Security #407
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security | |
on: | |
workflow_run: | |
workflows: ["Pre-Analysis"] | |
types: | |
- completed | |
permissions: | |
actions: read | |
pull-requests: write | |
jobs: | |
antivirus: | |
runs-on: ubuntu-latest | |
timeout-minutes: 10 | |
if: > | |
github.event.workflow_run.event == 'pull_request' && | |
github.event.workflow_run.conclusion == 'success' | |
steps: | |
- name: 'Download pre analysis artifacts' | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
const fs = require('fs'); | |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
run_id: context.payload.workflow_run.id, | |
}); | |
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { | |
return artifact.name == "pr-artifacts" | |
})[0]; | |
let download = await github.rest.actions.downloadArtifact({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
artifact_id: matchArtifact.id, | |
archive_format: 'zip', | |
}); | |
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr-artifacts.zip`, Buffer.from(download.data)); | |
- name: 'Unzip artifacts' | |
run: unzip pr-artifacts.zip | |
- name: 'Verify bundles.json file and URL format' | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
const fs = require('fs') | |
const validateUrl = function (str) { | |
let urlRegex = /^(https):\/\/[^\s/$.?#].[^\s]*$/i; | |
let url = new RegExp(urlRegex); | |
if (!url.test(str)) { | |
throw new Error(`Invalid url : ${str}`) | |
} | |
} | |
let rawBundles = fs.readFileSync('bundles.json') | |
let bundles = JSON.parse(rawBundles) | |
for (let bundle of bundles) { | |
validateUrl(bundle) | |
} | |
- name: 'Verify bundles.json size' | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
env: | |
PR_NUMBER: ${{ env.pr_number }} | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
script: | | |
const fs = require('fs') | |
const { PR_NUMBER } = process.env | |
const BUNDLES_MAX_SIZE = 20 | |
let rawBundles = fs.readFileSync('bundles.json') | |
let bundles = JSON.parse(rawBundles) | |
if (bundles.length > BUNDLES_MAX_SIZE) { | |
let message = `Less than ${BUNDLES_MAX_SIZE} VirusTotal analysis per merge request allowed! ` | |
+ `Please, reduce number of bundles (${bundles.length}/${BUNDLES_MAX_SIZE}) by opening multiple merge requests.` | |
+ `If no bundles binaries are added or modified, you can ignore this message.` | |
github.rest.issues.createComment({ | |
issue_number: PR_NUMBER, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: `:shield: **Virus Total Analysis Report** | |
${message}` | |
}) | |
console.log(message) | |
throw new Error(message) | |
} else { | |
console.log(`Allowed bundles : ${bundles.length} / ${BUNDLES_MAX_SIZE}`) | |
} | |
- name: Retrieve bundles url | |
id: bundles-url | |
run: | | |
BUNDLES_JSON=$(cat bundles.json) | |
echo "$BUNDLES" | |
echo "bundles_json=$BUNDLES_JSON" >> $GITHUB_ENV | |
- name: Retrieve PR number | |
id: pr-number | |
run: | | |
PR_NUMBER=$(cat pr-number) | |
echo "$PR_NUMBER" | |
echo "pr_number=$PR_NUMBER" >> $GITHUB_ENV | |
- name: "Download bundles files" | |
id: bundles-download | |
run: | | |
readarray -t bundles <<<"$(jq -r '.[]' <<<'${{ env.bundles_json }}')" | |
path=() | |
mkdir /tmp/bundles | |
for bundle in ${bundles[@]}; do | |
echo "Retrieving bundles ${bundle}." | |
wget --user-agent github/owlplug-workflow --directory-prefix /tmp/bundles ${bundle} | |
done | |
files=(/tmp/bundles/*) | |
FILES_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${files[@]}") | |
echo "files_json=$FILES_JSON" >> $GITHUB_ENV | |
- name: VirusTotal Scan | |
id: vt-scan | |
uses: crazy-max/ghaction-virustotal@93ce6fb8ca09fed3d3d2010a8be65552ae5d3854 # v4.1.0 | |
with: | |
vt_api_key: ${{ secrets.VT_API_KEY }} | |
request_rate: 4 | |
files: "${{join(fromJSON(env.files_json),'\n')}}" | |
- name: Publish AV report | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
env: | |
VT_OUTPUT: ${{ steps.vt-scan.outputs.analysis }} | |
PR_NUMBER: ${{ env.pr_number }} | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
script: | | |
const { VT_OUTPUT, PR_NUMBER } = process.env | |
// Abort script if VT_OUTPUT is empty, null or undefined | |
if (!VT_OUTPUT) { | |
return; | |
} | |
let markdown = "" | |
let files = VT_OUTPUT.split(",") | |
for (let file of files) { | |
markdown += "* " + file.replace("=https://", ": https://") + "\n"; | |
} | |
github.rest.issues.createComment({ | |
issue_number: PR_NUMBER, | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
body: `:shield: **Virus Total Analysis Report** | |
${markdown}` | |
}) |