Skip to content

Adding poutine SAST#2138

Closed
h2parson wants to merge 9 commits intoopen-quantum-safe:mainfrom
h2parson:poutine
Closed

Adding poutine SAST#2138
h2parson wants to merge 9 commits intoopen-quantum-safe:mainfrom
h2parson:poutine

Conversation

@h2parson
Copy link
Copy Markdown
Contributor

@h2parson h2parson commented May 9, 2025

This PR adds poutine to CI for static application security testing

This PR addresses issue #1866

When this feature was pushed it was observed that poutine ran as part of the CI routine which shows that the feature works

This PR does NOT change input/output behaviour of a cryptographic algorithm and does not change the list of algorithms available

@h2parson h2parson requested a review from SWilson4 as a code owner May 9, 2025 18:41
@praveksharma praveksharma self-requested a review May 9, 2025 18:48
github-advanced-security[bot]
github-advanced-security AI found potential problems May 9, 2025
View reviewed changes
Comment thread .github/workflows/basic.yml Fixed
@h2parson h2parson changed the title initial commit Adding poutine SAST May 9, 2025
initial commit
631488a 
Signed-off-by: Hayden Parsons <h2parson@Douglass-MacBook-Pro.local>
Hayden Parsons added 4 commits May 9, 2025 15:41
Signed-off-by: Hayden Parsons <h2parson@Douglass-MacBook-Pro.local>
8f6c1a5 
add upload for results.sarif
Signed-off-by: Hayden Parsons <h2parson@Douglass-MacBook-Pro.local>
f6c57dc 
add upload for results.sarif

Signed-off-by: Hayden Parsons <h2parson@Douglass-MacBook-Pro.local>
Merge branch 'poutine' of github.com:h2parson/liboqs into poutine
b9c8304 
Signed-off-by: Hayden Parsons <h2parson@Douglass-MacBook-Pro.local>
Signed-off-by: Hayden Parsons <h2parson@Douglass-MacBook-Pro.local>
5ab7d69 
yml indent
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented May 9, 2025

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

github-advanced-security[bot]
github-advanced-security AI found potential problems May 9, 2025
View reviewed changes
Comment thread .github/workflows/basic.yml Fixed
github-advanced-security[bot]
github-advanced-security AI found potential problems May 12, 2025
View reviewed changes
Comment thread .github/workflows/basic.yml
- name: Configure as safe directory
run: git config --global --add safe.directory /__w/liboqs/liboqs
- name: poutine - Static Application Security Testing
uses: boostsecurityio/poutine-action@main

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 9: third-party GitHubAction not pinned by hash
Click Remediation section below to solve this issue
Copy link
Copy Markdown
Member

@SWilson4 SWilson4 May 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See Pravek's comment above for details on how to fix this message.

Copy link
Copy Markdown
Contributor

@aidenfoxivey aidenfoxivey Jul 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does boostsecurityio/poutine-action itself have to be pinned to a specific version?

If so, I think this 16c6972a96ef3c8b4a151dd4b6da2ccd48ef736d is the right commit hash.

Of course, it will likely be much easier to just click a button if one exists.

@aidenfoxivey
Copy link
Copy Markdown
Contributor

aidenfoxivey commented Jul 24, 2025

Should be superseded by #2213.

@dstebila dstebila closed this Jul 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SWilson4 SWilson4 Awaiting requested review from SWilson4

@praveksharma praveksharma Awaiting requested review from praveksharma

1 more reviewer

@aidenfoxivey aidenfoxivey aidenfoxivey left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@h2parson @github-advanced-security @aidenfoxivey @SWilson4 @praveksharma @dstebila