Skip to content

Commit 876d745

Browse files
tanya732tanya732
authored
Add reversing lab scanner (#695)
1 parent e494378 commit 876d745

File tree

3 files changed

+153
-0
lines changed

3 files changed

+153
-0
lines changed

.github/actions/rl-scanner/action.yml

Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
name: 'Reversing Labs Scanner'
2+
description: 'Runs the Reversing Labs scanner on a specified artifact.'
3+
inputs:
4+
artifact-path:
5+
description: 'Path to the artifact to be scanned.'
6+
required: true
7+
version:
8+
description: 'Version of the artifact.'
9+
required: true
10+
11+
runs:
12+
using: 'composite'
13+
steps:
14+
- name: Set up Python
15+
uses: actions/setup-python@v4
16+
with:
17+
python-version: '3.10'
18+
19+
- name: Install Python dependencies
20+
shell: bash
21+
run: |
22+
pip install boto3 requests
23+
- name: Configure AWS credentials
24+
uses: aws-actions/configure-aws-credentials@v1
25+
with:
26+
role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
27+
aws-region: us-east-1
28+
mask-aws-account-id: true
29+
30+
- name: Install RL Wrapper
31+
shell: bash
32+
run: |
33+
pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
34+
- name: Run RL Scanner
35+
shell: bash
36+
env:
37+
RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
38+
RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
39+
SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
40+
PYTHONUNBUFFERED: 1
41+
run: |
42+
if [ ! -f "${{ inputs.artifact-path }}" ]; then
43+
echo "Artifact not found: ${{ inputs.artifact-path }}"
44+
exit 1
45+
fi
46+
rl-wrapper \
47+
--artifact "${{ inputs.artifact-path }}" \
48+
--name "${{ github.event.repository.name }}" \
49+
--version "${{ inputs.version }}" \
50+
--repository "${{ github.repository }}" \
51+
--commit "${{ github.sha }}" \
52+
--build-env "github_actions" \
53+
--suppress_output
54+
# Check the outcome of the scanner
55+
if [ $? -ne 0 ]; then
56+
echo "RL Scanner failed."
57+
echo "scan-status=failed" >> $GITHUB_ENV
58+
exit 1
59+
else
60+
echo "RL Scanner passed."
61+
echo "scan-status=success" >> $GITHUB_ENV
62+
fi
63+
outputs:
64+
scan-status:
65+
description: 'The outcome of the scan process.'
66+
value: ${{ env.scan-status }}

.github/workflows/release.yml

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,14 +8,28 @@ on:
88

99
permissions:
1010
contents: write
11+
id-token: write # This is required for requesting the JWT
1112

1213
### TODO: Replace instances of './.github/workflows/' w/ `auth0/dx-sdk-actions/workflows/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
1314
### TODO: Also remove `get-prerelease`, `get-release-notes`, `get-version`, `maven-publish`, `release-create`, and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
1415
### TODO: Also remove `java-release` workflow from this repo's .github/workflows folder once the repo is public.
1516

1617
jobs:
18+
rl-scanner:
19+
uses: ./.github/workflows/rl-secure.yml
20+
with:
21+
java-version: 11
22+
artifact-name: 'java-jwt.tgz'
23+
secrets:
24+
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
25+
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
26+
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
27+
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
28+
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
29+
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
1730
release:
1831
uses: ./.github/workflows/java-release.yml
32+
needs: rl-scanner
1933
with:
2034
java-version: 11.0.21-tem
2135
is-android: false

.github/workflows/rl-secure.yml

Lines changed: 73 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,73 @@
1+
name: RL-Secure Workflow
2+
3+
on:
4+
workflow_call:
5+
inputs:
6+
java-version:
7+
required: true
8+
type: string
9+
artifact-name:
10+
required: true
11+
type: string
12+
secrets:
13+
RLSECURE_LICENSE:
14+
required: true
15+
RLSECURE_SITE_KEY:
16+
required: true
17+
SIGNAL_HANDLER_TOKEN:
18+
required: true
19+
PRODSEC_TOOLS_USER:
20+
required: true
21+
PRODSEC_TOOLS_TOKEN:
22+
required: true
23+
PRODSEC_TOOLS_ARN:
24+
required: true
25+
26+
jobs:
27+
checkout-build-scan-only:
28+
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
29+
runs-on: ubuntu-latest
30+
outputs:
31+
scan-status: ${{ steps.rl-scan-conclusion.outcome }}
32+
33+
steps:
34+
- name: Checkout code
35+
uses: actions/checkout@v4
36+
with:
37+
fetch-depth: 0
38+
39+
- name: Set up Java
40+
uses: actions/setup-java@v4
41+
with:
42+
distribution: temurin
43+
java-version: ${{ inputs.java-version }}
44+
45+
- name: Build with Gradle
46+
uses: gradle/gradle-build-action@a4cf152f482c7ca97ef56ead29bf08bcd953284c
47+
with:
48+
arguments: assemble apiDiff check jacocoTestReport --continue --console=plain
49+
50+
- name: Get Artifact Version
51+
id: get_version
52+
uses: ./.github/actions/get-version
53+
54+
- name: Create tgz build artifact
55+
run: |
56+
tar -czvf ${{ inputs.artifact-name }} *
57+
58+
- name: Run RL Scanner
59+
id: rl-scan-conclusion
60+
uses: ./.github/actions/rl-scanner
61+
with:
62+
artifact-path: "$(pwd)/${{ inputs.artifact-name }}"
63+
version: "${{ steps.get_version.outputs.version }}"
64+
env:
65+
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
66+
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
67+
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
68+
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
69+
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
70+
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
71+
72+
- name: Output scan result
73+
run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV

0 commit comments

Comments
 (0)