Add ReversingLabs Workflow (Don't Merge) #782
Changes from 31 commits
@@ -0,0 +1,78 @@ | ||
name: 'Reversing Labs Scanner' | ||
description: 'Runs the Reversing Labs scanner on a specified artifact.' | ||
inputs: | ||
artifact-path: | ||
description: 'Path to the artifact to be scanned.' | ||
required: true | ||
version: | ||
description: 'Version of the artifact.' | ||
required: true | ||
repository: | ||
description: 'GitHub repository name.' | ||
required: true | ||
commit: | ||
description: 'Git commit SHA.' | ||
required: true | ||
|
||
runs: | ||
using: 'composite' | ||
steps: | ||
- name: Set up Python | ||
uses: actions/setup-python@v4 | ||
with: | ||
python-version: '3.10' | ||
|
||
- name: Install Python dependencies | ||
shell: bash | ||
run: | | ||
pip install --upgrade pip | ||
pip install boto3 requests | ||
|
||
- name: Configure AWS credentials | ||
uses: aws-actions/configure-aws-credentials@v1 | ||
with: | ||
role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }} | ||
aws-region: us-east-1 | ||
mask-aws-account-id: true | ||
|
||
- name: Install RL Wrapper | ||
shell: bash | ||
run: | | ||
pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple" | ||
|
||
- name: Run RL Scanner | ||
shell: bash | ||
env: | ||
RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }} | ||
RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }} | ||
SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }} | ||
PYTHONUNBUFFERED: 1 | ||
run: | | ||
if [ ! -f "${{ inputs.artifact-path }}" ]; then | ||
echo "Artifact not found: ${{ inputs.artifact-path }}" | ||
exit 1 | ||
fi | ||
|
||
rl-wrapper \ | ||
--artifact "${{ inputs.artifact-path }}" \ | ||
--name "${{ github.event.repository.name }}" \ | ||
--version "${{ inputs.version }}" \ | ||
--repository "${{ inputs.repository }}" \ | ||
Rather than requiring this to be passed in via a param, would it make sense just to use the default Actions var GITHUB_REPOSITORY? Assuming this is a local action, so effectively it will only ever be publishing for auth0-react.
||
--commit "${{ inputs.commit }}" \ | ||
--build-env "github_actions" \ | ||
--suppress_output | ||
|
||
# Check the outcome of the scanner | ||
if [ $? -ne 0 ]; then | ||
echo "RL Scanner failed." | ||
echo "scan-status=failed" >> $GITHUB_ENV | ||
exit 1 | ||
else | ||
echo "RL Scanner passed." | ||
echo "scan-status=success" >> $GITHUB_ENV | ||
fi | ||
|
||
outputs: | ||
scan-status: | ||
description: 'The outcome of the scan process.' | ||
value: ${{ env.scan-status }} |
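Review bot: the `Install RL Wrapper` step has a shell bug: `pip install rl-wrapper>=1.0.0 ...` is unquoted, so bash treats `>=1.0.0` as a redirection of stdout to a file named `=1.0.0` and pip is asked to install plain `rl-wrapper` with no version constraint; quote the specifier, `pip install 'rl-wrapper>=1.0.0' --index-url ...`. In the `Run RL Scanner` step the `if [ $? -ne 0 ]` check after `rl-wrapper` is unreachable on failure: `shell: bash` in Actions runs the script with `-e`, so a non-zero exit from `rl-wrapper` aborts the step before the check and `scan-status=failed` is never written; use `if ! rl-wrapper ...; then` (or `rl-wrapper ... || rc=$?`) so the failure branch actually runs. Two smaller points: the inputs `artifact-path`, `version`, `repository` and `commit` are interpolated with `${{ }}` straight into the `run:` script, so their values become shell source rather than data; pass them through `env:` and reference `$ARTIFACT_PATH` etc. in the script. And the Artifactory credentials are embedded in the `--index-url` string, where pip can echo them in error output; setting `PIP_INDEX_URL` via `env:` keeps them off the command line (secret masking still applies, but only to values that reach the log verbatim).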
@@ -5,7 +5,9 @@ on: | |
types: | ||
- closed | ||
workflow_dispatch: | ||
|
||
push: | ||
branches: | ||
- 'Add-ReversingLabs-Scanner' | ||
permissions: | ||
contents: write | ||
id-token: write # For publishing to npm using --provenance | ||
|
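Review bot: the added `push:` trigger on the `Add-ReversingLabs-Scanner` branch is a test hook and has to come out before this merges (the PR title already says don't merge): this workflow keeps `contents: write` and `id-token: write` and calls `npm-release.yml` with `NPM_TOKEN`, so any push to a branch of that name would run the scan and the publish path with publishing credentials and an OIDC token minted for the AWS role, not only the closed-pull-request and manual-dispatch paths. If a branch trigger is wanted for testing, gate the `release` job with `if: github.event_name != 'push'` while it is in place.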
@@ -15,11 +17,24 @@ permissions: | |
### TODO: Also remove `npm-release` workflow from this repo's .github/workflows folder once the repo is public. | ||
|
||
jobs: | ||
rl-scanner: | ||
uses: ./.github/workflows/rl-secure.yml | ||
with: | ||
node-version: 18 | ||
Don't think the scanner uses Node at all, does it? Doesn't look like that action needs to do any building of the React SDK at all, just points the scanner to the artifact?
We are just passing node-version for npm build.
||
artifact-name: 'auth0-react.tgz' | ||
secrets: | ||
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} | ||
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} | ||
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} | ||
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} | ||
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} | ||
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} | ||
release: | ||
uses: ./.github/workflows/npm-release.yml | ||
needs: rl-scanner | ||
with: | ||
node-version: 18 | ||
require-build: true | ||
secrets: | ||
npm-token: ${{ secrets.NPM_TOKEN }} | ||
github-token: ${{ secrets.GITHUB_TOKEN }} | ||
github-token: ${{ secrets.GITHUB_TOKEN }} |
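Review bot: the `release` job is gated only by `needs: rl-scanner`, so the scan blocks publishing exactly when the scanner job fails; the `scan-status` output that `rl-secure.yml` defines is never read here. That is fine as long as the scanner step exits non-zero on findings, but if the output is meant to carry the verdict, make the gate explicit with `if: needs.rl-scanner.outputs.scan-status == 'success'` on `release`. Also, `github-token: ${{ secrets.GITHUB_TOKEN }}` appears twice at the end of the hunk; if both lines are in the new file this is a duplicate key under `secrets:` and should be a single entry. The TODO about removing the `npm-release` workflow once the repo is public is better tracked in an issue than left in the workflow YAML.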
@@ -0,0 +1,68 @@ | ||
name: RL-Secure Workflow | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
node-version: | ||
required: true | ||
type: string | ||
artifact-name: | ||
required: true | ||
type: string | ||
secrets: | ||
RLSECURE_LICENSE: | ||
required: true | ||
RLSECURE_SITE_KEY: | ||
required: true | ||
SIGNAL_HANDLER_TOKEN: | ||
required: true | ||
PRODSEC_TOOLS_USER: | ||
required: true | ||
PRODSEC_TOOLS_TOKEN: | ||
required: true | ||
PRODSEC_TOOLS_ARN: | ||
required: true | ||
|
||
jobs: | ||
rl-scanner: | ||
name: Run Reversing Labs Scanner | ||
runs-on: ubuntu-latest | ||
outputs: | ||
scan-status: ${{ steps.rl-scan-conclusion.outcome }} | ||
|
||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v4 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Build package | ||
uses: ./.github/actions/build | ||
with: | ||
node: ${{ inputs.node-version }} | ||
|
||
- name: Create tgz build artifact | ||
run: | | ||
tar -czvf ${{ inputs.artifact-name }} * | ||
|
||
- id: get_version | ||
uses: ./.github/actions/get-version | ||
|
||
- name: Run RL Scanner | ||
id: rl-scan-conclusion | ||
uses: ./.github/actions/rl-scanner | ||
with: | ||
artifact-path: "$(pwd)/${{ inputs.artifact-name }}" | ||
version: "${{ steps.get_version.outputs.version }}" | ||
repository: "${{ github.repository }}" | ||
commit: "${{ github.sha }}" | ||
env: | ||
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }} | ||
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }} | ||
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }} | ||
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }} | ||
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }} | ||
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }} | ||
|
||
- name: Output scan result | ||
run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV |
This should not be necessary, considering you just ran the install with the Python actions. You'll see your workflow also indicates,
So I'd suggest to remove this.
Sure! Will remove this.