⭐ poutine
FLAGSHIP scanner
Build Pipeline Security Scanner
Detect misconfigurations and vulnerabilities in your CI/CD pipelines. Scans GitHub Actions, GitLab CI, and other build systems for security issues.
$ ls -la /usr/local/bin/
Open Source Tools
Security tools and knowledge bases built by the team.
## tools
bagel
RELEASED scanner
Developer Workstation Security Scanner
Open-source CLI that inventories security-relevant metadata on developer workstations. Detects credentials, misconfigurations, and exposed secrets across Git, SSH, cloud providers, and package managers.
gobelin
RELEASED scanner
Go Repojacking Vulnerability Detector
Scan Go project dependencies for potential repojacking vulnerabilities. Detects missing or deleted GitHub accounts that could be hijacked by attackers.
puant
RELEASED scanner
Unicode PUA Obfuscation Detector
Tree-sitter-powered detector for malware hidden using Unicode Private Use Area characters. Catches invisible code obfuscation in JavaScript, Python, Go, and Java.
lev-calc
RELEASED analysis
LEV Vulnerability Exploitability Calculator
Calculate Likely Exploitable Vulnerability scores based on NIST CSWP 41. Predict the probability of vulnerabilities being actively exploited to prioritize patching.
smokedmeat
COMING SOON offensive
Something spicy is in the smoker...
Our first offensive tool. We're excited about this one.
## Knowledge Bases (KBs)
LOTP
Living Off The PipelineCI/CD Attack Techniques Knowledge Base
Inventory of how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-by-design features.
Attack Trees
Supply Chain Attack TreesDeciduous-Generated Threat Models
Visual attack trees for supply chain security threats, generated using the Deciduous tool. Covers source code and build system attack scenarios aligned with SLSA.