From 6f2497449d7b990f7a6395d0316cf9af13a499e0 Mon Sep 17 00:00:00 2001 From: Snehil Kishore Date: Fri, 25 Oct 2024 16:10:23 +0530 Subject: [PATCH] New Changes To RL Workflow --- .github/actions/rl-scanner/action.yml | 71 ++++++++++++++++++ .github/workflows/release.yml | 13 ++++ .github/workflows/rl-scanner.yml | 103 ++++++++++---------------- 3 files changed, 125 insertions(+), 62 deletions(-) create mode 100644 .github/actions/rl-scanner/action.yml diff --git a/.github/actions/rl-scanner/action.yml b/.github/actions/rl-scanner/action.yml new file mode 100644 index 0000000..b3df2d9 --- /dev/null +++ b/.github/actions/rl-scanner/action.yml @@ -0,0 +1,71 @@ +name: 'Reversing Labs Scanner' +description: 'Runs the Reversing Labs scanner on a specified artifact.' +inputs: + artifact-path: + description: 'Path to the artifact to be scanned.' + required: true + version: + description: 'Version of the artifact.' + required: true + +runs: + using: 'composite' + steps: + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + + - name: Install Python dependencies + shell: bash + run: | + pip install boto3 requests + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }} + aws-region: us-east-1 + mask-aws-account-id: true + + - name: Install RL Wrapper + shell: bash + run: | + pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" + + - name: Run RL Scanner + shell: bash + env: + RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }} + PYTHONUNBUFFERED: 1 + run: | + if [ ! -f "${{ inputs.artifact-path }}" ]; then + echo "Artifact not found: ${{ inputs.artifact-path }}" + exit 1 + fi + + rl-wrapper \ + --artifact "${{ inputs.artifact-path }}" \ + --name "${{ github.event.repository.name }}" \ + --version "${{ inputs.version }}" \ + --repository "${{ github.repository }}" \ + --commit "${{ github.sha }}" \ + --build-env "github_actions" \ + --suppress_output + + # Check the outcome of the scanner + if [ $? -ne 0 ]; then + echo "RL Scanner failed." + echo "scan-status=failed" >> $GITHUB_ENV + exit 1 + else + echo "RL Scanner passed." + echo "scan-status=success" >> $GITHUB_ENV + fi + +outputs: + scan-status: + description: 'The outcome of the scan process.' + value: ${{ env.scan-status }} \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 23d5a45..fce3ea6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,6 +12,19 @@ permissions: ### TODO: Also remove `get-prerelease`, `get-version`, `release-create`, `tag-create` and `tag-exists` actions from this repo's .github/actions folder once the repo is public. jobs: + rl-scanner: + uses: ./.github/workflows/rl-scanner.yml + with: + php-version: 8.1 + artifact-name: 'symfony-auth0.zip' + secrets: + RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} + RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} + SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + release: if: github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/') runs-on: ubuntu-latest diff --git a/.github/workflows/rl-scanner.yml b/.github/workflows/rl-scanner.yml index 991708f..82641b1 100644 --- a/.github/workflows/rl-scanner.yml +++ b/.github/workflows/rl-scanner.yml @@ -1,25 +1,37 @@ -name: RL-Secure -run-name: rl-scanner +name: RL-Secure Workflow on: - merge_group: - workflow_dispatch: - push: - branches: ["main"] - pull_request: - types: - - opened - - synchronize + workflow_call: + inputs: + php-version: + required: true + type: string + artifact-name: + required: true + type: string + secrets: + RLSECURE_LICENSE: + required: true + RLSECURE_SITE_KEY: + required: true + SIGNAL_HANDLER_TOKEN: + required: true + PRODSEC_TOOLS_USER: + required: true + PRODSEC_TOOLS_TOKEN: + required: true + PRODSEC_TOOLS_ARN: + required: true jobs: rl-scanner: - if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request') + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/')) runs-on: ubuntu-latest - - environment: security + outputs: + scan-status: ${{ steps.rl-scan-conclusion.outcome }} permissions: - pull-requests: write + php-version: write id-token: write # This is required for requesting the JWT steps: @@ -31,63 +43,30 @@ jobs: - name: Setup PHP uses: shivammathur/setup-php@4bd44f22a98a19e0950cbad5f31095157cc9621b # pin@2.25.4 with: - php-version: 8.1 + php-version: ${{ inputs.php-version }} - - name: Install dependencies + - name: Build Laravel shell: bash run: | - composer install --prefer-dist - - - name: List file contents - run: | - ls -la - - - name: Build PHP Package - shell: bash - run: | - zip -r symfony-package.zip src config examples composer.json README.md LICENSE.txt UPGRADING.md + zip -r ${{ inputs.artifact-name }} ./* - name: Get Artifact Version id: get_version - run: echo "::set-output name=version::$(cat .version)" - - - name: Output build artifact - id: output_build_artifact - run: | - echo "scanfile=$(ls symfony-package.zip)" >> $GITHUB_OUTPUT + uses: ./.github/actions/get-version - - name: Set up Python - uses: actions/setup-python@v4 + - name: Run RL Scanner + id: rl-scan-conclusion + uses: ./.github/actions/rl-scanner with: - python-version: "3.10" - - - name: Install Python dependencies - run: | - pip install --upgrade pip - pip install boto3 requests - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }} - aws-region: us-east-1 - mask-aws-account-id: true - - - name: Run Reversing Labs Wrapper Scanner + artifact-path: "$(pwd)/${{ inputs.artifact-name }}" + version: "${{ steps.get_version.outputs.version }}" env: RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} - WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" - PYTHONUNBUFFERED: 1 - run: | - pip install rl-wrapper --index-url "$WRAPPER_INDEX_URL" && \ - rl-wrapper \ - --artifact "${{ steps.output_build_artifact.outputs.scanfile }}" \ - --version "${{ steps.get_version.outputs.version }}" \ - --name "${{ github.event.repository.name }}" \ - --repository "${{ github.repository }}" \ - --commit "${{ github.sha }}" \ - --build-env "github_actions" \ - --suppress_output - continue-on-error: true \ No newline at end of file + PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} + PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} + PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} + + - name: Output scan result + run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV \ No newline at end of file