Stop Letting AI Ship Time Bombs: Poutine MCP for CI/CD

BoostSecurity.io

Now generally available in our first major release: v1.0.

In our last post, we released the BoostSecurity Safe Package MCP server: a lightweight guardrail that lets coding agents check dependency safety before they install anything. That helps stop typosquats, malware-laced releases, and risky, unmaintained packages from ever reaching your machine.

Today, we’re taking the next step in developer supply-chain defense:

Meet the Poutine MCP Server

Poutine brings Model Context Protocol (MCP) superpowers to your editor/agent so it can analyze repos and build pipelines on demand, spot dangerous CI/CD coding patterns, and validate newly generated pipelines, all inline while you code.

Why now?

Agentic coding is accelerating software creation (Claude Code, Cursor, Gemini CLI, Copilot, Windsurf, etc.). That’s great for delivery speed, but it also means agents are proposing new workflows, touching more repositories, and moving faster than traditional review gates.

Attackers know this. The recent Nx supply chain attack started because an agent generated a vulnerable workflow that got exploited.

Poutine helps agents (and humans!) audit at scale, instantly, so speed doesn’t come at the expense of security.


What Poutine does (at a glance)

🧠 MCP-native tools your agent can call:
  • analyze_org: scan every repo in a GitHub/GitLab org
  • analyze_repo: scan a single repository (branch/commit selectable)
  • analyze_local: scan a local path
  • analyze_repo_stale_branches: hunt for pull_request_target issues in stale branches
  • analyze_manifest: validate CI/CD YAML generated by the agent (GitHub Actions, GitLab CI, Azure Pipelines, Tekton)
🔒 CI/CD supply-chain checks:
  • Arbitrary Code Execution from Untrusted Code Changes
  • Confused Deputy Auto-Merge
  • Injection with Arbitrary External Contributor Input
  • Unverified Script Execution
  • Default permissions used on risky events
  • If condition always evaluates to true
  • Job uses all secrets
  • Pull Request Runs on Self-Hosted GitHub Actions Runner
  • CI Debug Enabled
  • Unpinnable CI component used
  • Build Component with a Known Vulnerability used
  • Build Platform with a Known Vulnerability used
⚙️ Works where you work:
  • Tested with Claude Code, Gemini CLI, and other MCP-compatible clients
  • No account required, just configure and go
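To make a few of the checks above concrete, here is an added example (written for this post, not Poutine's own rule set or output format) that implements four of them as heuristics over a parsed GitHub Actions workflow: a checkout of the PR head under pull_request_target (arbitrary code execution from untrusted code changes), contributor-controlled expressions interpolated into run: (injection with external contributor input), uses: references not pinned to a commit SHA, and jobs with no permissions block on a risky event. The two workflows, the rule names, the RISKY_TRIGGERS set and the placeholder commit SHAs are all constructed for the example; in practice analyze() would be handed the output of yaml.safe_load, which is why triggers() also accepts the key True that YAML 1.1 loaders produce for a bare on key.

```python
import re

# Rule labels are constructed for this example; they mirror the categories above.
RULE_ACE = "arbitrary_code_execution_from_untrusted_code_changes"
RULE_INJECTION = "injection_with_external_contributor_input"
RULE_UNPINNED = "unpinnable_ci_component"
RULE_DEFAULT_PERMS = "default_permissions_on_risky_event"

# Events that run with the repository's secrets while an outside contributor
# controls part of the input (assumed set for this example).
RISKY_TRIGGERS = {"pull_request_target", "issue_comment", "workflow_run"}

# A `uses:` reference is only immutable when pinned to a full 40-hex commit SHA.
PINNED_SHA = re.compile(r"^[^@\s]+@[0-9a-f]{40}$")

# Expression contexts an external contributor can set (PR/issue titles, bodies,
# comments, branch names). Interpolating them into `run:` is shell injection.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:pull_request|issue|comment|review)\.[\w.]+)\s*\}\}"
)

# Checking out the PR head brings the contributor's code into a privileged job.
PR_HEAD_REF = re.compile(r"github\.(?:head_ref|event\.pull_request\.head\.(?:ref|sha))")


def triggers(workflow):
    """Normalise `on:`, which may be a string, a list or a mapping. YAML 1.1
    loaders (PyYAML) parse the bare key `on` as the boolean True, so accept that too."""
    on = workflow.get("on", workflow.get(True)) or {}
    if isinstance(on, str):
        return {on}
    return set(on)  # list -> its items; mapping -> its keys


def iter_steps(workflow):
    """Yield (job_id, job, step) for every step of every job."""
    for job_id, job in (workflow.get("jobs") or {}).items():
        for step in job.get("steps") or []:
            yield job_id, job, step


def analyze(workflow):
    """Return (rule, job_id, detail) findings for one parsed workflow."""
    findings = []
    privileged = triggers(workflow) & RISKY_TRIGGERS

    for job_id, job, step in iter_steps(workflow):
        uses = str(step.get("uses") or "")
        ref = str((step.get("with") or {}).get("ref") or "")
        run = str(step.get("run") or "")

        if privileged and uses.startswith("actions/checkout") and PR_HEAD_REF.search(ref):
            findings.append((RULE_ACE, job_id, f"checkout of {ref} under {sorted(privileged)}"))
        if uses and not uses.startswith(("./", "docker://")) and not PINNED_SHA.match(uses):
            findings.append((RULE_UNPINNED, job_id, f"uses: {uses} is not pinned to a commit SHA"))
        hit = UNTRUSTED_EXPR.search(run)
        if hit:
            findings.append((RULE_INJECTION, job_id, f"run: interpolates {hit.group(0)}"))

    # Without a permissions block the job inherits the default token scope,
    # which is too much for an event an outsider can trigger.
    if privileged and "permissions" not in workflow:
        for job_id, job in (workflow.get("jobs") or {}).items():
            if "permissions" not in job:
                findings.append((RULE_DEFAULT_PERMS, job_id, f"no permissions block on {sorted(privileged)}"))
    return findings


SHA = "0123456789abcdef0123456789abcdef01234567"  # placeholder, not a real commit

# Constructed, deliberately flawed workflow as yaml.safe_load would return it.
VULNERABLE_WORKFLOW = {
    "name": "pr-ci",
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"name": "Announce", "run": 'echo "Testing PR: ${{ github.event.pull_request.title }}"'},
        {"uses": f"actions/setup-node@{SHA}", "with": {"node-version": "20"}},
        {"run": "npm ci && npm test"},
    ]}},
}

# The same workflow after remediation: unprivileged trigger, read-only token,
# pinned actions, no PR-head checkout, untrusted text passed via an env var.
HARDENED_WORKFLOW = {
    "name": "pr-ci",
    "on": {"pull_request": {"types": ["opened", "synchronize"]}},
    "permissions": {"contents": "read"},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": f"actions/checkout@{SHA}"},
        {"name": "Announce", "env": {"PR_TITLE": "${{ github.event.pull_request.title }}"},
         "run": 'echo "Testing PR: $PR_TITLE"'},
        {"uses": f"actions/setup-node@{SHA}", "with": {"node-version": "20"}},
        {"run": "npm ci && npm test"},
    ]}},
}

if __name__ == "__main__":
    for rule, job_id, detail in analyze(VULNERABLE_WORKFLOW):
        print(f"[{rule}] job={job_id}: {detail}")
    print("hardened findings:", analyze(HARDENED_WORKFLOW))
```

The vulnerable workflow yields one finding per category and the hardened one yields none; the remediation pattern in the second workflow (env var instead of inline expression, pinned SHAs, explicit read-only permissions, a non-privileged trigger) is the shape of fix the assistant is expected to propose when analyze_manifest flags a generated pipeline.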


Quickstart (2 minutes)

1) Install & auth

Make sure you’ve installed Poutine (see project README) and authenticated with GitHub:

$ gh auth login
$ export GH_TOKEN=$(gh auth token)

Poutine picks up GH_TOKEN from your shell session.

2) Add the MCP server to your client

Claude Code

$ claude mcp add poutine poutine mcp-server

Gemini CLI

$ gemini mcp add poutine poutine mcp-server

Any MCP-compatible client (stdio)
Add to your config:

{
  "mcpServers": {
    "poutine": {
      "type": "stdio",
      "command": "poutine",
      "args": ["mcp-server"]
    }
  }
}

That’s it. Your assistant now has a security scanner on tap.


What it feels like in practice

Validate a new workflow (agent-generated)

Prompt to your assistant:

> Create a GitHub Actions workflow that runs tests on pull requests.

Your assistant generates YAML, then automatically calls analyze_manifest to validate it. If it finds unsafe triggers, bad permissions, or unpinned actions, it suggests secure changes before you commit.

Audit a specific repo

Prompt:

> Use Poutine to analyze the security of the repository myorg/myrepo

The assistant calls analyze_repo and you get a concise summary plus deep findings, with precise remediations that the agent can implement.

Sweep your org

Prompt:

> Use Poutine to scan all repositories in the myorg organization

Poutine’s analyze_org runs multi-repo checks in parallel (configurable threads), with options to ignore forks or target self-hosted SCMs.

Hunt for PR-target footguns in stale branches

Prompt:

> Check myorg/myrepo for pull_request_target vulnerabilities in stale branches

Use analyze_repo_stale_branches to surface risky patterns that often fly under the radar.


Secure-by-default agent workflows

With Poutine wired in, your assistant can:

  • Auto-validate every CI change it proposes
  • Suggest least-privilege tokens/permissions
  • Detect dangerous triggers
  • Generate secure remediation PRs and commit diffs

This shifts CI security left into the authoring loop, without extra toil for developers.


Design principles

  • Agent-first: Every capability is exposed as an MCP tool the agent can reason about and orchestrate.
  • Human-verifiable: Clear summaries and concrete, code-ready remediations.
  • Local-friendly: Analyze repos on your disk with analyze_local.
  • Scales up: Org-wide scans with parallelism for coverage without pain.


FAQs

Does Poutine require a BoostSecurity account?
No. Configure your MCP client and set GH_TOKEN.

Which clients are supported?
Tested with Claude Code, Gemini CLI and generally any MCP-compatible client via stdio.

Which CI systems are supported for manifest analysis?
GitHub Actions, GitLab CI, Azure Pipelines, Tekton.

Can it run against self-hosted GitHub/GitLab?
Yes, use scm_base_url and set the appropriate provider.


Resources

Happy (and secure) agentic coding!
