Skip to content

Update(sandbox): Add Netcat/Socat Remote Code Execution on Host rule #537

Update(sandbox): Add Netcat/Socat Remote Code Execution on Host rule

Update(sandbox): Add Netcat/Socat Remote Code Execution on Host rule #537

Workflow file for this run

name: Rules
on:
pull_request:
branches:
- main
- release/*
push:
branches:
- main
jobs:
# retrieves the changed rules files and the Falco versions to be used
get-values:
runs-on: ubuntu-latest
outputs:
changed-files: ${{ steps.set-changed-files.outputs.changed-files }}
falco-versions: ${{ steps.set-falco-versions.outputs.versions }}
steps:
- name: Checkout rules
uses: actions/checkout@v4
- name: Get changed files
id: changed-files
if: github.event_name == 'pull_request'
uses: Ana06/[email protected]
with:
format: space-delimited
token: ${{ secrets.GITHUB_TOKEN }}
- name: Find changed rules files
id: set-changed-files
run: |
# Find any changed file located under the /rules folder that matches the naming convention <ruleset>_rules.yaml.
# See https://github.com/falcosecurity/rules/blob/main/README.md#naming-convention for details.
# Additionally, if we skip changed-files because we're not in a pull request,
# then we consider all the rules contained in the repository.
all_files="${{ steps.changed-files.outputs.all }}"
values=""
if [ -z "$all_files" ]; then
values=$(ls rules/*_rules.yaml)
else
for changed_file in $all_files; do
if [[ "${changed_file}" =~ ^rules/[^/]*_rules\.yaml$ ]]; then
values=${values}${changed_file}$'\n'
fi
done
fi
echo "changed-files=$(echo "${values}" | jq -R -s -c 'split("\n")' | jq -c 'map(select(length > 0))')" >> $GITHUB_OUTPUT
- name: Read Falco versions
id: set-falco-versions
run: |
values=""
while read -r line
do
values="${values}${line}"$'\n'
done < "./.github/FALCO_VERSIONS"
echo "versions=$(echo "${values}" | jq -R -s -c 'split("\n")' | jq -c 'map(select(length > 0))')" >> $GITHUB_OUTPUT
validate:
if: needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != ''
needs: get-values
strategy:
fail-fast: false
matrix:
rules-file: ${{ fromJson(needs.get-values.outputs.changed-files) }}
falco-version: ${{ fromJson(needs.get-values.outputs.falco-versions) }}
runs-on: ubuntu-latest
steps:
- name: Setup Golang
uses: actions/setup-go@v5
with:
go-version: "1.19.0"
- name: Checkout rules
uses: actions/checkout@v4
- name: Build checker tool
working-directory: build/checker
run: go build -o rules-check
- name: Test checker tool
working-directory: build/checker
run: go test ./... -cover
- name: Validate rules file
run: |
build/checker/rules-check \
validate \
--falco-image="falcosecurity/falco-no-driver:${{ matrix.falco-version }}" \
-r ${{ matrix.rules-file }}
check-version:
if: github.event_name == 'pull_request' && needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != ''
needs: get-values
env:
# note(jasondellaluce): using the most recent targeted Falco version
FALCO_VERSION: ${{ fromJson(needs.get-values.outputs.falco-versions)[0] }}
strategy:
fail-fast: false
matrix:
rules-file: ${{ fromJson(needs.get-values.outputs.changed-files) }}
runs-on: ubuntu-latest
steps:
- name: Setup Golang
uses: actions/setup-go@v5
with:
go-version: "1.19.0"
- name: Checkout rules
uses: actions/checkout@v4
- name: Get all git tags
run: git fetch --tags origin
- name: Get changed files
uses: Ana06/[email protected]
id: changed
with:
format: space-delimited
token: ${{ secrets.GITHUB_TOKEN }}
- name: Build checker tool
working-directory: build/checker
run: go build -o rules-check
- name: Test checker tool
working-directory: build/checker
run: go test ./... -cover
- name: Compare changed files with previous versions
id: compare
run: |
./.github/compare-rule-files.sh \
"${{ matrix.rules-file }}" \
result.txt \
build/checker/rules-check \
"falcosecurity/falco-no-driver:$FALCO_VERSION"
if [ -s result.txt ]; then
echo "comment_file=result.txt" >> $GITHUB_OUTPUT
fi
- name: Save PR info
if: steps.compare.outputs.comment_file != ''
run: |
mkdir -p ./pr
cp ${{ steps.compare.outputs.comment_file }} ./pr/COMMENT-${{ strategy.job-index }}
- name: Upload PR info as artifact
uses: actions/upload-artifact@v4
if: steps.compare.outputs.comment_file != ''
with:
name: pr-${{ strategy.job-index }}
path: pr/
retention-days: 1
upload-pr-info:
needs: [get-values, check-version]
if: ${{ !cancelled() && github.event_name == 'pull_request' && needs.get-values.outputs.changed-files != '[]' && needs.get-values.outputs.changed-files != '' }}
runs-on: ubuntu-latest
steps:
- name: Download PR infos
uses: actions/download-artifact@v4
with:
path: tmp-artifacts
- name: Save PR info
run: |
if [ ! -d "./tmp-artifacts/" ]; then
echo "No PR info found. Skipping."
exit 0
fi
mkdir -p ./pr
echo ${{ github.event.number }} > ./pr/NR
touch ./pr/COMMENT
echo "# Rules files suggestions" >> ./pr/COMMENT
echo "" >> ./pr/COMMENT
files=$(find ./tmp-artifacts/)
for file in $files; do
if [[ "$file" =~ "COMMENT" ]]; then
cat "$file" >> ./pr/COMMENT
fi
done
echo Uploading PR info...
cat ./pr/COMMENT
echo ""
- name: Upload PR info as artifact
uses: actions/upload-artifact@v4
with:
name: pr
path: pr/
retention-days: 1
if-no-files-found: warn