boostsecurityio · SUSTAPLE117 · Aug 7, 2024 · Aug 2, 2024 · Aug 7, 2024
@@ -24,7 +24,14 @@ See the [documentation](docs/content/en/rules) for a list of rules currently sup
 
 ## Why `poutine`?
 
-In French, the word "poutine", when not referring to the [dish](https://en.wikipedia.org/wiki/Poutine), can be used to mean "messy". Inspired by the complexity and intertwined dependencies of modern open-source projects, `poutine` reflects both a nod to our Montreal roots and the often messy, complex nature of securing software supply chains. 
+In French, the word "poutine", when not referring to the [dish](https://en.wikipedia.org/wiki/Poutine), can be used to mean "messy". Inspired by the complexity and intertwined dependencies of modern open-source projects, `poutine` reflects both a nod to our Montreal roots and the often messy, complex nature of securing software supply chains.
+
+## Supported Platforms
+
+- GitHub Actions
+- Gitlab Pipelines
+- Azure DevOps
+- Pipelines As Code Tekton
 
 ## Getting Started
 

@@ -75,6 +75,58 @@ jobs:
             })
 ```
 
+## Remediation
+
+### Pipeline as Code Tekton
+
+#### Anti-Pattern
+```yaml
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: linters
+  annotations:
+    pipelinesascode.tekton.dev/on-event: "[push, pull_request]"
+    pipelinesascode.tekton.dev/on-target-branch: "[*]"
+    pipelinesascode.tekton.dev/task: "[git-clone]"
+spec:
+  params:
+    - name: repo_url
+      value: "{{repo_url}}"
+    - name: revision
+      value: "{{revision}}"
+  pipelineSpec:
+    params:
+      - name: repo_url
+      - name: revision
+    tasks:
+      - name: fetchit
+        displayName: "Fetch git repository"
+        params:
+          - name: url
+            value: $(params.repo_url)
+          - name: revision
+            value: $(params.revision)
+        taskRef:
+          name: git-clone
+        workspaces:
+          - name: output
+            workspace: source
+      - name: validate
+        displayName: "Injecting body in script"
+        runAfter:
+          - fetchit
+        taskSpec:
+          workspaces:
+            - name: source
+          steps:
+            - name: execute
+              image: some.registry/some-image
+              script: |
+                validate_pr "{{body.pull_request.body}}"
+...
+```
+
 ## See Also
 - [Understanding the risk of script injections](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)
 - [Good practices for mitigating script injection attacks](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks)
@@ -207,6 +207,59 @@ Organization Setting:
 Avoid activating the following settings to prevent issues:
 ![img_1.png](img_1.png)
 
+### Pipeline As Code Tekton
+
+#### Anti-Pattern
+
+```yaml
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: linters
+  annotations:
+    pipelinesascode.tekton.dev/on-event: "[push, pull_request]"
+    pipelinesascode.tekton.dev/on-target-branch: "[*]"
+    pipelinesascode.tekton.dev/task: "[git-clone]"
+spec:
+  params:
+    - name: repo_url
+      value: "{{repo_url}}"
+    - name: revision
+      value: "{{revision}}"
+  pipelineSpec:
+    params:
+      - name: repo_url
+      - name: revision
+    tasks:
+      - name: fetchit
+        displayName: "Fetch git repository"
+        params:
+          - name: url
+            value: $(params.repo_url)
+          - name: revision
+            value: $(params.revision)
+        taskRef:
+          name: git-clone
+        workspaces:
+          - name: output
+            workspace: source
+      - name: npm
+        displayName: "NPM Install"
+        runAfter:
+          - fetchit
+        taskSpec:
+          workspaces:
+            - name: source
+          steps:
+            - name: npm-install
+              image: node:16
+              workingDir: $(workspaces.source.path)
+              script: |
+                npm install
+...
+
+```
+
 
 
 ## See Also