Skip to content

Commit

Permalink
Integrate rl-scanner (#335)
Browse files Browse the repository at this point in the history
  • Loading branch information
kailash-b authored Oct 30, 2024
2 parents 8e7618f + e1d7a1a commit 55be6ab
Show file tree
Hide file tree
Showing 3 changed files with 285 additions and 11 deletions.
71 changes: 71 additions & 0 deletions .github/actions/rl-scanner/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
name: 'Reversing Labs Scanner'
description: 'Runs the Reversing Labs scanner on a specified artifact.'
inputs:
artifact-path:
description: 'Path to the artifact to be scanned.'
required: true
version:
description: 'Version of the artifact.'
required: true

runs:
using: 'composite'
steps:
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.10'

- name: Install Python dependencies
shell: bash
run: |
pip install boto3 requests
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ env.PRODSEC_TOOLS_ARN }}
aws-region: us-east-1
mask-aws-account-id: true

- name: Install RL Wrapper
shell: bash
run: |
pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
- name: Run RL Scanner
shell: bash
env:
RLSECURE_LICENSE: ${{ env.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ env.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ env.SIGNAL_HANDLER_TOKEN }}
PYTHONUNBUFFERED: 1
run: |
if [ ! -f "${{ inputs.artifact-path }}" ]; then
echo "Artifact not found: ${{ inputs.artifact-path }}"
exit 1
fi
rl-wrapper \
--artifact "${{ inputs.artifact-path }}" \
--name "${{ github.event.repository.name }}" \
--version "${{ inputs.version }}" \
--repository "${{ github.repository }}" \
--commit "${{ github.sha }}" \
--build-env "github_actions" \
--suppress_output
# Check the outcome of the scanner
if [ $? -ne 0 ]; then
echo "RL Scanner failed."
echo "scan-status=failed" >> $GITHUB_ENV
exit 1
else
echo "RL Scanner passed."
echo "scan-status=success" >> $GITHUB_ENV
fi
outputs:
scan-status:
description: 'The outcome of the scan process.'
value: ${{ env.scan-status }}
142 changes: 131 additions & 11 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,20 +6,20 @@ on:
- closed
workflow_dispatch:


permissions:
contents: write
id-token: write

### TODO: Replace instances of './.github/workflows/' w/ `auth0/dx-sdk-actions/workflows` and append `@latest` after the common `dx-sdk-actions` repo is made public.
### TODO: Also remove `get-prerelease`, `get-release-notes`, `get-version`, `release-create`, and `tag-exists` actions from this repo's .github/actions folder once the repo is public.

jobs:

build:
name: Build
runs-on: windows-latest
environment: 'release'
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))

steps:
- name: Checkout code
uses: actions/checkout@v4
Expand Down Expand Up @@ -57,10 +57,130 @@ jobs:
retention-days: 1
compression-level: 9

rl-scanner-android:
needs: build
uses: ./.github/workflows/rl-secure.yml
with:
nuspec-file: "nuget/Auth0.OidcClient.Android.nuspec"
artifact-name: "Auth0.OidcClient.Android.tgz"
project-path: "src/Auth0.OidcClient.Android"
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

rl-scanner-androidx:
needs: build
uses: ./.github/workflows/rl-secure.yml
with:
nuspec-file: "nuget/Auth0.OidcClient.AndroidX.nuspec"
artifact-name: "Auth0.OidcClient.AndroidX.tgz"
project-path: "src/Auth0.OidcClient.AndroidX"
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

rl-scanner-iOS:
needs: build
uses: ./.github/workflows/rl-secure.yml
with:
nuspec-file: "nuget/Auth0.OidcClient.iOS.nuspec"
artifact-name: "Auth0.OidcClient.iOS.tgz"
project-path: "src/Auth0.OidcClient.iOS"
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

rl-scanner-core:
needs: build
uses: ./.github/workflows/rl-secure.yml
with:
nuspec-file: "nuget/Auth0.OidcClient.Core.nuspec"
artifact-name: "Auth0.OidcClient.Core.tgz"
project-path: "src/Auth0.OidcClient.Core"
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

rl-scanner-wpf:
needs: build
uses: ./.github/workflows/rl-secure.yml
with:
nuspec-file: "nuget/Auth0.OidcClient.WPF.nuspec"
artifact-name: "Auth0.OidcClient.WPF.tgz"
project-path: "src/Auth0.OidcClient.WPF"
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

rl-scanner-winforms:
needs: build
uses: ./.github/workflows/rl-secure.yml
with:
nuspec-file: "nuget/Auth0.OidcClient.WinForms.nuspec"
artifact-name: "Auth0.OidcClient.WinForms.tgz"
project-path: "src/Auth0.OidcClient.WinForms"
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

rl-scanner-uwp:
needs: build
uses: ./.github/workflows/rl-secure.yml
with:
nuspec-file: "nuget/Auth0.OidcClient.UWP.nuspec"
artifact-name: "Auth0.OidcClient.UWP.tgz"
project-path: "src/Auth0.OidcClient.UWP"
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

rl-scanner-maui:
needs: build
uses: ./.github/workflows/rl-secure.yml
with:
nuspec-file: "nuget/Auth0.OidcClient.MAUI.nuspec"
artifact-name: "Auth0.OidcClient.MAUI.tgz"
project-path: "src/Auth0.OidcClient.MAUI"
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

android:
name: Android
uses: ./.github/workflows/nuget-release.yml
needs: build
needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
with:
tag-prefix: 'android-'
project-path: "src/Auth0.OidcClient.Android"
Expand All @@ -72,7 +192,7 @@ jobs:
androidx:
name: AndroidX
uses: ./.github/workflows/nuget-release.yml
needs: build
needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
with:
tag-prefix: 'androidx-'
project-path: "src/Auth0.OidcClient.AndroidX"
Expand All @@ -84,7 +204,7 @@ jobs:
ios:
name: iOS
uses: ./.github/workflows/nuget-release.yml
needs: build
needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
with:
tag-prefix: 'ios-'
project-path: "src/Auth0.OidcClient.iOS"
Expand All @@ -96,7 +216,7 @@ jobs:
core:
name: Core
uses: ./.github/workflows/nuget-release.yml
needs: build
needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
with:
tag-prefix: 'core-'
project-path: "src/Auth0.OidcClient.Core"
Expand All @@ -108,7 +228,7 @@ jobs:
wpf:
name: WPF
uses: ./.github/workflows/nuget-release.yml
needs: build
needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
with:
tag-prefix: 'wpf-'
project-path: "src/Auth0.OidcClient.WPF"
Expand All @@ -120,7 +240,7 @@ jobs:
winforms:
name: WinForms
uses: ./.github/workflows/nuget-release.yml
needs: build
needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
with:
tag-prefix: 'winforms-'
project-path: "src/Auth0.OidcClient.WinForms"
Expand All @@ -132,7 +252,7 @@ jobs:
uwp:
name: UWP
uses: ./.github/workflows/nuget-release.yml
needs: build
needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
with:
tag-prefix: 'uwp-'
project-path: "src/Auth0.OidcClient.UWP"
Expand All @@ -144,7 +264,7 @@ jobs:
maui:
name: MAUI
uses: ./.github/workflows/nuget-release.yml
needs: build
needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]
with:
tag-prefix: 'maui-'
project-path: "src/Auth0.OidcClient.MAUI"
Expand All @@ -158,7 +278,7 @@ jobs:
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
runs-on: windows-latest
environment: release
needs: build
needs: [rl-scanner-android,rl-scanner-androidx,rl-scanner-iOS,rl-scanner-core,rl-scanner-wpf,rl-scanner-winforms,rl-scanner-uwp,rl-scanner-maui]

steps:
- name: Checkout code
Expand Down
83 changes: 83 additions & 0 deletions .github/workflows/rl-secure.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
name: RL-Secure Workflow
run-name: rl-scanner

on:
workflow_call:
inputs:
nuspec-file:
type: string
required: true
artifact-name:
type: string
required: true
project-path:
type: string
required: true
secrets:
RLSECURE_LICENSE:
required: true
RLSECURE_SITE_KEY:
required: true
SIGNAL_HANDLER_TOKEN:
required: true
PRODSEC_TOOLS_USER:
required: true
PRODSEC_TOOLS_TOKEN:
required: true
PRODSEC_TOOLS_ARN:
required: true

jobs:
rl-scanner:
name: Run Reversing Labs scanner
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
runs-on: ubuntu-latest
outputs:
scan-status: ${{ steps.rl-scan-conclusion.outcome }}

steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Setup .NET
uses: actions/setup-dotnet@v3
with:
dotnet-version: 6.0.x

- uses: actions/download-artifact@v4
with:
path: './src'
name: build

- name: Create NuGet packages
shell: pwsh
run: |
nuget pack ${{ inputs.nuspec-file }} -OutputDirectory ${{ github.workspace }}/nuget
- name: Create tgz build artifact
run: |
tar -czvf ${{ github.workspace }}/${{ inputs.artifact-name }} ${{ github.workspace }}/nuget
- id: get_version
uses: ./.github/actions/get-version
with:
working-directory: ${{ inputs.project-path }}

- name: Run RL Scanner
id: rl-scan-conclusion
uses: ./.github/actions/rl-scanner
with:
artifact-path: ${{ github.workspace }}/${{ inputs.artifact-name }}
version: "${{ steps.get_version.outputs.version }}"
env:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}

- name: Output scan result
run: echo "scan-status=${{ steps.rl-scan-conclusion.outcome }}" >> $GITHUB_ENV

0 comments on commit 55be6ab

Please sign in to comment.