documentation](docs/content/en/rules) for a list of rules currently sup
 ## Why `poutine`?
-In French, the word "poutine", when not referring to the [dish](https://en.wikipedia.org/wiki/Poutine), can be used to mean "messy". Inspired by the complexity and intertwined dependencies of modern open-source projects, `poutine` reflects both a nod to our Montreal roots and the often messy, complex nature of securing software supply chains.
+In French, the word "poutine", when not referring to the [dish](https://en.wikipedia.org/wiki/Poutine), can be used to mean "messy". Inspired by the complexity and intertwined dependencies of modern open-source projects, `poutine` reflects both a nod to our Montreal roots and the often messy, complex nature of securing software supply chains.
+
+## Supported Platforms
+
+- GitHub Actions
+- Gitlab Pipelines
+- Azure DevOps
+- Pipelines As Code Tekton
 ## Getting Started
diff --git a/docs/content/en/rules/injection.md b/docs/content/en/rules/injection.md
index d2e8ba4a..a7773a66 100644
--- a/docs/content/en/rules/injection.md
+++ b/docs/content/en/rules/injection.md
@@ -75,6 +75,58 @@ jobs:
 })
 ```
+## Remediation
+
+### Pipeline as Code Tekton
+
+#### Anti-Pattern
+```yaml
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ name: linters
+ annotations:
+ pipelinesascode.tekton.dev/on-event: "[push, pull_request]"
+ pipelinesascode.tekton.dev/on-target-branch: "[*]"
+ pipelinesascode.tekton.dev/task: "[git-clone]"
+spec:
+ params:
+ - name: repo_url
+ value: "{{repo_url}}"
+ - name: revision
+ value: "{{revision}}"
+ pipelineSpec:
+ params:
+ - name: repo_url
+ - name: revision
+ tasks:
+ - name: fetchit
+ displayName: "Fetch git repository"
+ params:
+ - name: url
+ value: $(params.repo_url)
+ - name: revision
+ value: $(params.revision)
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: source
+ - name: validate
+ displayName: "Injecting body in script"
+ runAfter:
+ - fetchit
+ taskSpec:
+ workspaces:
+ - name: source
+ steps:
+ - name: execute
+ image: some.registry/some-image
+ script: |
+ validate_pr "{{body.pull_request.body}}"
+...
+```
+
 ## See Also
 - [Understanding the risk of script injections](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)
 - [Good practices for mitigating script injection attacks](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks)
diff --git a/docs/content/en/rules/untrusted_checkout_exec.md b/docs/content/en/rules/untrusted_checkout_exec.md
index 9d91518f..647c274c 100644
--- a/docs/content/en/rules/untrusted_checkout_exec.md
+++ b/docs/content/en/rules/untrusted_checkout_exec.md
@@ -207,6 +207,59 @@ Organization Setting: Avoid activating the following settings to prevent issues:
 ![img_1.png](img_1.png)
+### Pipeline As Code Tekton
+
+#### Anti-Pattern
+
+```yaml
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+ name: linters
+ annotations:
+ pipelinesascode.tekton.dev/on-event: "[push, pull_request]"
+ pipelinesascode.tekton.dev/on-target-branch: "[*]"
+ pipelinesascode.tekton.dev/task: "[git-clone]"
+spec:
+ params:
+ - name: repo_url
+ value: "{{repo_url}}"
+ - name: revision
+ value: "{{revision}}"
+ pipelineSpec:
+ params:
+ - name: repo_url
+ - name: revision
+ tasks:
+ - name: fetchit
+ displayName: "Fetch git repository"
+ params:
+ - name: url
+ value: $(params.repo_url)
+ - name: revision
+ value: $(params.revision)
+ taskRef:
+ name: git-clone
+ workspaces:
+ - name: output
+ workspace: source
+ - name: npm
+ displayName: "NPM Install"
+ runAfter:
+ - fetchit
+ taskSpec:
+ workspaces:
+ - name: source
+ steps:
+ - name: npm-install
+ image: node:16
+ workingDir: $(workspaces.source.path)
+ script: |
+ npm install
+...
+
+```
+
 ## See Also