Add installer script using binstaller (#419)

Copilot · web-flow · commit 0c0759e47c73 · 2025-12-02T15:36:40.000+01:00
* Add binstaller configuration and installer script deployment
diff --git a/.config/binstaller.yml b/.config/binstaller.yml
@@ -0,0 +1,23 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/binary-install/binstaller/main/schema/InstallSpec.json
+schema: v1
+name: pipeleek
+repo: CompassSecurity/pipeleek
+asset:
+  template: ${NAME}_${VERSION}_${OS}_${ARCH}
+  rules:
+    - when:
+        os: windows
+      ext: .exe
+supported_platforms:
+  - os: linux
+    arch: amd64
+  - os: linux
+    arch: arm64
+  - os: darwin
+    arch: amd64
+  - os: darwin
+    arch: arm64
+  - os: windows
+    arch: amd64
+  - os: windows
+    arch: arm64
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -40,6 +40,12 @@ jobs:
       - name: Generate Docs
         run: go run ./cmd/pipeleek docs --github-pages
 
+      - name: Install binstaller
+        run: go install github.com/binary-install/binstaller/cmd/binst@latest
+
+      - name: Generate Installer Script
+        run: binst gen --config .config/binstaller.yml -o cli-docs/site/install.sh
+
       - name: Setup Pages
         uses: actions/configure-pages@v5
 
diff --git a/README.md b/README.md
@@ -23,6 +23,18 @@ Once secrets are discovered, further exploitation often requires additional tool
 
 To begin using Pipeleek, download the latest binary from the [Releases](https://github.com/CompassSecurity/pipeleek/releases) page.
 
+### Quick Install (Linux/macOS)
+
+Install the latest version with a single command:
+
+```bash
+curl -sL https://compasssecurity.github.io/pipeleek/install.sh | sh
+```
+
+> **⚠️ Security Warning:** Piping scripts directly to `sh` can be dangerous. Always review the script contents first at [https://compasssecurity.github.io/pipeleek/install.sh](https://compasssecurity.github.io/pipeleek/install.sh) before executing.
+
+### Install with Go
+
 Alternatively, install using Go:
 
 ```bash
diff --git a/docs/introduction/getting_started.md b/docs/introduction/getting_started.md
@@ -10,24 +10,89 @@ keywords:
   - secrets scanning tutorial
 ---
 
+<style>
+  @keyframes slide {
+    0% { transform: translateX(0); }
+    100% { transform: translateX(-100%); }
+  }
+  .secret-stream {
+    display: flex;
+    gap: 30px;
+    animation: slide 20s linear infinite;
+    font-size: 2em;
+    margin: 20px 0;
+    min-width: 200%;
+  }
+  .stream-container {
+    overflow: hidden;
+    width: 100%;
+    display: flex;
+  }
+</style>
+
 <p align="center">
   <img style="max-height: 10rem" src="https://github.com/CompassSecurity/pipeleek/blob/main/docs/logo.png?raw=true" alt="Pipeleek Logo - CI/CD Pipeline Secrets Scanner">
 </p>
 
-# Why Pipeleek? {#why}
+<div class="stream-container">
+  <div class="secret-stream">
+    <span>💎</span>
+    <span>🗝️</span>
+    <span>🔐</span>
+    <span>💳</span>
+    <span>🎫</span>
+    <span>🪙</span>
+    <span>💰</span>
+    <span>🔑</span>
+    <span>💎</span>
+    <span>🗝️</span>
+    <span>🔐</span>
+    <span>💳</span>
+    <span>🎫</span>
+    <span>🪙</span>
+    <span>💰</span>
+    <span>🔑</span>
+    <span>💎</span>
+    <span>🗝️</span>
+    <span>🔐</span>
+    <span>💳</span>
+    <span>🎫</span>
+    <span>🪙</span>
+    <span>💰</span>
+    <span>🔑</span>
+    <span>💎</span>
+    <span>🗝️</span>
+    <span>🔐</span>
+    <span>💳</span>
+    <span>🎫</span>
+    <span>🪙</span>
+    <span>💰</span>
+    <span>🔑</span>
+  </div>
+</div>
+
+## Why Pipeleek? {#why}
 
 Scanning for credentials in CI/CD pipelines is interesting because secrets often end up in pipeline logs or build artifacts that traditional Git scanners won’t check.
 This means you can catch leaked secrets that are injected or generated at runtime, not just those committed to Git.
 
 Once secrets are discovered, further exploitation often requires additional tooling. Pipeleek provides several helper commands to assist with this process.
 
-# Getting Started
-
 ## Installation
 
+### Quick Install (Linux/macOS)
+
+Install the latest version with a single command:
+
+```bash
+curl -sL https://compasssecurity.github.io/pipeleek/install.sh | sh
+```
+
+> **⚠️ Security Warning:** Piping scripts directly to `sh` can be dangerous. Always review the script contents first at [https://compasssecurity.github.io/pipeleek/install.sh](https://compasssecurity.github.io/pipeleek/install.sh) before executing.
+
 ### Install with Go
 
-The recommended way to install Pipeleek is using Go:
+Alternatively, install using Go:
 
 ```bash
 go install github.com/CompassSecurity/pipeleek/cmd/pipeleek@latest
diff --git a/docs/methodology/elk.md b/docs/methodology/elk.md
@@ -9,7 +9,7 @@ keywords:
   - log analysis
 ---
 
-# ELK Integration for Pipeline Secrets Analysis
+## ELK Integration for Pipeline Secrets Analysis
 
 To easily analyze the results you can [redirect the pipeleek](https://github.com/deviantony/docker-elk?tab=readme-ov-file#injecting-data) output using `nc` into Logstash.
 
diff --git a/docs/methodology/gitlab.md b/docs/methodology/gitlab.md
@@ -13,7 +13,7 @@ keywords:
 
 Many companies use (self-hosted) GitLab instances to manage their source codes, often exposing sensitive data through CI/CD pipelines. In times when a lot of infrastructure is deployed as code (IaC) these configurations must be source-controlled as well, putting a lot of responsibility on the source code platform used.
 
-# Anonymous Access
+## Anonymous Access
 
 If you do not have credentials for the GitLab instance you might want to look at the public repositories and test if you can sign up for an account.
 
@@ -25,7 +25,7 @@ See if you can already identify potentially sensitive data e.g. credentials in s
 The next step would be to try to create an account. Head to `https://leakycompany.com/users/sign_up` and try to register a new account.
 Sometimes you can only create an account with an email address managed by the customer, some instances require the admins to accept the register request, and others completely disable it.
 
-# Authenticated Access
+## Authenticated Access
 
 Sweet now you have access to the GitLab instance with an account.
 The first thing to look out for: What projects do I have access to? Is it more than unauthenticated?
@@ -49,8 +49,6 @@ pipeleek gl vuln -g https://leakycompany.com -t glpat-[redacted]
 2024-11-14T14:29:05+01:00 info Fetching CVEs for this version version=17.5.1-ee
 ```
 
-# Misconfigurations And Mishandling
-
 ## Enumerating CI/CD Variables And Secure Files
 
 If you already have access to projects and groups you can try to enumerate CI/CD variables and use these for potential privilege escalation/lateral movement paths.
@@ -168,7 +166,7 @@ Review the findings manually and tweak the flags according to your needs.
 
 If you found any valid credentials, e.g. personal access tokens, cloud credentials, and so on, check if you can move laterally or escalate privileges.
 
-**An example of privilege escalation:**
+### An example of privilege escalation
 
 Pipeleek identified the following based64 encode secret in the environment variable `CI_REPO_TOKEN`:
 
