Skip to content

Security

Security #407

Workflow file for this run

name: Security
on:
workflow_run:
workflows: ["Pre-Analysis"]
types:
- completed
permissions:
actions: read
pull-requests: write
jobs:
antivirus:
runs-on: ubuntu-latest
timeout-minutes: 10
if: >
github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success'
steps:
- name: 'Download pre analysis artifacts'
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const fs = require('fs');
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.payload.workflow_run.id,
});
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
return artifact.name == "pr-artifacts"
})[0];
let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr-artifacts.zip`, Buffer.from(download.data));
- name: 'Unzip artifacts'
run: unzip pr-artifacts.zip
- name: 'Verify bundles.json file and URL format'
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const fs = require('fs')
const validateUrl = function (str) {
let urlRegex = /^(https):\/\/[^\s/$.?#].[^\s]*$/i;
let url = new RegExp(urlRegex);
if (!url.test(str)) {
throw new Error(`Invalid url : ${str}`)
}
}
let rawBundles = fs.readFileSync('bundles.json')
let bundles = JSON.parse(rawBundles)
for (let bundle of bundles) {
validateUrl(bundle)
}
- name: 'Verify bundles.json size'
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
PR_NUMBER: ${{ env.pr_number }}
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
const fs = require('fs')
const { PR_NUMBER } = process.env
const BUNDLES_MAX_SIZE = 20
let rawBundles = fs.readFileSync('bundles.json')
let bundles = JSON.parse(rawBundles)
if (bundles.length > BUNDLES_MAX_SIZE) {
let message = `Less than ${BUNDLES_MAX_SIZE} VirusTotal analysis per merge request allowed! `
+ `Please, reduce number of bundles (${bundles.length}/${BUNDLES_MAX_SIZE}) by opening multiple merge requests.`
+ `If no bundles binaries are added or modified, you can ignore this message.`
github.rest.issues.createComment({
issue_number: PR_NUMBER,
owner: context.repo.owner,
repo: context.repo.repo,
body: `:shield: **Virus Total Analysis Report**
${message}`
})
console.log(message)
throw new Error(message)
} else {
console.log(`Allowed bundles : ${bundles.length} / ${BUNDLES_MAX_SIZE}`)
}
- name: Retrieve bundles url
id: bundles-url
run: |
BUNDLES_JSON=$(cat bundles.json)
echo "$BUNDLES"
echo "bundles_json=$BUNDLES_JSON" >> $GITHUB_ENV
- name: Retrieve PR number
id: pr-number
run: |
PR_NUMBER=$(cat pr-number)
echo "$PR_NUMBER"
echo "pr_number=$PR_NUMBER" >> $GITHUB_ENV
- name: "Download bundles files"
id: bundles-download
run: |
readarray -t bundles <<<"$(jq -r '.[]' <<<'${{ env.bundles_json }}')"
path=()
mkdir /tmp/bundles
for bundle in ${bundles[@]}; do
echo "Retrieving bundles ${bundle}."
wget --user-agent github/owlplug-workflow --directory-prefix /tmp/bundles ${bundle}
done
files=(/tmp/bundles/*)
FILES_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${files[@]}")
echo "files_json=$FILES_JSON" >> $GITHUB_ENV
- name: VirusTotal Scan
id: vt-scan
uses: crazy-max/ghaction-virustotal@93ce6fb8ca09fed3d3d2010a8be65552ae5d3854 # v4.1.0
with:
vt_api_key: ${{ secrets.VT_API_KEY }}
request_rate: 4
files: "${{join(fromJSON(env.files_json),'\n')}}"
- name: Publish AV report
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
VT_OUTPUT: ${{ steps.vt-scan.outputs.analysis }}
PR_NUMBER: ${{ env.pr_number }}
with:
github-token: ${{secrets.GITHUB_TOKEN}}
script: |
const { VT_OUTPUT, PR_NUMBER } = process.env
// Abort script if VT_OUTPUT is empty, null or undefined
if (!VT_OUTPUT) {
return;
}
let markdown = ""
let files = VT_OUTPUT.split(",")
for (let file of files) {
markdown += "* " + file.replace("=https://", ": https://") + "\n";
}
github.rest.issues.createComment({
issue_number: PR_NUMBER,
owner: context.repo.owner,
repo: context.repo.repo,
body: `:shield: **Virus Total Analysis Report**
${markdown}`
})