⭐ poutine
Build Pipeline Security Scanner
Detect misconfigurations and vulnerabilities in your CI/CD pipelines. Scans GitHub Actions, GitLab CI, and other build systems for security issues.
Security tools and knowledge bases built by the team.
Go Repojacking Vulnerability Detector
Scan Go project dependencies for potential repojacking vulnerabilities. Detects missing or deleted GitHub accounts that could be hijacked by attackers.
Unicode PUA Obfuscation Detector
Tree-sitter-powered detector for malware hidden using Unicode Private Use Area characters. Catches invisible code obfuscation in JavaScript, Python, Go, and Java.
LEV Vulnerability Exploitability Calculator
Calculate Likely Exploitable Vulnerability scores based on NIST CSWP 41. Predict the probability of vulnerabilities being actively exploited to prioritize patching.
Something tasty is baking...
Fresh out of the oven. Almost ready to serve.
Something spicy is in the smoker...
Our first offensive tool. We're excited about this one.
CI/CD Attack Techniques Knowledge Base
Inventory of lesser-known RCE-by-design features in development tools (typically CLIs) that are commonly used in CI/CD pipelines.
Deciduous-Generated Threat Models
Visual attack trees for supply chain security threats, generated using the Deciduous tool. Covers source code and build system attack scenarios aligned with SLSA.