BoostSecurity News, Press & Events

Stop Letting AI Ship Time Bombs: Poutine MCP for CI/CD

Now generally available in our first major release: v1.0.

In our last post, we released the BoostSecurity Safe Package MCP server: a lightweight guardrail that lets coding agents check dependency safety before they install anything. That helps stop typosquats, malware-laced releases, and risky, unmaintained packages from ever reaching your machine.

Today, we’re taking the next step in developer supply-chain defense:

Meet the Poutine MCP Server

Poutine brings Model Context Protocol (MCP) superpowers to your editor/agent so it can analyze repos and build pipelines on demand, spot dangerous CI/CD coding patterns, and validate newly generated pipelines, all inline while you code.

Read More

Vibe coding...meet safe packages.

In the previous post, we made the case that developers are big targets of attack these days. Hardly a week goes by without some malware slipping into the open source package ecosystem. Developers are affected when they directly (or transitively) download the package. 

Read More
Comic book style illustration of a confused Wild West deputy, GitHub's Dependabot, about to press an 'Auto-Merge' lever on a machine releasing gremlin-like 'Vulnerabilities'.

Weaponizing Dependabot: Pwn Request at its Finest

TL;DR: Your trusty Dependabot (and other GitHub bots) might be an unwitting accomplice. Through "Confused Deputy" attacks, they can be tricked into merging malicious code. This doesn’t stop here. It can escalate to full command injection via crafted branch names and even bypass branch protection rules. Plus, we disclose two new TTPs to build upon previously known techniques.

Read More
first party code

Software Supply Chain Security: 1st Party Code Risks

After connecting with dozens of CISOs and CTOs, we've realized there’s a lot of diverging ideas around what software supply chain security even is. Even more so, the range of opinions around how to effectively protect against the unique and expanding kinds of risks is confusing to say the least. And while there are plenty of supply chain security standards around, and plenty of deeply technical supply chain security resources, there wasn't anything talking about it from a business risk level. So, we put together a resource for CISOs and CTOs that explores four categories of risks;

Read More
developer risk

Software Supply Chain Security: Understanding Developer Risk

After connecting with dozens of CISOs and CTOs, we've realized there’s a lot of diverging ideas around what software supply chain security even is. Even more so, the range of opinions around how to effectively protect against the unique and expanding kinds of risks is confusing to say the least. And while there are plenty of supply chain security standards around, and plenty of deeply technical supply chain security resources, there wasn't anything talking about it from a business risk level. So, we put together a resource for CISOs and CTOs that explores four categories of risks;

Read More

From Pandora's Box to Nuclear Fishing: Escalating Threats in Build Pipelines Security

 

TL;DR: We've been quiet lately—despite recent Supply Chain drama—because we wanted a clearer picture before chiming in. Attacks on popular GitHub Actions (tj-actions/changed-files and reviewdog/action-setup) have shocked us, but not surprised us. They simply proved the point we had warned about. Alarmingly, reviewdog automatically promoted “typo-fixers” to maintainers overnight. Combine that with GitHub's audit logging gaps—attackers can update releases leaving no trace—and we've got a real mess. It’s time we reassess our threat models and demand better visibility.

Read More

Under The Radar: Zero-Days in Open Source Build Pipelines

 

TL;DR: Our deep dive into open source projects’ CI/CD systems has revealed that build pipelines can be just as vulnerable as any other link in the software supply chain. We found hundreds of zero days on open source projects’ build pipelines with our detection at scale and responsibly disclosed them. Jump to the Research at Scale section to learn more.

Read More
Build Pipelines (aka CI/CD) are often a total mess…

Unveiling 'poutine': An Open Source Build Pipelines security scanner

TL;DR BoostSecurity.io is thrilled to announce ‘poutine’ – an Open Source security scanner CLI you can use to detect misconfigurations and vulnerabilities in Build Pipelines. Additionally, it can create an inventory of build-time dependencies so you can track known vulnerabilities (CVEs) as well. Today, the tool has about a dozen rules covering vulnerabilities found in GitHub Actions workflows and Gitlab pipelines. We have plans to add support for CircleCI, Azure Pipelines and more. The source code is published under the Apache 2.0 license and it is available on GitHub.

Read More