Skip to content

Commit

Permalink
New Changes To RL Workflow
Browse files Browse the repository at this point in the history
  • Loading branch information
kishore7snehil committed Oct 25, 2024
1 parent 49209c0 commit 8c006bf
Show file tree
Hide file tree
Showing 3 changed files with 119 additions and 51 deletions.
71 changes: 71 additions & 0 deletions .github/actions/rl-scanner/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
name: 'Reversing Labs Scanner'
description: 'Runs the Reversing Labs scanner on a specified artifact.'
inputs:
artifact-path:
description: 'Path to the artifact to be scanned.'
required: true
version:
description: 'Version of the artifact.'
required: true

runs:
using: 'composite'
steps:
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.10'

- name: Install Python dependencies
shell: bash
run: |
pip install boto3 requests
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
aws-region: us-east-1
mask-aws-account-id: true

- name: Install RL Wrapper
shell: bash
run: |
pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
- name: Run RL Scanner
shell: bash
env:
RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
PYTHONUNBUFFERED: 1
run: |
if [ ! -f "${{ inputs.artifact-path }}" ]; then
echo "Artifact not found: ${{ inputs.artifact-path }}"
exit 1
fi
rl-wrapper \
--artifact "${{ inputs.artifact-path }}" \
--name "${{ github.event.repository.name }}" \
--version "${{ inputs.version }}" \
--repository "${{ github.repository }}" \
--commit "${{ github.sha }}" \
--build-env "github_actions" \
--suppress_output
# Check the outcome of the scanner
if [ $? -ne 0 ]; then
echo "RL Scanner failed."
echo "scan-status=failed" >> $GITHUB_ENV
exit 1
else
echo "RL Scanner passed."
echo "scan-status=success" >> $GITHUB_ENV
fi
outputs:
scan-status:
description: 'The outcome of the scan process.'
value: ${{ env.scan-status }}
12 changes: 12 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,18 @@ permissions:
### TODO: Also remove `get-prerelease`, `get-version`, `rubygems-publish`, `release-create`, `tag-create` and `tag-exists` actions from this repo's .github/actions folder and `ruby-release` from `./github/workflows` once the repo is public.

jobs:
rl-scanner:
uses: ./.github/workflows/rl-scanner.yml
with:
ruby-version: 3.2
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

release:
uses: ./.github/workflows/ruby-release.yml
with:
Expand Down
87 changes: 36 additions & 51 deletions .github/workflows/rl-scanner.yml
Original file line number Diff line number Diff line change
@@ -1,26 +1,35 @@
name: RL-Secure
run-name: rl-scanner
name: RL-Secure Workflow

on:
merge_group:
workflow_dispatch:
push:
branches: ["master"]
pull_request:
types:
- opened
- synchronize
workflow_call:
inputs:
ruby-version:
required: true
type: string
secrets:
RLSECURE_LICENSE:
required: true
RLSECURE_SITE_KEY:
required: true
SIGNAL_HANDLER_TOKEN:
required: true
PRODSEC_TOOLS_USER:
required: true
PRODSEC_TOOLS_TOKEN:
required: true
PRODSEC_TOOLS_ARN:
required: true

jobs:
rl-scanner:
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request')
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
runs-on: ubuntu-latest

environment: security
outputs:
scan-status: ${{ steps.rl-scan-conclusion.outcome }}

permissions:
pull-requests: write
id-token: write # This is required for requesting the JW
id-token: write # This is required for requesting the JWT

steps:
- name: Checkout code
Expand All @@ -29,7 +38,7 @@ jobs:
- name: Configure Ruby
uses: ./.github/actions/setup
with:
ruby-version: 3.2
ruby-version: ${{ inputs.ruby-version }}

- name: Build RubyGems
shell: bash
Expand All @@ -38,45 +47,21 @@ jobs:
- name: Get Artifact Version
id: get_version
run: echo "::set-output name=version::$(cat .version)"

- name: Output build artifact
id: output_build_artifact
run: |
echo "scanfile=$(ls *.gem)" >> $GITHUB_OUTPUT
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: "3.10"
uses: ./.github/actions/get-version

- name: Install Python dependencies
run: |
pip install --upgrade pip
pip install boto3 requests
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
- name: Run RL Scanner
id: rl-scan-conclusion
uses: ./.github/actions/rl-scanner
with:
role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }}
aws-region: us-east-1
mask-aws-account-id: true

- name: Run Reversing Labs Wrapper Scanner
artifact-path: "$(pwd)/*.gem"
version: "${{ steps.get_version.outputs.version }}"
env:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
PYTHONUNBUFFERED: 1
run: |
pip install rl-wrapper --index-url "$WRAPPER_INDEX_URL" && \
rl-wrapper \
--artifact "${{ steps.output_build_artifact.outputs.scanfile }}" \
--version "${{ steps.get_version.outputs.version }}" \
--name "${{ github.event.repository.name }}" \
--repository "${{ github.repository }}" \
--commit "${{ github.sha }}" \
--build-env "github_actions" \
--suppress_output
continue-on-error: true
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

- name: Output scan result
run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV

0 comments on commit 8c006bf

Please sign in to comment.