Description
Describe the bug
I have read the blog post, the README and tried some commands using the docker image. All three seem to disagree about the usage; I have found several ways that don't work, but I have not yet found how to make it work.
- Argument order

The project README file gives several example commands:

```
docker run -e GH_TOKEN ghcr.io/boostsecurityio/poutine:latest
poutine [command] [arguments] [options]
poutine analyze_org my-org/project --token "$GL_TOKEN" --scm gitlab --scm-base-uri https://gitlab.example.com
```
But when running the tool, everything seems to be in a different order:

```
Usage:
  poutine [options] <command> [<args>]

Commands:
  analyze_org <org>
  analyze_repo <org>/<repo>
  analyze_local <path>

Options:
  -format string
        Output format (pretty, json, sarif) (default "pretty")
  -scm string
        SCM platform (github, gitlab) (default "github")
  -scm-base-url string
        Base URI of the self-hosted SCM instance (optional)
  -threads int
        Parallelization factor for scanning organizations (default 2)
  -token string
        SCM access token (required for the commands analyze_org, analyze_repo) (env: GH_TOKEN)
  -verbose
        Enable verbose logging
```

=> Options are now in first position.
- All option flags have a single dash in the help vs. a double dash in the README.
- The blog post also refers to an option to analyze all projects in a self-hosted Gitlab instance, but this option seems to be unavailable in the binary:

```
Analyze all projects in a self-hosted Gitlab instance
$ poutine -token "$GL_TOKEN" -scm gitlab -scm-base-uri https://example.com org/repo
```
- There's no source specifying what format the Gitlab token should have (I guess `user:token`?).
To Reproduce
Steps to reproduce the behavior:

```
docker run -it ghcr.io/boostsecurityio/poutine:latest -token "$GL_TOKEN" -scm gitlab -scm-base-url gitlab.example.com
```
Expected behavior
A clear and concise description of how to use the tool, consistent across the help, README and other blog posts.
Desktop (please complete the following information):
- OS: Kali Linux
- Browser: whatever