Stop Letting AI Ship Time Bombs: Poutine MCP for CI/CD

Now generally available in our first major release: v1.0.

In our last post, we released the BoostSecurity Safe Package MCP server: a lightweight guardrail that lets coding agents check dependency safety before they install anything. That helps stop typosquats, malware-laced releases, and risky, unmaintained packages from ever reaching your machine.

Today, we’re taking the next step in developer supply-chain defense:

Meet the Poutine MCP Server

Poutine brings Model Context Protocol (MCP) superpowers to your editor/agent so it can analyze repos and build pipelines on demand, spot dangerous CI/CD coding patterns, and validate newly generated pipelines, all inline while you code.

Why now?

Agentic coding is accelerating software creation (Claude Code, Cursor, Gemini CLI, Copilot, Windsurf, etc.). That’s great for delivery speed, but it also means agents are proposing new workflows, touching more repositories, and moving faster than traditional review gates.

Attackers know this. The recent Nx supply chain attack started because an agent generated a vulnerable workflow that got exploited.

Poutine helps agents (and humans!) audit at scale, instantly, so speed doesn’t come at the expense of security.

What Poutine does (at a glance)

• analyze_org : scan every repo in a GitHub/GitLab org
• analyze_repo : scan a single repository (branch/commit selectable)
• analyze_local : scan a local path
• analyze_repo_stale_branches : hunt for pull_request_target issues in stale branches
• analyze_manifest : validate CI/CD YAML generated by the agent (GitHub Actions, GitLab CI, Azure Pipelines, Tekton)

• Arbitrary Code Execution from Untrusted Code Changes
• Confused Deputy Auto-Merge
• Injection with Arbitrary External Contributor Input
• Unverified Script Execution
• Default permissions used on risky events
• If condition always evaluates to true
• Job uses all secrets
• Pull Request Runs on Self-Hosted GitHub Actions Runner
• CI Debug Enabled
• Unpinnable CI component used
• Unverified Script Execution
• Build Component with a Known Vulnerability used
• Build Platform with a Known Vulnerability used

• Tested with Claude Code, Gemini CLI, and other MCP-compatible clients
• No account required, just configure and go
  
  

Quickstart (2 minutes)

1) Install & auth

Make sure you’ve installed Poutine (see project README) and authenticated with GitHub:

$ gh auth login
$ export GH_TOKEN=$(gh auth token)

Poutine picks up GH_TOKEN from your shell session.

2) Add the MCP server to your client

Claude Code

$ claude mcp add poutine poutine mcp-server

Gemini CLI

$ gemini mcp add poutine poutine mcp-server

Any MCP-compatible client (stdio)
Add to your config:

"mcpServers": {
  "poutine": {
    "type": "stdio",
    "command": "poutine",
    "args": ["mcp-server"]
  }
}

That’s it. Your assistant now has a security scanner on tap.

What it feels like in practice

Validate a new workflow (agent-generated)

Prompt to your assistant:

> Create a GitHub Actions workflow that runs tests on pull requests.

Your assistant generates YAML, then automatically calls analyze_manifest to validate it. If it finds unsafe triggers, bad permissions, or unpinned actions, it suggests secure changes before you commit.

Audit a specific repo 

Prompt:

> Use Poutine to analyze the security of the repository myorg/myrepo

The assistant calls analyze_repo and you get a concise summary plus deep findings, with precise remediations that the agent can implement.

Sweep your org

Prompt:

> Use Poutine to scan all repositories in the myorg organization

Poutine’s analyze_org runs multi-repo checks in parallel (configurable threads), with options to ignore forks or target self-hosted SCMs.

Hunt for PR-target footguns in stale branches

Prompt:

> Check myorg/myrepo for pull_request_target vulnerabilities in stale branches

Use analyze_repo_stale_branches to surface risky patterns that often fly under the radar.

Secure-by-default agent workflows

With Poutine wired in, your assistant can:

• Auto-validate every CI change it proposes
• Suggest least-privilege tokens/permissions
• Detect dangerous triggers
• Generate secure remediation PRs and commit diffs

This shifts CI security left into the authoring loop, without extra toil for developers.

Design principles

• Agent-first: Every capability is exposed as an MCP tool the agent can reason about and orchestrate.
• Human-verifiable: Clear summaries and concrete, code-ready remediations.
• Local-friendly: Analyze repos on your disk with analyze_local.
• Scales up: Org-wide scans with parallelism for coverage without pain.
  
  

FAQs

Does Poutine require a BoostSecurity account?
No. Configure your MCP client and set GH_TOKEN.

Which clients are supported?
Tested with Claude Code, Gemini CLI and generally any MCP-compatible client via stdio.

Which CI systems are supported for manifest analysis?
GitHub Actions, GitLab CI, Azure Pipelines, Tekton.

Can it run against self-hosted GitHub/GitLab?
Yes, use scm_base_url and set the appropriate provider.

Resources

• Model Context Protocol: https://spec.modelcontextprotocol.io/
• Poutine docs & README (installation, usage)
• Claude Code MCP Guide: https://docs.claude.com/en/docs/claude-code/mcp
• Gemini CLI MCP Guide: https://github.com/google-gemini/gemini-cli/blob/main/docs/tools/mcp-server.md
• Poutine original release blog: https://boostsecurity.io/blog/unveiling-poutine-an-open-source-build-pipelines-security-scanner 

Happy (and secure) agentic coding!