thomasboni
6 hours ago
I've spent ten years working on CI/CD pipelines. Last year, I found a green, good-looking pipeline that was pushing my customer code & secrets on a malicious server.
Tons of security tools didn't see it, just focused on the app code & dependencies. Almost nobody cares about how the pipeline is built.
That’s why I built plumber. It checks 40+ controls in your GitHub workflow (or GitLab CI) and gives you an A-E score with a list of issues to fix.
Controls are written in Rego but today you can’t add your own controls yet by dropping in a Rego file.
Do you think you have an A?
```
brew tap getplumber/plumber
brew install plumber
cd <your-git-repo>
plumber config generate # generates default configuration yaml file
plumber analyze
```
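As an added example that is not part of the post above and is not plumber's code or any of its Rego controls, the following Python script shows the kind of pipeline-configuration check the post describes: it scans a constructed GitHub workflow file for a few widely known hardening issues (actions pinned to mutable branches or tags instead of commit SHAs, remote scripts piped into a shell, `write-all` token permissions, and `pull_request_target` combined with a checkout of the PR head) and turns the findings into an A-E grade. The regexes, severities and grading thresholds are assumptions chosen for illustration, not plumber's.

```python
"""Added example: a minimal scanner for GitHub workflow files that flags a few
well-known pipeline-hardening issues and grades the result A-E.
This is NOT plumber's code or its Rego controls; the checks, severities and
grading thresholds below are assumptions chosen for illustration."""
import re

# Constructed sample workflow (not from the original post). The 40-hex SHA is
# a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/some-action@main
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: curl -s https://example.invalid/install.sh | bash
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_PIPE_RE = re.compile(r"^\s*-?\s*run:.*(curl|wget)[^|]*\|\s*(ba)?sh\b")


def find_issues(workflow_text):
    """Return a list of (severity, message) findings for one workflow file."""
    issues = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        # Local actions (./path) and docker:// references carry no @ref to pin.
        if m and "@" in m.group(1) and not m.group(1).startswith("./"):
            action, ref = m.group(1).rsplit("@", 1)
            if ref in ("main", "master", "HEAD") or ref.startswith("refs/heads/"):
                issues.append(("high", f"line {n}: {action} pinned to mutable branch '{ref}'"))
            elif not SHA_RE.match(ref):
                issues.append(("medium", f"line {n}: {action} pinned to tag '{ref}', not a commit SHA"))
        if RUN_PIPE_RE.match(line):
            issues.append(("high", f"line {n}: remote script piped into a shell"))
    # Whole-file checks (flag-level settings rather than per-step ones).
    if re.search(r"^\s*permissions:\s*write-all", workflow_text, re.M):
        issues.append(("high", "workflow grants write-all token permissions"))
    if re.search(r"^\s*pull_request_target:", workflow_text, re.M) and "pull_request.head" in workflow_text:
        issues.append(("critical", "pull_request_target checks out untrusted PR head code"))
    return issues


# Assumed weights and thresholds; plumber's actual scoring is not shown on the page.
WEIGHTS = {"critical": 40, "high": 20, "medium": 10, "low": 5}


def grade(issues):
    """Map the weighted finding total to an A-E letter."""
    score = sum(WEIGHTS[sev] for sev, _ in issues)
    for letter, limit in (("A", 0), ("B", 15), ("C", 35), ("D", 60)):
        if score <= limit:
            return letter
    return "E"


if __name__ == "__main__":
    found = find_issues(SAMPLE_WORKFLOW)
    for sev, msg in found:
        print(f"[{sev}] {msg}")
    print("grade:", grade(found))
```

Run it against a real `.github/workflows/*.yml` by reading the file into `find_issues`; a line-oriented scan like this is deliberately crude (a YAML-aware parser or a policy language such as Rego handles nesting and multi-document files properly), but it makes the core idea visible: the pipeline definition itself is an input that deserves the same scrutiny as application code.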